SSO Azure Setup
The following instructions set up Microsoft Entra ID (formerly Azure Active Directory) as a SAML identity provider for Tehama.
Introduction
Entra ID is Microsoft's multi-tenant, cloud-based directory and identity management service, combining core directory services, application access management and identity protection in a single solution. It can act as a Single Sign-On (SSO) identity provider using SAML 2.0, OpenID Connect or password-based SSO. Tehama integrates with Entra ID through SAML 2.0 and appears as a managed Enterprise Application alongside your other Azure-integrated applications.
Once enabled, authentication to Tehama must go through Entra ID: local authentication at https://app.tehama.io is no longer possible except for the Tehama Org Admin account. That account remains a local, non-SSO login and is the recovery path if the Entra ID integration breaks, so protect it accordingly. The Entra ID/Tehama integration covers authentication only; it does not provision, update or remove Tehama users.
User accounts are required in both Entra ID and Tehama. The two accounts must use the same email address for SSO to work, and the user must accept the Tehama Welcome email before they can launch a connection via Microsoft Entra ID.
Integration Summary
Integration with Microsoft Entra ID is a four-step process as follows.
- Obtain initial configuration settings from Tehama
- Create an application in Entra ID
- Obtain the required Federation Metadata XML from Azure
- Enter it back into Tehama
Prerequisites for Entra ID Integration
- A Tehama Account with Org Admin privileges (i.e.: the Tehama account for the user with the Org Admin role for the account's organization)
Setup Time - 10 minutes
Create a connected application
Login to Tehama using the Org Admin Account and click the ORGANIZATION tab in the navigation bar.
Select the AUTHENTICATION tab.
Check "Enable SAML Single-Sign On".
Make a note of the Entity ID and Callback URL (Assertion Consumer Service URL) values.
Open a second browser tab and sign in to your Entra ID.
Select Enterprise applications, then + New application.
Select Microsoft Entra Gallery, then + Create your own application.
Enter the application name and select Integrate any other application you don't find in the gallery (Non-gallery).
Select Properties
Optionally add an application logo by clicking Select a File, then click Save.
Select Single sign-on from the second level menu.
The SAML settings will be displayed.
Under Basic SAML Configuration
- Copy the Entity ID from the AUTHENTICATION METHOD section of the Tehama Web UI's Authentication page and paste it into the Identifier (Entity ID) field.
- Copy the Callback URL from the AUTHENTICATION METHOD section of the Tehama Web UI's Authentication page and paste it into the Reply URL (Assertion Consumer Service URL) field.
- Leave all other fields at their default values. Note that the Unique User Identifier (Name ID) claim under Attributes & Claims defaults to user.userprincipalname; because Tehama matches users by email address, confirm that each user's UPN is identical to the email address on their Tehama account, or adjust the Name ID claim source to the attribute that holds that address.
- Click Save.
To complete the Tehama SSO setup:
Under SAML Certificates
- Click Federation Metadata XML under the SAML Certificates subsection to download a copy of the XML file.
Open the XML file in a text editor and copy its entire contents to the clipboard.
Return to the Tehama Web UI, make sure Enable SAML Single-Sign On is checked (if not already), paste the IdP metadata into the Federation Metadata XML box and click SAVE.
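The metadata pasted into Tehama is what Tehama will trust from now on: the IdP entity ID, the signing certificate used to verify assertions, and the sign-on endpoints. Pasting the wrong file (for example service-provider metadata, or metadata from a stale certificate) only shows up as failed logins later. The following is an added example, not Tehama or Microsoft code, that parses a downloaded Federation Metadata XML file and reports those facts plus any obvious problems before you paste it. The embedded SAMPLE_METADATA is constructed for illustration: the tenant ID is all zeros and the certificate bytes are a placeholder, not a real X.509 certificate.

```python
"""Sanity-check Entra ID Federation Metadata XML before pasting it into Tehama.

Added example; not Tehama or Microsoft code. SAMPLE_METADATA is constructed
for illustration: the tenant ID is all zeros and the certificate bytes are a
placeholder, not a real X.509 certificate.
"""
import base64
import hashlib
import sys
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

TENANT = "00000000-0000-0000-0000-000000000000"  # constructed placeholder tenant ID
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a certificate").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}"><X509Data><X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{HTTP_POST}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def inspect_idp_metadata(xml_text: str) -> dict:
    """Return the facts Tehama will trust from IdP metadata, plus a list of problems."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != f"{{{MD}}}EntityDescriptor":
        problems.append(f"root element is {root.tag}, expected md:EntityDescriptor")
        return {"problems": problems}
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        # An SPSSODescriptor here means service-provider metadata was exported by mistake.
        problems.append("no IDPSSODescriptor: this is not identity-provider metadata")
        return {"entity_id": root.get("entityID"), "problems": problems}

    # Signing certificates: Tehama verifies assertion signatures against these.
    certs = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":  # an absent 'use' means signing and encryption
            continue
        for c in kd.iter(f"{{{DS}}}X509Certificate"):
            der = base64.b64decode("".join((c.text or "").split()))
            certs.append({"sha1": hashlib.sha1(der).hexdigest().upper(),  # same form as the portal thumbprint
                          "sha256": hashlib.sha256(der).hexdigest()})
    if not certs:
        problems.append("no signing certificate: assertion signatures could not be verified")

    # SSO endpoints: every Location must be HTTPS, otherwise the AuthnRequest redirect travels in the clear.
    endpoints = {}
    for sso in idp.findall(f"{{{MD}}}SingleSignOnService"):
        binding, loc = sso.get("Binding"), sso.get("Location", "")
        endpoints[binding] = loc
        if not loc.startswith("https://"):
            problems.append(f"non-HTTPS SSO endpoint for {binding}: {loc}")
    if not (endpoints.keys() & {HTTP_REDIRECT, HTTP_POST}):
        problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")

    return {
        "entity_id": root.get("entityID"),
        "signing_certs": certs,
        "sso_endpoints": endpoints,
        "nameid_formats": [n.text.strip() for n in idp.findall(f"{{{MD}}}NameIDFormat") if n.text],
        "problems": problems,
    }


if __name__ == "__main__":
    # Usage: python check_idp_metadata.py [path/to/downloaded-federation-metadata.xml]
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    report = inspect_idp_metadata(text)
    for key, value in report.items():
        print(f"{key}: {value}")
    sys.exit(1 if report["problems"] else 0)
```

Compare the reported SHA-1 against the Thumbprint shown under SAML Certificates in the Entra portal so you know the file matches the currently active certificate. The check does not decode the certificate's validity period; wrap the base64 value in PEM headers and run `openssl x509 -noout -dates` for that. Because Tehama takes the metadata as pasted text rather than a metadata URL, rotating the SAML signing certificate in Entra ID means downloading and pasting the metadata again.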
Now that you have completed this step, each existing team member in your organization will receive an email inviting them to configure their SSO login by clicking on the provided link, CONFIGURE SSO LOGIN, and to follow the instructions.
Each subsequently added team member will receive the same email and must also configure their SSO login by clicking on the provided link.
Tehama SSO Configuration is now complete.
You will still need to return to the Azure portal to assign users and groups and/or configure self-service settings as appropriate for your organization before Tehama can be accessed through the Entra ID integration. If the application's Properties page has User assignment required set to Yes, only assigned users and members of assigned groups can sign in.