Authentication User Guide
Tehama controls access to your corporate Tehama portal, your organization's doorway into the Tehama Web UI, through user authentication. This authentication controls the access to your Tehama Desktops and, if you are an admin/manager user for your organization, access to Room and Desktop management tools for your organization.
Overview
This user guide describes the three different authentication methods Tehama provides.
Authentication methods:
- Tehama Credential with Multi-Factor Authentication (MFA)
  - Tehama verifies your identity using a username and a password login, managed by Tehama, made more secure with an additional factor provided through an MFA code generating application that runs on a secondary device (a smartphone or a tablet).
- Google Credential Authentication
  - Tehama verifies your identity through Google. If you are logged in to your Google account, Tehama will grant you access.
- Corporate Single Sign On (SSO) Authentication
  - Tehama verifies your identity through your corporation's identity provider (IP) (e.g.: Okta or Azure). If you are logged in to the IP, Tehama will grant you access.
Corporate SSO authentication is offered at an organization level. Your Org Admin user enables or disables it for the entire organization. Otherwise, each user is prompted to choose and set up one of the other two authentication methods when they first set up their Tehama user account.*
IMPORTANT: The authentication method you choose, either Tehama credentials with MFA or Google credentials, cannot be changed.
Click on the names of these three authentication methods to find out more about them and how to set them up and log in with them.
You can also find the log in instructions for all the methods in one place at the following link:
Also in this guide:
- learn how Tehama enforces acceptance of its Terms of Service.
- explore the option of Custom Terms of Service for your organization.
* If your organization has Corporate SSO authentication enabled at the time you join Tehama, you will not be prompted to set up an authentication method. You will use SSO with your corporate IP by default. If for some reason your organization disables SSO, you will then be prompted to set up one of the other authentication methods.
Conversely, if you have set up one of the other two authentication methods when you joined Tehama, and your organization subsequently enables Corporate SSO authentication, your authentication method will switch to SSO. If your organization subsequently disables SSO, you will revert to using the authentication method you had previously set up.
Login instructions
Log in to your organization's corporate portal to the Tehama Web UI as follows:
- First access your corporate Tehama portal login page.
- Then log in using the instructions for your authentication method:
- If your organization has corporate SSO enabled:
- Otherwise, log in with the authentication method that you set up for your user account:
Access your corporate Tehama portal login page
- Open a browser*.
- Either:
  - Navigate to the URL https://app.tehama.io. You will see the SIGN IN TO YOUR ORGANIZATION dialog.
    - Enter your organization's subdomain into the empty field to complete your organization's URL for Tehama.
    - If you do not know your organization's URL, select the text "Can't remember your Organization's URL?", enter your email address and a link to your organization's corporate portal will be emailed to you.
    - Click CONTINUE.
  - Navigate directly to your organization's URL for Tehama, e.g.: https://mysubdomain.tehama.io, where "mysubdomain" is your organization's subdomain.
- You will see the appropriate sign-in page for your chosen authentication method.
- Now proceed to log in following the instructions for your authentication method. Read on.
* The Tehama Web UI will display a warning banner if it is opened in a browser that is not one of Tehama's supported platforms. Your experience with the Tehama Web UI will be suboptimal if you continue with an unsupported browser. Instead, use one of the browsers listed in the list of supported browsers in the Tehama Web UI article.
Log in with Corporate SSO
Read about Corporate Single Sign On (SSO) authentication farther down in this article.
- First access your Tehama corporate portal login page, if you have not already done so. e.g.: Enter https://mysubdomain.tehama.io in a browser, where "mysubdomain" is your organization's subdomain.
- Your identity provider will determine if you are already logged into its service.
  - If you are already logged into your identity provider's service:
    - you will be connected directly to the Tehama Web UI.
  - Else if you are not already logged into your identity provider's service:
    - you will see the login mechanism provided by your identity provider. Log in as you normally would.
NOTE: The Org Admin user in the organization can choose to log in using their backup Tehama credentials, by clicking on the text Organization admins can log in here found on the SSO sign-in page for Org Admin users.
NOTE: If a Staff member or Org/Room Manager is promoted to be the Org Admin user for an organization that has enabled SSO, they will be prompted to enter backup Tehama credentials, if they have not already done so.
Log in with Tehama Credentials
Read about Tehama Credentials with MFA authentication farther down in this article.
- First access your Tehama corporate portal login page, if you have not already done so. e.g.: Enter https://mysubdomain.tehama.io in a browser, where "mysubdomain" is your organization's subdomain.
- You will see the LOGIN TO <your subdomain name> dialog for the Tehama Web UI.
- Enter your Tehama username and password credentials.
- NOTE: If you do not know your password, select the text "Forgot your password?", enter your email address, and a link to reset your password will be emailed to you. Alternately, contact a manager in your organization or Tehama Support and ask them to reset your password for you.
- NOTE: After entering five invalid passwords in a row, Tehama will lock your account for a period of 30 minutes. If you need to log in within that period, contact a manager in your organization or Tehama Support to reset your password.
- Click SIGN IN. You will see the Multi-factor authentication dialog.
- Get the current 6-digit verification code (MFA code) from the entry you set up for this Tehama user account in your Google Authenticator application on your mobile device and enter it into the field in the dialog.
- NOTE: If you cannot retrieve your 6-digit verification code, contact a manager in your organization or Tehama Support and ask them to reset your MFA for you.
- NOTE: After entering five invalid MFA codes in a row, Tehama will lock your account for a period of 30 minutes. If you need to log in within that period, contact a manager in your organization or Tehama Support to reset your MFA code.
- Click LOG IN.
Log in with Google Credentials
Read about Google Credentials authentication farther down in this article.
- First access your Tehama corporate portal login page, if you have not already done so. e.g.: Enter https://mysubdomain.tehama.io in a browser, where "mysubdomain" is your organization's subdomain.
- You will see the LOGIN TO <your subdomain name> dialog for the Tehama Web UI.
- Click SIGN IN WITH GOOGLE.
- Log in as you normally would to your Google account.
Tehama Credential with Multi-Factor Authentication (MFA)
Description
Tehama Credential with Multi-Factor Authentication (MFA) is one of the three authentication methods offered by Tehama.
With this type of authentication, Tehama verifies your identity using a username and a password login, made more secure with an additional factor provided through an MFA code generating application that runs on a secondary device (a smartphone or a tablet). See below for supported devices and apps.
The username is the email-address your invitation-to-join-Tehama email was sent to. You provide and manage the password through Tehama.
The user must provide Tehama with the current MFA code, accessed from the app on the secondary device, after logging in to Tehama with the username and password.
Supported MFA devices:
- iPhone/iPad: iOS 7.0 (or higher) capable device
- Android: Android 2.3.3 (or higher) capable device
Supported MFA code generating applications:
- Google Authenticator
  - Full instructions on downloading and installing Google Authenticator can be found by visiting: https://support.google.com/accounts/answer/1066447?hl=en
  - BlackBerry OS devices: Google Authenticator for BBOS 4 – BBOS 7 devices is also available.
Set up
You can set up your Tehama user account to use Tehama Credential with MFA Authentication when you join Tehama.*
Choose 'Tehama Credential with MFA' as your authentication method when you first join Tehama.* See setup instructions in "(2) Join Tehama for End-users", in section Set up Tehama Credentials with Multi-Factor Authentication.
Note: This choice is permanent. You will not be able to switch to Google credentials authentication.
If you need to reset your password or your MFA code, see the options available to you from the Tehama Web UI that are documented in the section "Organization Member management" of the Organization User Guide; or simply reach out to your Org Admin or an Org Manager in your organization for assistance. (Org Admin users will need to reach out to Tehama Support to request a password or MFA code reset.)
* If your organization has Corporate SSO authentication enabled at the time you join Tehama, you will not be prompted to set up an authentication method. You will use SSO with your corporate IP by default. If for some reason your organization disables SSO, you will then be prompted to set up an authentication method, such as Tehama Credential with MFA.
Conversely, if you have set up Tehama Credential with MFA auth when you joined Tehama and your organization subsequently enables Corporate SSO authentication, your authentication method will switch to SSO. If your organization subsequently disables SSO, you will revert to using Tehama Credential with MFA auth.
Log in
Log in to Tehama using Tehama credential with MFA authentication as follows:
Only possible if your Tehama user account is set up to use Tehama Credential with MFA authentication, and your organization does NOT have Corporate SSO authentication enabled.
- First access your Tehama corporate portal login page. e.g.: Enter https://mysubdomain.tehama.io in a browser, where "mysubdomain" is your organization's subdomain.
- You will see the LOGIN TO <your subdomain name> dialog for the Tehama Web UI.
- Enter your Tehama username and password credentials.
- NOTE: If you do not know your password, select the text "Forgot your password?", enter your email address, and a link to reset your password will be emailed to you. Alternately, contact a manager in your organization or Tehama Support and ask them to reset your password for you.
- NOTE: After entering five invalid passwords in a row, Tehama will lock your account for a period of 30 minutes. If you need to log in within that period, contact a manager in your organization or Tehama Support to reset your password.
- Click SIGN IN. You will see the Multi-factor authentication dialog.
- Get the current 6-digit verification code (MFA code) from the entry you set up for this Tehama user account in your Google Authenticator application on your mobile device and enter it into the field in the dialog.
- NOTE: If you cannot retrieve your 6-digit verification code, contact a manager in your organization or Tehama Support and ask them to reset your MFA for you.
- NOTE: After entering five invalid MFA codes in a row, Tehama will lock your account for a period of 30 minutes. If you need to log in within that period, contact a manager in your organization or Tehama Support to reset your MFA code.
- Click LOG IN.
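How the 6-digit code and the five-attempt lockout in the steps above fit together, as an added example that is not Tehama's code: the code generation follows RFC 6238 (the algorithm Google Authenticator uses), and only the five-attempt and 30-minute values come from this guide. The `MfaVerifier` class, its one-step clock-drift window and its replay check are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30           # RFC 6238 default time step
DIGITS = 6                  # the guide's "6-digit verification code"
MAX_FAILURES = 5            # from the guide: five invalid codes in a row
LOCKOUT_SECONDS = 30 * 60   # from the guide: account locked for 30 minutes


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # RFC 4226 dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class MfaVerifier:
    """Hypothetical server-side check for one account (illustration only)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.failures = 0        # consecutive invalid codes
        self.locked_until = 0    # unix time at which the lock expires
        self.last_step = -1      # last accepted time step, blocks code replay

    def verify(self, code: str, now: int) -> str:
        if now < self.locked_until:
            return "locked"      # even a correct code is refused while locked
        step = now // STEP_SECONDS
        # Assumption: accept the current and previous step to tolerate clock drift.
        for candidate in (step, step - 1):
            expected = totp(self.secret, candidate * STEP_SECONDS)
            if candidate > self.last_step and hmac.compare_digest(
                expected.encode(), code.encode()
            ):
                self.failures = 0          # a valid code resets the streak
                self.last_step = candidate
                return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.failures = 0
            self.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "invalid"
```

With only one million possible codes per time step, the consecutive-failure lock is what keeps online guessing impractical, which is why a reset by a manager or Tehama Support is the only way back in before the 30 minutes elapse.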
Google Credential Authentication
Description
Google Credential Authentication is one of the three authentication methods offered by Tehama.
With this type of authentication, Tehama verifies your identity through Google. If you are logged in to your Google account, Tehama will grant you access.
Set up
You can set up your Tehama user account to use Google Credential Authentication when you join Tehama.* You must sign up with a Google account whose username is the email address that your invite-to-join-Tehama email was sent to.
Choose 'Google Credential' as your authentication method when you first join Tehama.* See setup instructions in "(2) Join Tehama for End-users", in section Set up Google credential authentication.
Note: This choice is permanent. You will not be able to switch to 'Tehama credentials with MFA' authentication.
* If your organization has Corporate SSO authentication enabled at the time you join Tehama, you will not be prompted to set up an authentication method. You will use SSO with your corporate IP by default. If for some reason your organization disables SSO, you will then be prompted to set up an authentication method, such as Google Credential.
Conversely, if you have set up Google Credential auth when you joined Tehama and your organization subsequently enables Corporate SSO authentication, your authentication method will switch to SSO. If your organization subsequently disables SSO, you will revert to using Google credential auth.
Log in
Log in to Tehama using Google credential authentication as follows:
Only possible if your Tehama user account is set up to use Google Credential authentication, and your organization does NOT have Corporate SSO authentication enabled.
- First access your Tehama corporate portal login page. e.g.: Enter https://mysubdomain.tehama.io in a browser, where "mysubdomain" is your organization's subdomain.
- You will see the LOGIN TO <your subdomain name> dialog for the Tehama Web UI.
- Click SIGN IN WITH GOOGLE.
- Log in as you normally would to your Google account.
Corporate Single Sign On (SSO) Authentication
Description
Corporate Single Sign On (SSO) Authentication is one of the three authentication methods offered by Tehama.
With this type of authentication, Tehama verifies your identity through your corporation's identity provider (IP), for example Okta or Azure. If you are logged in to the IP, Tehama will grant you access.
See Tehama's SSO Identity Providers User Guide for a list of identity providers that have been successfully integrated with Tehama.
This option is set at an organization level. Once enabled, all members of the organization must log in using corporate SSO (except the Org Admin, who retains the ability to log in using the authentication method they selected when they joined Tehama*).
* If a Staff member or Org/Room Manager is promoted to be the Org Admin user for an organization that has enabled SSO, they will be prompted to enter backup Tehama credentials, if they have not already done so.
See the 'Corporate Single Sign On (SSO) Authentication and User Provisioning' guide for more detailed information about this authentication method and its user provisioning options.
Set up
The Org Admin user for the organization can enable or disable SSO authentication at any time.
See instructions for setting up and enabling Corporate SSO authentication for your organization in the 'Corporate Single Sign On (SSO) Authentication and User Provisioning' guide.
A brief overview:
Each organization that wishes to enable SSO must first set up a relationship between its Tehama account/organization and an identity provider. This relationship enables the exchange of authentication and authorization data between Tehama and the identity provider through the 'Security Assertion Markup Language' (SAML) standard or through the 'System for Cross-domain Identity Management' (SCIM) standard.
Once SSO is enabled, you can opt to set up user provisioning between your Tehama organization and the identity provider either through SAML or through SCIM, or a combination of both.
When SSO setup is completed, each existing user in your organization will receive an email.
- If a SAML-based connection application was used, the email will invite the user to configure their SSO login by clicking on the provided link, CONFIGURE SSO LOGIN.
- If a SCIM-based connected application was used, the email will alert the user to the change in authentication and will contain a link to the Tehama login page.
Each subsequently added team member will receive the same email.
For SSO to be successfully set up for existing users in your Tehama organization, each existing user must, at the time that corporate SSO authentication is enabled, have a corresponding user account in the identity provider (IP), with user accounts in both systems (identity provider and Tehama) configured with the same email address.
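A pre-flight check an Org Admin could run before enabling SSO, to see which existing users have no identity provider account with the same email address. This is an added example, not a Tehama tool: the CSV exports, their `email` column and the sample rows are constructed, and because this guide does not say whether addresses are compared case-sensitively, case-only differences are reported separately for review.

```python
import csv
import io

# Constructed sample exports; the file layout and "email" column are assumptions.
TEHAMA_EXPORT = """email,role
alice@example.com,Org Admin
Bob@Example.com,Staff
carol@example.com,Room Manager
dave@example.com,Staff
"""
IDP_EXPORT = """email,display_name
alice@example.com,Alice
bob@example.com,Bob
carol@example.com,Carol
erin@example.com,Erin
"""


def emails_from_csv(text, column="email"):
    """Return the non-empty, whitespace-trimmed values of one CSV column."""
    reader = csv.DictReader(io.StringIO(text))
    values = ((row.get(column) or "").strip() for row in reader)
    return [value for value in values if value]


def sso_readiness(tehama_emails, idp_emails):
    """Classify each Tehama user by whether the IdP has the same email address."""
    idp_exact = set(idp_emails)
    idp_folded = {}
    for email in idp_emails:
        idp_folded.setdefault(email.casefold(), email)
    report = {"ready": [], "case_mismatch": [], "missing": []}
    for email in tehama_emails:
        if email in idp_exact:
            report["ready"].append(email)            # identical address in both systems
        elif email.casefold() in idp_folded:
            # Same address apart from letter case: fix one side or confirm it matches.
            report["case_mismatch"].append((email, idp_folded[email.casefold()]))
        else:
            report["missing"].append(email)          # no IdP account for this user
    return report


if __name__ == "__main__":
    result = sso_readiness(emails_from_csv(TEHAMA_EXPORT), emails_from_csv(IDP_EXPORT))
    for category, entries in result.items():
        print(category, entries)
```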
Log in
Log in to Tehama using Corporate SSO authentication as follows:
Only possible if your organization has Corporate SSO authentication enabled.
- First access your Tehama corporate portal login page. e.g.: Enter https://mysubdomain.tehama.io in a browser, where "mysubdomain" is your organization's subdomain.
- Your identity provider will determine if you are already logged into its service.
  - If you are already logged into your identity provider's service:
    - you will be connected directly to the Tehama Web UI.
  - Else if you are not already logged into your identity provider's service:
    - you will see the login mechanism provided by your identity provider. Log in as you normally would.
NOTE: The Org Admin user in the organization can choose to log in using their backup authentication credentials, by clicking on the text Organization admins can log in here found on the SSO sign-in page for Org Admin users.
NOTE: If a Staff member or Org/Room Manager is promoted to be the Org Admin user for an organization that has enabled SSO, they will be prompted to enter backup authentication credentials, if they have not already done so.
Create Backup Credentials (Org Admin)
If a Staff member or Org/Room Manager is promoted to be the Org Admin user for an organization that has enabled SSO, they will be prompted to create an alternate method of authentication ('Tehama Credentials with MFA' authentication), if they have not already done so.
A newly appointed Org Admin user of an SSO enabled organization who does not already have an alternate method of authentication will go through the following process the first time they log in to Tehama after their promotion:
- Log in as normal with your SSO identity provider credentials.
- After a successful login, a dialog entitled Backup Authentication required will appear.
- Set up one of the alternate methods of authentication:
  - For the Tehama Credentials with MFA authentication, see Set up Tehama Credentials with MFA. In brief:
    - Enter a password and confirmation.
    - Click SUBMIT.
    - Set up MFA.
  - For Google Credentials authentication, see Set up Google Credentials. In brief:
    - Click on Sign Up with Google.
    - Select your Google account with the same email-address as your email/username in Tehama, or create one using that email address.
    - Log in with your Google account credentials.
From now on the new Org Admin user will be able to log in to Tehama using their backup method of authentication by clicking on the text Organization admins can log in here found on the Tehama SSO login dialog (visible only to Org Admin users).
Terms of Service
The following is not applicable if your organization has enabled custom terms of service.
While you are using Tehama, Tehama continuously checks to see if you have accepted the latest Terms of Service (ToS). If a version of the ToS that is newer than the last one you accepted exists, you will be prompted to view and accept it. You are required to accept the latest ToS before you may proceed to interact with Tehama through the Web UI.
WARNING: Failure of the Org Admin user for the organization (the user with the Org Admin role for the organization) to accept the latest ToS within fifteen days of issuance may result in the suspension of the organization's account.
When a change is made by Tehama to the ToS, Tehama organization owners receive an email and a notification:
- as soon as the change is available for acceptance.
- after five days have passed with no acceptance.
- after ten days have passed with no acceptance.
After fifteen days have passed with no acceptance of the ToS by the organization owner, a suspension may be placed on the organization's account, at Tehama's discretion.
A suspended Tehama organization's account restricts access to the Tehama Web UI for members of the organization and pauses Rooms owned or connected to by the organization for all members of that Room (for members of other orgs in the Room as well).
(See the 'Suspended Status' section in the Organization User Guide for a more in depth explanation of what it means for an organization's account to be suspended.)
To lift a suspension for non-acceptance of the latest ToS, the organization owner must log in to the organization and accept the ToS. The suspension will be lifted automatically. If this is not possible, contact Tehama Support for assistance.
Custom Terms of Service
Your organization may contractually opt out of Tehama's default Terms of Service and instead mutually agree upon a custom Terms of Service. If that is something your organization would like to explore, contact Tehama Support for assistance.
Once a custom Terms of Service has been established for your organization, your members will no longer be required to accept Tehama's default Terms of Service while logged in to the Tehama Web UI.