How to Configure Single Sign-On (SSO)?

What is SSO?

Single sign-on (SSO) allows you to give your team members access to your Terminus using your company Identity Provider (IdP). Terminus supports Security Assertion Markup Language (SAML) version 2.0, allowing authentication of team member logins deferred to the Identity Provider (IdP).

Most popular Identity Providers (including Okta, OneLogin, Microsoft Azure AD, and others) support SAML 2.0 protocol.

If your plan supports it, you can configure SSO in your Terminus account.

Here are the steps for a generic setup. It can be applied to any Identity Provider supporting SAML 2.0.

1. Go to the Single Sign-On setup page

From the top navigation, click on Account Settings in the dropdown.

Go to the Single Sign-On tab

Check to Enable SAML SSO

2. Configure settings in your Identity Provider

Once you enable SSO in your Terminus account, you’ll see some configuration information (on the right side) that can be used to configure your Identity Provider (IdP).

In a new browser tab, visit your IdP admin control panel.

a. Create a new Single Sign-On application in your IdP

This step is unique to each IdP. Please follow the instructions based on their documentation to create a new SAML 2.0-based SSO application.

You can call it Terminus. You can also add a logo to make it easy to look for it.

b. Configure Assertion Consumer Service (ACS) URL

Once you create a new SAML application, configure ACS URL from your Terminus settings. It looks something like this:

https://app.terminusapp.com/auth/saml/callback?uid=<your unique id>

Some services call it Single Sign On URL. If your IdP requires it, the same value can be used as Recipient URL and Destination URL.

c. Configure Service Provider (SP) Entity Identity

Copy your Terminus SP Entity ID. It looks something like this

https://app.terminusapp.com/<your unique id>

This is used to uniquely identify Terminus within your IdP. Based on the IdP, they may use terms such as Audience URI, SP Entity ID, Identifier, etc.

d. Configure Name ID Format

You need to tell your IdP to use the user email address as the identity. Based on your Idp, they may use terms such as Unique User Identifier, Name ID Format, Application Username, etc.

Some of the common predefined values can be EmailAddress, Email, user.mail, etc.

e. Save the settings

Once you configure the above settings, save them in your IdP account.

3. Configure settings in your Terminus account

Once you have configured a SAML 2.0 SSO application in your IdP account, it can then be used to complete your SSO setup in Terminus.

a. Copy the Single Sign-On URL and paste it into your Terminus settings

The above example shows the URL for Microsoft Azure AD-based login.

Your IdP may refer to it as Login URL, Single Sign-On URL, or something else.

b. Download or copy the certificate and paste it into your Terminus settings

Paste the entire text that begins with —–BEGIN CERTIFICATE—– and ends with —–

END CERTIFICATE—–

The above is just an example. You will need to use your own certificate.

c. Force SSO (Optional, but recommended)

This setting will require all non-admin team members to use your IdP SSO and disable any password-based login. Members with admin privileges will still be able to log in via password in case there are errors in the SSO setup.

In addition to admins, you could allow other users to log in using a password as well. For example, if you have users from an external agency working on your account, they may not be able to use your company SSO. In that case, you can create a separate group of all such users (no permissions are required to be specified in the group) and specify it here.

4. Auto-provisioning users (Optional)

Our Single Sign-On (SSO) solution offers just-in-time user auto-provisioning. This eliminates the need for manual user creation in our system. Whenever a new user is added to your identity provider (IdP), their account is automatically created in our system based on pre-configured user attributes. This ensures seamless user access and reduces administrative overhead.

5. Save Single-Sign-On settings

When you click Save, SSO will be activated on your account.

6. Add or remove users

Terminus supports the auto-provisioning of users via Single Sign-On (SSO). User management involves two main areas:

a. Your Identity Provider (IdP):

Adding Users: Follow your identity provider’s instructions to add users and grant them access to the Terminus application.
Removing Users: Follow your identity provider’s instructions to remove users.

b. Terminus Application:

Adding Users:
- Manual Addition: When adding a user in Terminus, use the same email address as in your identity provider to ensure a match between the two systems.
- Auto-provisioning: When enabled, users added to your identity provider are automatically added to Terminus.
  - Note: Auto-provisioning currently supports adding users but does not support de-provisioning. Therefore, you must manually remove users from both your identity provider and Terminus.
Removing Users Manually: To remove users from Terminus, you need to manually remove them from both your identity provider and the Terminus application.

When auto-provisioning is disabled, both adding and removing users must be done manually in both your identity provider and the Terminus application.