How to Configure Single Sign-On (SSO)?
What is SSO?
Single sign-on (SSO) allows you to give your team members access to your Terminus using your company Identity Provider (IdP). Terminus supports Security Assertion Markup Language (SAML) version 2.0, allowing authentication of team member logins deferred to the Identity Provider (IdP).
Most popular Identity Providers (including Okta, OneLogin, Microsoft Azure AD, and others) support SAML 2.0 protocol.
If your plan supports it, you can configure SSO in your Terminus account.
Here are the steps for a generic setup. It can be applied to any Identity Provider supporting SAML 2.0.
1. Go to the Single Sign-On setup page
From the top navigation, click on Account Settings in the dropdown.
Go to the Single Sign-On tab
Check to Enable SAML SSO
2. Configure settings in your Identity Provider
Once you enable SSO in your Terminus account, you’ll see some configuration information (on the right side) that can be used to configure your Identity Provider (IdP).
In a new browser tab, visit your IdP admin control panel.
a. Create a new Single Sign-On application in your IdP
This step is unique to each IdP. Please follow the instructions based on their documentation to create a new SAML 2.0-based SSO application.
You can call it Terminus. You can also add a logo to make it easy to look for it.
b. Configure Assertion Consumer Service (ACS) URL
Once you create a new SAML application, configure ACS URL from your Terminus settings. It looks something like this:
https://app.terminusapp.com/auth/saml/callback?uid=<your unique id>
Some services call it Single Sign On URL. If your IdP requires it, the same value can be used as Recipient URL and Destination URL.
c. Configure Service Provider (SP) Entity Identity
Copy your Terminus SP Entity ID. It looks something like this
https://app.terminusapp.com/<your unique id>
This is used to uniquely identify Terminus within your IdP. Based on the IdP, they may use terms such as Audience URI, SP Entity ID, Identifier, etc.
d. Configure Name ID Format
You need to tell your IdP to use the user email address as the identity. Based on your Idp, they may use terms such as Unique User Identifier, Name ID Format, Application Username, etc.
Some of the common predefined values can be EmailAddress, Email, user.mail, etc.
e. Save the settings
Once you configure the above settings, save them in your IdP account.
3. Configure settings in your Terminus account
Once you have configured a SAML 2.0 SSO application in your IdP account, it can then be used to complete your SSO setup in Terminus.
a. Copy the Single Sign-On URL and paste it into your Terminus settings
The above example shows the URL for Microsoft Azure AD-based login.
Your IdP may refer to it as Login URL, Single Sign-On URL, or something else.
b. Download or copy the certificate and paste it into your Terminus settings
Paste the entire text that begins with —–BEGIN CERTIFICATE—– and ends with —–
The above is just an example. You will need to use your own certificate.
c. Force SSO (Optional, but recommended)
This setting will require all non-admin team members to use your IdP SSO and disable any password-based login. Members with admin privileges will still be able to log in via password in case there are errors in the SSO setup.
In addition to admins, you could allow other users to log in using a password as well. For example, if you have users from an external agency working on your account, they may not be able to use your company SSO. In that case, you can create a separate group of all such users (no permissions are required to be specified in the group) and specify it here.
4. Save Single-Sign-On settings
When you click Save, SSO will be activated on your account.
5. Add or remove users
Terminus currently doesn’t support auto-provisioning or de-provisioning of users. You may need to manage them in two places:
- Your identity provider: Follow the instructions of your identity provider on how to add or remove users to access the Terminus application
- In Terminus: When adding a user in Terminus, use the same email address as they have in your identity provider. It will be used to match the identity between these two systems.