/
Single Sign-On (SSO)

Single Sign-On (SSO)

Owned by Coreen Stalnaker
Last updated: Sept 27, 2024
4 min read

Tired of MFA? Hate having to deal with opening your email to get a code to login? Well, if you have a SSO IDP ( Identify Provider ) like Google Workspace, Microsoft Azure, or Okta and many others, you can now use TLD with SAML SSO to login with one click to TLD as long as the email for the SSO User Matches a User in your TLD Account!

"Wait, but I have Multiple SSO providers! Some of my guys use Google and some use Okta!" No Problem! We wrote our SSO Integration to support Multiple SSO Providers on a single account. This way if you are using the Agency Module with multiple Agencies they can each have their SSO or continue to login with Email Multi-factor.

  1. In the Settings -> Fields Section you can add a "SSO Container" to you your account. You will have to be a Super Administrator to add or manage these. The Configuration Panel looks like the below:

    1. As you can see there is a lot of text here explaining what you should do.

      1. There are also advanced tabs and configurations for more esoteric or weird SAML SSO Integrations.

  1. Generally speaking, the 4 Blank Fields on this main page are all you need to configure. Make sure your SSO is using Email for the Name ID. Be sure to copy the Assertion Consumer Service URL (ACS URL) add it to your SAML SSO Provider on your end.

    1. Your IDP Entity ID - Unique Identifier for the identity provider

    2. Your Single Sign-On (SSO) URL - URL for the IDP initiated login

    3. Your IDP Certificate (x509 Certificate) - the Certificate provided by the IDP

    4. Your Service Provider Entity ID - This is a personalize ID that can be used to separate IDP providers. It must match within TLD and the IDP

      1. example would be for Agencies using different IDP services

  2. Once completed enable the SAML Containers for your Account. This can be found in Settings -> Access under the SSO Tab as seen below.

    1. it then will show a Button on your Login Page to be able to login with. You can customize the Button Look and Feel in the Buttons Tab in the SAML Container.

By Default, Users cannot log into SSO unless either the Unrestricted Flag is Set to On, the User has the Unrestricted Flag on his User under the Access Tab, or the User has the SSO Provider Selected in the User's Access Tab.

 

The 3 Settings Seen here also exist in the Users Profile under the Access Tab.

Note: Account Level Settings Override User Level Settings. 

This is what the following Settings Do:

  1. SSO Only

    1. Only Allow SSO Logins (Disable Credentials Login )

    2. This Prevents Users from Logging in with their Username and Password

    3. Users can Only SSO

  2. SSO Unrestricted

    1. Allow Login from All Account Enabled SSO Providers

    2. This Bypasses the Multi-checkbox selections on the users and allows all users on your account to login with Any SSO that is Selected in the Account Panel

Remember, These Settings can be Applied to Individuals or to your entire Account so choose depending on your needs!

Email Verification Requirements

  • For New Users, there is still a requirement to Verify their Email Address once, or on Email Change, even with SSO enabled.

  • Once the Email is Verified the User will not have to MFA into the system as your IDP Handles the Access Controls!

Password Reset Requirements

  • If SSO Only is Enabled, then the User will not need to update their password per Password Change Policies because “Login via Password” is Disabled and Password Requirements are controlled on the IDP.

Coming Soon: Mass Add / Remove SSO Providers

Login Logs & Sessions - Major Revamp

Due to the Addition of SSO we took a pass over the Login Logs and Sessions and made the following Changes

  • Added the Following Columns to Login Logs

    • success: 1 or 0 if Login was Successful

    • date_logout: The Date the User Login Session Logged Out.

    • logout_reason: The Reason for Logout, system generated, "LOGOUT", "IP_RESTRICTION", "EMAIL_UNVERIFIED", "MOVE", "DEACTIVATED" etc.

    • sso: The SSO Container ID when using SSO

    • sso_account: The SSO Account the Container ID is Related to.

    • provider: "Credentials", or the Name / Label of the SSO Provider at the Time.

    • logout_id: The Login ID From Which the Session or Sessions initiated a Logout

    • ender_id: The USer ID Responsible for Logging the User Out, as it can be initiated by an Administrator

    • ip_logout: The IP Address the Logout Took Place

  • Added the Following Columns to User Sessions

    • sso: The SSO Container ID

    • sso_account: The SSO Account for SSO Container

    • login_id: The Login ID the Session Started From

  • When Logging into TLD the Session will now have a direct correlation to the Login Log that was successful so it is easier to see which sessions are actually active.

  • On Logout, the Date Logout, Ender ID=, IP Logout and Logout Reason are automatically set.

  • The Logout ID is the Login ID that the Logout was initiated. If it was Admin initiated, we use the Latest Successful Unlogged out Login ID.

  • In the case of multiple sessions being active, The Logout ID will be the same on all of them.

Related content