Single sign-on (SSO) and SAML (Enterprise SSO)

 

In this article, we will cover:

Overview of SSO

Single sign-on (SSO) is a way for users to access multiple applications using a single set of login credentials. This can simplify the login process for users and reduce the risk of password fatigue and security breaches.

We support two types:

  • Free SSO:  We offer you the ability so you choose to sign-in via your Google/Google Workspace or Hootsuite credentials.
  • SAML (enterprise SSO): This type of SSO is more complex to set up, but it will allow users to sign in using your corporate credentials. Any Identify Provider (IdP) that supports SAML 2.0 will work and that includes but isn't limited to Google Workspace, Okta, Active Directory, Azure AD, OneLogin, JumpCloud, Ping Identity, CyberArk Identity, Auth0... We do not support SAML-based protocols such Shibboleth that require assertions that are not part of the SAML 2.0 standard.
    Inside TINT, you can have a mix of SAML collaborators and non-SAML collaborators.  This is extremely useful if you use outside contractors or agencies which might not necessarily have access to your corporate credentials but you would like them to be able to use TINT.

TINT information needed to implement SAML

ACS URL: https://api.tintup.com/auth/saml/callback
Entity ID: tintup.com
Name ID: Email
Name ID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

We also support optional attribute mappings:

  • First name: first_name (JIT only)
  • Last name: last_name (JIT only)
  • Role: role

Role IDs can be found by clicking on your name in the right-hand corner > Team Settings > Roles.

How to create IdP XML Metadata file 

Each IdP has its own instructions to create an XML Metadata file.  In most cases, you would need to create a new app with instructions from TINT above to be able to create and download the IdP XML Metadata file.

Here are the instructions for the most requested SAML companies from our clients:

How to implement SAML on TINT

  1. Click on your name in the right-hand corner
  2. Click on Team Settings
  3. Click on Security in the left-hand column
  4. Upload your IdP XML Metadata file that you have created in your IdP provider and it will auto-populate the fields
  5. Then we have the Advanced Options:
    Force Login: Making sure users sign in even if they have an existing session, like re-verifying ID for maximum security (works if your IdP supports it)
    Signed Authorization Requests: Validating your requests using digital signatures
    Signed Assertions:
    Guaranteeing the information hasn't been tampered with by digitally signing it
    Encrypted Assertions:
    Securing sensitive data within their information by encrypting it, ensuring only we can access it. To get started with this download our certificate at the bottom of this article
    Enabled or Disabled Just-in-time (JIT) Provisioning:
     JIT is when a new user tries to log in to an authorized app for the first time, it will trigger the flow of information from the IdP to the app that's needed to create an account for them.  When switched on, it means you wouldn't have to create users in TINT ahead of time
  6. Click Save
  7. Once, this has been saved, all users will be swapped over to SAML.  If you need to opt out certain users, you can create or modify their roles to opt them out to give them the ability to log into TINT with their TINT password.  See the following sections on how to do this.  

How to disabled/enabled SAML on a collaborator

  1. Go into Collaborator
  2. Use the search (only full emails will return a result due to security) or find the collaborator you want to change.  
  3. Click on the ...
  4. Click Edit
  5. Click on SKIP SAML AUTHENTICATION dropdown to change it to Yes to switch SAML off for a collaborator or No (Recommended) to keep SAML switched on.  This option will not be available if the account does not have SAML implemented or if you do not have the manage security settings permission to see this.
  6. Click Apply
  7. The SAML indicator changes from Green to Grey when it's been switched off or from Grey to Green when it's been switched on

How to enableddisabled SAML on a collaborator - R&C and SAML - 15th September 2023.gif

How to invite a collaborator to join your team

To get a collaborator to join your team, you would need to invite them.  To invite them to TINT, proceed with the following steps:

  1. Click on your name in the top right corner
  2. Click on Team Settings
  3. Click on Collaborator
  4. Click on +Add
  5. This will open a popup on the right-hand side
  6. Type in the email of the collaborator you want to invite
  7. Click the plus sign or press enter to add the email in
  8. Click on the dropdown under ASSIGN A ROLE to create a role or add or search for a pre-existing role 
  9. If your account has SAML enabled, you will see the additional option of SKIP SAML AUTHENTICATION.  The default is set at No (Recommended) so you keep SAML switched on but if you choose Yes, then this collaborator will use their TINT password to sign in and will not be redirected to your corporate sign-in page. If you do not see this option and your account has SAML enabled, this means that you do not have manage security settings permission.
  10. Click Add to send the invite

How to invite a Collaborator and see switch ability - Team Switcher - 15th September 2023.gif

How to tell if SAML is enabled/disabled on a collaborator

Under the collaborator, there's a SAML label if it's in Grey SAML is switched off or if it's Green SAML is switched on.

Encrypted Assertions (optional)

We support Encrypted Assertions.  You can encrypt the data sent by downloading the certificate at the bottom of this article.

If you run into any issues or have any questions about SSO or SAML, please contact Technical Support at support@tintup.com.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

0 comments

Please sign in to leave a comment.