Integrations: Single Sign-On (SSO)

You can set up a single sign-on integration over SAML2 or Open ID.

Written by Emil de Valk
Updated over a week ago

Single Sign-On (SSO) is an authentication approach that allows users to access numerous applications using a single set of login credentials. To create an SSO login on the platform, you need an SSO Identity Provider (IdP) in which you configure your platform as an external application. The instructions below explain how to enable SSO on the platform with the SAML 2.0 or Open ID protocol.


SAML 2.0 DIY Instruction

You can find the SAML metadata at the following link: [domain.platform.co.nl]/saml2/metadata/

When setting up SSO, our preference is to use the email address as the NameID of the SAML2 connection. If that's not an option, use the username, employee number or some other unique identifier.

If the user cannot be found with the given identifier (email or something else), login will fail.

The SAML2 metadata file you provide is used for validating a request. The actual information of a user is packaged in the SAML2 response that we receive once a user tries to login.

When you've completed the setup in your identity provider, you can proceed to add the SSO integration to the platform. In Control, go to Users --> Integrations.

To add a SAML2 integration, click the 'Add SAML2' button. Add your metadata URL and you are done!
An extra login button will appear on the login screen of your platform.

You can test the connection from an incognito window by clicking the SSO button and signing in on the SSO login screen. If the connection is set up correctly, you are then redirected to the platform with a successful sign-in.

  • In case of a failed login attempt, the TinQwise team needs to know the platform and username of the test user so we can troubleshoot the login information in our back office systems.
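When a test login fails, it helps to see which identifier your IdP actually sent. The following is an added example, not TinQwise code: a diagnostic that decodes a SAMLResponse you captured from your own test login (for example from the browser's network tab) and checks the NameID against the identifiers you expect on the platform. The function names, sample values and the exact-match comparison are assumptions for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def inspect_saml_response(b64_response, platform_identifiers):
    """Report what a captured SAMLResponse (HTTP-POST binding) carries.
    Diagnostic only: it does not verify the signature or any conditions."""
    root = ET.fromstring(base64.b64decode(b64_response))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    issuer = root.find("saml:Assertion/saml:Issuer", NS)
    value = (name_id.text or "").strip() if name_id is not None else ""
    fmt = name_id.get("Format") if name_id is not None else None
    findings = []
    if status is None or not status.get("Value", "").endswith(":Success"):
        findings.append("IdP did not return a Success status")
    if not value:
        findings.append("no readable NameID (missing, empty or encrypted)")
    else:
        if fmt != EMAIL_FORMAT:
            findings.append("NameID format is not emailAddress")
        if value not in platform_identifiers:
            # Assumption: exact comparison; the page does not say how it matches.
            hint = " (differs only by case)" if value.lower() in {
                i.lower() for i in platform_identifiers} else ""
            findings.append("NameID matches no platform user" + hint)
    return {"issuer": issuer.text if issuer is not None else None,
            "name_id": value or None, "format": fmt, "findings": findings}

def make_sample(name_id, fmt):
    """Constructed sample response, base64-encoded as a browser would post it."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion><saml:Issuer>https://idp.example.test/</saml:Issuer>
    <saml:Subject><saml:NameID Format="{fmt}">{name_id}</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    users = {"jane.doe@example.test"}  # constructed platform identifiers
    bad = make_sample("jdoe", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
    print(inspect_saml_response(bad, users))
    print(inspect_saml_response(make_sample("Jane.Doe@example.test", EMAIL_FORMAT), users))
```

Run it only on responses from your own test account, and treat the captured response as sensitive while it is still within its validity window.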

Some additional notes:

  • If the user is already logged in to your system, they are also allowed to log in on the platform.

  • The TinQwise Growth platform only checks if the user is logged in correctly on the side of the identity provider.

  • Setup is completely self-service for a client if they use the SAML standard.

  • We do not have any passwords stored on the platform.

  • Only name + email address are stored on the platform.

More advanced settings are available for SAML SSO. Please look at this article for the advanced set-up, such as:

  • Create new users and update existing users

  • Assign users to groups


Extra info for Entra ID (Azure AD) with SAML2.0

To connect the platform to your Entra ID (formerly known as Azure AD) over SAML2.0, please follow the steps provided by GE here: Configure Azure Active Directory as the Identity Provider (IDP)

Extra info for Active Directory or ADFS connections

ADFS is a layer on top of Active Directory to communicate with the outside world. The protocol we use for that is still SAML2.


Open ID Connect (OIDC) Instruction

The Open ID Connect SSO set-up is not DIY on the platform (yet). Here is just a list of the information needed to enable this form of SSO on the platform by TinQwise.

Information you need:

  • Redirect URI: [domain].platform.co.nl. You need this URL to make the set-up in your own application.

Information to send to TinQwise:

Here is a Microsoft help article for setting up an Open ID Connect SSO in Entra ID (formerly known as Azure AD). We would like to know these fields:

  • tenant

  • client_id

  • response_type (must be id_token, as we don't support anything else yet)

  • scope

  • nonce
