Set up Single Sign-On for Tealium Accounts
This article describes how to set up Single Sign-On (SSO) for an account.
Requirements
- Identity Provider: SAML 2.0 support
- Tealium: Account Admin and User Admin permissions
If you have access to multiple Tealium accounts, SSO is only enabled for your primary account.
How it works
SSO is a secure way of using one authentication system to gain access to multiple applications. Tealium supports Security Assertion Markup Language (SAML) 2.0 to implement SSO and acts as the service provider (SP) for your Identity Provider (IdP) configuration. Using SAML for Tealium SSO allows you to secure users’ accounts under your trusted enterprise IdP.
Supported IdPs
Tealium SSO supports and has configuration instructions for connections to the following IdPs:
- Amazon AWS
- ADFS (Active Directory)
- Azure
- Jumpcloud
- OneLogin
- Okta
Tealium also supports SSO implementation to IdP platforms not listed above. However, additional testing and configuration time may be required to set up IdP connections from other platforms. Contact Tealium Support for questions regarding implementation of other IdP platforms.
Tealium SSO login process
The Tealium SSO login process follows these steps:
- Log in to your Tealium account via Tealium SSO using one of the following login options:
  - Through Tealium at https://my.tealiumiq.com/login/sso
  - A custom Tealium URL, such as https://my.tealiumiq.com/login/sso/customURL
  - Through your IdP
- If you log in via my.tealiumiq.com, the Tealium SSO SP validates your IdP connection information and sends a SAML request to your IdP, redirecting you to the IdP login page. If you log in via your IdP, you will skip this step.
- Your IdP sends a SAML response to Tealium SSO SP and Tealium SSO SP validates the login information.
- A new Tealium login session is created.
Configure and manage SSO
To set up and manage Tealium SSO, go to Admin menu > SSO (Single Sign-On).
After you establish a connection to your IdP and turn on authentication, Tealium SSO is activated across client- and server-side products.
Set up your Tealium SSO in four steps:
Step 1: Configure your IdP
Step 2: Connect to your IdP
Step 3: Test your SSO
Step 4: Activate your SSO
Step 1: Configure IdP
Create a new SAML SSO connection by completing the following steps:
- Navigate to Admin Menu > SSO (Single Sign-On).
- In the New SAML Single-Sign On (SSO) Connection > Configure IdP screen, download the Tealium metadata file to your computer and then import this file into your IdP.
- Create a new Tealium application in your IdP and download your IdP metadata file. Each IdP requires a different configuration to access and download a metadata file for creating a new SSO connection.
For specific IdP instructions, see IdP Configuration Instructions.
Ensure you have the following information from your IdP:
  - SAML Metadata file
  - Email address of an administrator of your IdP account
  - (Optional) SAML 2.0 Signing certificate. Your signing certificate may be a part of your metadata file.
- After you configure your IdP and collect the required information for a new SSO connection, click Continue in the Tealium New SAML Single-Sign on (SSO) Connection wizard.
IdP instructions
The following table lists instructions on how to set up your IdP to work with Tealium SSO:
IdP | Custom Configuration Information |
---|---|
Amazon AWS | Follow the instructions in the Amazon AWS documentation to download your metadata file to upload to Tealium. |
ADFS | Follow the instructions in SSO configuration with ADFS (Active Directory) IdP to download your metadata file to upload to Tealium. |
Azure | Complete the steps in SSO configuration with Azure IdP to download a metadata file from your Azure account. For more information, see the Azure documentation. |
Jumpcloud | Follow the instructions in the Jumpcloud documentation to download your metadata file to upload to Tealium. In your setup, ensure the following values are set: |
OneLogin | Follow the instructions in the OneLogin documentation to download your metadata file to upload to Tealium. In your setup, ensure the following values are set: |
Okta | Complete the steps in SSO configuration with Okta IdP to download your metadata file to upload to Tealium. For more information, see the Okta documentation. |
Federation ID
By default, Tealium uses the user’s email address to identify the user during login. Federation ID allows for an alternative user identifier.
- The Federation ID maps to the SAML NameID property.
- If a Federation ID is not assigned to a user in Tealium, the system defaults to matching the Email attribute. For more information, see Edit a user.
- Email attribute mapping is still required in your SAML configuration.
Contact Tealium Support to enable Federation ID on your account.
Step 2: Connect to IdP
Connect to your IdP by completing the following steps:
- In the Connect to IdP screen, upload the SAML metadata file you downloaded from your IdP. The Identity Provider field auto-populates with the name of your IdP after the connection is established.
- In the IdP Admin Email field, enter the email address of an administrator of your IdP account.
- (Optional) If your IdP provides you with a separate signing certificate, upload that file under IdP SAML 2.0 Signing Certificate.
- Click Establish Connection.
Step 3: Test your SP-initiated SSO
After connecting to your IdP, your SSO is set to Test authentication mode. Test mode allows users in your account to choose either the Tealium-initiated login or the SP-initiated login. Use this mode to validate your SP-initiated login before switching on the authentication mode. For successful testing, ensure you log in using the following URL: my.tealiumiq.com/login/sso.
To test the connection to your IdP, copy the Test URL from under Certificate Details and paste it into your browser.
Step 4: Activate your SP-initiated SSO
After you are satisfied with the SP-initiated login experience for your users, complete the following steps to activate the SP-initiated SSO.
- From the Manage SSO screen, switch the Authentication Mode to On. Switching the authentication mode to On forces all users in your account to authenticate through the SP-initiated login and resets the Tealium-provided login credentials for all users.
- A confirmation dialog appears. Confirm that you have tested the SSO authentication flow and notified the users in your account about the new SSO login procedures before you activate the new SSO login. After verifying the statements, click Activate SSO.
- Click Save.
Switching your authentication mode from Test to On activates your SSO authentication and deactivates your Tealium login. To reactivate your Tealium login, switch the authentication mode back to Test.
With Tealium SSO turned on, Tealium will no longer manage the passwords for your users. You can still add users and manage permissions from within Tealium, but functionality related to passwords and authentication (for example, multi-factor authentication) is no longer available through the Tealium interface. Users authenticate through your corporate system and then use a custom SSO URL to access their Tealium account.
This page was last updated: November 25, 2024