Set up Single Sign-On for Tealium Accounts
This article describes how to set up Single Sign-On (SSO) for an account.
Requirements
- Identity Provider: SAML 2.0 support
- Tealium: Account Admin and User Admin permissions
If you have access to multiple Tealium accounts, SSO is only enabled for your primary account.
How it Works
SSO is a secure way of using one authentication system to gain access to multiple applications. Tealium supports Security Assertion Markup Language (SAML) 2.0 to implement SSO and acts as the service provider (SP) for your Identity Provider (IdP) configuration. Using SAML for Tealium SSO allows you to secure users’ accounts under your trusted enterprise IdP.
Supported IdPs
Tealium SSO supports and has configuration instructions for connections to the following IdPs:
- Amazon AWS
- ADFS (Active Directory)
- Azure
- Jumpcloud
- OneLogin
- Okta
Tealium also supports SSO implementation to IdP platforms not listed above. However, additional testing and configuration time may be required to set up IdP connections from other platforms. Contact Tealium Support for questions regarding implementation of other IdP platforms.
Tealium SSO Login Process

The Tealium SSO login process follows these steps:
- Log in to your Tealium account via Tealium SSO using one of the following login options:
  - Through Tealium at https://my.tealiumiq.com/login/sso
  - A custom Tealium URL, such as https://my.tealiumiq.com/login/sso/customURL
  - Through your IdP
- If you log in via my.tealiumiq.com, the Tealium SSO SP validates your IdP connection information and sends a SAML request to your IdP, redirecting you to the IdP login page. If you log in via your IdP, you will skip this step.
- Your IdP sends a SAML response to Tealium SSO SP and Tealium SSO SP validates the login information.
- A new Tealium login session is created.
Configure and manage your SSO
Set up and manage your Tealium SSO through the Client-side or Server-Side Admin menu > SSO (Single Sign-On). After you establish a connection to your IdP and turn on authentication, Tealium SSO is activated across client- and server-side products.
Set up your SSO
Set up your Tealium SSO in four steps:
Switching your authentication mode from Test to On activates your SSO authentication and deactivates your Tealium login. To reactivate your Tealium login, switch the authentication mode back to Test. See the Manage SSO Connection section in this document for important information about switching authentication modes.
Step 1: Configure your IdP
Create a new SAML SSO connection by completing the following steps:
- Navigate to Admin Menu > SSO (Single Sign-On).

- In the New SAML Single-Sign On (SSO) Connection > Configure IdP screen, download the Tealium metadata file to your computer and then import this file into your IdP.
- Create a new Tealium application in your IdP and download your IdP metadata file. Each IdP requires a different configuration to access and download a metadata file for creating a new SSO connection. For specific IdP instructions, see IdP Configuration Instructions.
- After configuring your IdP to create a new Tealium SSO connection, ensure you have the following information from your IdP:
- SAML Metadata file
- Email address of an administrator of your IdP account
- SAML 2.0 Signing certificate (Optional. Your signing certificate may be a part of your metadata file.)
- After you configure your IdP and collect the required information for a new SSO connection, click Continue.
IdP Configuration Instructions
The following table lists instructions on how to set up your IdP to work with Tealium SSO:
IdP | Custom Configuration Information |
---|---|
Amazon AWS | Follow the instructions in the Amazon AWS documentation to download your metadata file to upload to Tealium. |
ADFS | Follow the instructions in the ADFS documentation to download your metadata file to upload to Tealium. In your setup, ensure that the following values are set in the Edit Rule window: |
Azure | Complete the following steps to download a metadata file from your Azure account. For more information, see the Azure documentation. |
Jumpcloud | Follow the instructions in the Jumpcloud documentation to download your metadata file to upload to Tealium. In your setup, ensure the following values are set: |
OneLogin | Follow the instructions in the OneLogin documentation to download your metadata file to upload to Tealium. In your setup, ensure the following values are set: |
Okta | Follow the instructions in the Okta documentation to download your metadata file to upload to Tealium. In your setup, ensure the following values are set: |
Step 2: Connect to your IdP
Connect to your IdP by completing the following steps:
- In the Connect to IdP screen, upload the SAML metadata file you downloaded from your IdP. The Identity Provider field auto-populates with the name of your IdP after the connection is established.

- In the IdP Admin Email field, enter the email address of an administrator of your IdP account.
- If your IdP provides you with a separate signing certificate, upload that file under IdP SAML 2.0 Signing Certificate.
- Click Establish Connection.
Manage your SSO Connection
After successfully connecting to your IdP, you can manage the following SSO settings from the Manage SSO screen:
- Switch your authentication mode from Test to On
- Update your IdP administration email
- Upload a new signing certificate
- Verify the validity of your certificate
Step 3: Test your SP-Initiated SSO
After connecting to your IdP, your SSO is set to Test mode. Test mode allows users in your account to choose either the Tealium-initiated login or the SP-initiated login. Use this mode to validate your SP-initiated login before switching on the authentication mode.
To test the connection to your IdP, copy the Test URL from under Certificate Details and paste it into your browser.
Step 4: Activate your SP-Initiated SSO
You can toggle between authentication states from the Manage SSO screen at any time, but any change that you make to the authentication mode changes the status of your SSO for all users.
After you are satisfied with the SP-initiated login experience for your users, complete the following steps to activate the SP-initiated SSO.
- From the Manage SSO screen, switch the Authentication Mode to On. Switching the authentication mode to On forces all users in your account to authenticate through the SP-initiated login and resets the Tealium-provided login credentials for all users.
- A confirmation dialog appears. Verify that you have tested the SSO authentication flow and provided notice to the users in your account about the new SSO login procedures before you activate the new SSO login. After verifying the statements, click Activate SSO.
- Click Save.
Tealium no longer manages the passwords for your users. You can still add users and manage permissions from within Tealium, but functionality related to passwords and authentication (for example, multi-factor authentication) is no longer available in their accounts. Users authenticate through your corporate system and then use a custom SSO URL to access their Tealium account.
Deactivate your SP-Initiated SSO
Complete the following steps to deactivate your SP-initiated SSO:
- From the Manage SSO screen, switch the Authentication Mode to Test. Switching the authentication mode to Test forces all users through the Tealium-initiated login. Users need to reset their Tealium login credentials before they can access their accounts.
- A confirmation dialog appears. Click Deactivate.
- Click Save.
Certificate Status
From the Manage SSO screen, you can verify the status of your SAML 2.0 signing certificate under Certificate Details.
Valid Status
After you upload a current metadata file or separate signing certificate, the Certificate Expiration Date is automatically populated and the Certificate Status is set to Valid. The Certificate Status automatically updates to indicate when the certificate has expired.
Expired Status
When your certificate expires, the Certificate Status is set to Expired and your SSO login is unavailable until you upload a new signing certificate or an updated metadata file with a valid expiration date and save your configuration. To allow your users to access their accounts using the Tealium-initiated login, switch the Authentication Mode to Test. Users need to reset their Tealium login credentials before they can access their accounts.
Reset SSO
Resetting the SSO configuration deletes all current SSO settings and forces all users through the Tealium-initiated login. Users need to reset their Tealium login credentials before they can access their accounts.
To reset your SSO configuration, complete the following steps:
- In the upper right corner of the screen, navigate to the Manage SSO screen and click Reset. Reset is available only when the Authentication Mode is switched to Test.
- The Reset SSO? dialog appears. Enter RESET in the confirmation field and click Reset to confirm the SSO reset.
- The Configure IdP screen appears. Follow the steps in the Setting up your SSO section.
If your company changes its email address domain or IdP, you must reset the SSO.
This page was last updated: August 16, 2023