
Set up Single Sign On

To increase both usability and security for enterprise End Users, it is possible to set up SAML-based Single Sign On (SSO).

Many users will be familiar with the principle of SSO from using 'Login with Google' to let an existing, logged-in Google session grant them access to other services such as Salesforce. In that case Google issues a token that the other service trusts (over OAuth 2.0 / OpenID Connect rather than SAML). SAML is the enterprise equivalent: your identity provider (IdP) sends a signed assertion about the user to the service provider (SP), here Tray, which verifies the signature and then signs the user in.

With SSO your End Users no longer need a separate Tray password to keep track of: they authenticate with your identity provider and are taken straight to their workflows, and logging into Tray follows your internal procedures (for example the password policy and MFA requirements enforced by your IdP).

There are a number of SSO identity providers (Okta, Duo, Onelogin, etc.). Exactly how SSO behaves (where user credentials are stored, the login procedure, etc.) depends on the provider your organisation uses.

Note: The Tray platform only supports SAML version 2.0

If you wish to make use of SSO, please contact your Tray account manager. Our engineering team will then be able to configure SSO, bearing in mind the following points:

  1. We will need to know who your SSO provider is (Okta, Duo, Onelogin, etc.)
  2. We may need to communicate with you about mapping requirements for user attributes
  3. We will provide you with an ACS URL (the Assertion Consumer Service URL, where your IdP posts the SAML response) and an Entity ID (the audience your IdP must issue assertions for). In return we normally need your IdP's SSO URL and its X.509 signing certificate, which Tray uses to verify the signature on your assertions. This exchange of information allows both parties to configure the SSO connection on their respective ends.
  4. Once SSO is set up and tested, it will work in one of two ways:
    • IdP-initiated: login starts at your end, so when your users log in to your authentication portal and select Tray they are redirected into a logged-in Tray session.
    • SP-initiated: End Users start a login at https://app.tray.io/sso/connection/<identityProvider>-<yourCompany> (for example okta-<yourCompany>). If a Tray account already exists for the user, the login is matched to that account via the email field asserted by your IdP. Otherwise, a new account is created for that user and linked to your SSO provider. Because matching is done on email, the email your IdP asserts must be the user's verified, canonical address: whoever can assert an email through your IdP can log in as that Tray account.

Note also that some SSO providers offer a staging environment, which lets you test the SSO setup before going live.

Instructions for individual SSO providers

Okta

You will need to create an Okta SAML 2.0 application, as described in the Okta documentation.

First choose an App name.

Anywhere you see okta-companyName below, replace companyName with the name of your company (the same value is used in the SSO connection URL above).

Then continue the setup, with the following values:

  • Single Sign on URL: https://sso.tray.io/login/callback?connection=okta-companyName
  • Audience URI (SP Entity ID): urn:auth0:trayio:okta-companyName
  • Default RelayState: leave empty
  • Name ID format: Unspecified
  • Application username: Okta username
  • In the ATTRIBUTE STATEMENTS section, add two new attributes (the Names must be exactly email and name, in lower case, as these are the attributes Tray reads from the assertion):
    1. First attribute with Name set to email, Name format set to Unspecified, and for Value select user.email from the dropdown
    2. Second attribute with Name set to name, Name format set to Unspecified, and for Value select user.firstName from the dropdown

Once all of this setup has been done, you will need to provide us with the following (available from the Okta admin interface for the application):

  • The IdP Single Sign-On URL
  • The X.509 signing certificate
  • The value you have used in place of companyName
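To make concrete what the exchanged values in step 3, the email matching in step 4 and the Okta attribute statements above are actually used for, here is an added example (not Tray's or Okta's code) of the checks a SAML 2.0 service provider applies to a Response POSTed to its ACS URL, followed by the email-based match-or-provision step. It uses the Okta values from this page (okta-companyName, the Single Sign on URL as ACS URL, the Audience URI as SP Entity ID, and the email and name attributes). The IdP issuer string, the Response body, its timestamps, the user jane.doe@example.com and the in-memory account table are all constructed for the example. It deliberately does not verify the XML signature with the IdP's X.509 certificate, which requires a SAML library (such as python3-saml on top of xmlsec); in a real SP that verification runs before any of the checks shown, otherwise none of the values below can be trusted.

```python
# Added example, not Tray's or Okta's code: what a SAML 2.0 service provider (SP)
# checks on a Response POSTed to its ACS URL, with the Okta values from this page,
# then the email-based account matching of step 4. Issuer, Response, timestamps and
# the account table are constructed. Signature verification with the IdP's X.509
# certificate is NOT shown; a SAML library (python3-saml/xmlsec) must do it first.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
UNSPEC = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
CONNECTION = "okta-companyName"  # values from the Okta setup; replace companyName with yours
ACS_URL = f"https://sso.tray.io/login/callback?connection={CONNECTION}"
SP_ENTITY_ID = f"urn:auth0:trayio:{CONNECTION}"
IDP_ISSUER = "http://www.okta.com/exk0EXAMPLE"  # assumed; Okta's admin UI shows the real one

class SamlError(Exception):
    pass

def _ts(value):  # SAML timestamps are UTC, e.g. 2024-01-01T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _in_window(elem, now):  # NotBefore / NotOnOrAfter are optional; absent means unbounded
    nb, noa = elem.get("NotBefore"), elem.get("NotOnOrAfter")
    return (not nb or now >= _ts(nb)) and (not noa or now < _ts(noa))

def validate_response(xml_text, now, acs_url=ACS_URL, sp_entity_id=SP_ENTITY_ID, idp_issuer=IDP_ISSUER):
    """Accept only a successful Response from our IdP, addressed to our ACS URL and
    Entity ID and inside its validity window; return the email and name attributes."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response" or root.get("Destination") != acs_url:
        raise SamlError("not a samlp:Response for our ACS URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise SamlError("IdP did not report Success")
    assertion = root.find("saml:Assertion", NS)  # EncryptedAssertion is not handled here
    if assertion is None or assertion.findtext("saml:Issuer", namespaces=NS) != idp_issuer:
        raise SamlError("no plaintext Assertion from our IdP")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not _in_window(cond, now):
        raise SamlError("outside the Conditions validity window (expired or replayed?)")
    if sp_entity_id not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise SamlError("Audience is not our SP Entity ID (issued for another connection)")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url or not _in_window(scd, now):
        raise SamlError("bearer SubjectConfirmation is not for our ACS URL or has expired")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    if not all(attrs.get(n) for n in ("email", "name")):  # the two Okta attribute statements
        raise SamlError("email and name attribute statements are required")
    return {"email": attrs["email"], "name": attrs["name"]}

def match_or_provision(attrs, accounts):
    """Step 4: match the asserted email to an existing account, else create one.
    `accounts` stands in for the user store, keyed by lower-cased email."""
    email = attrs["email"].strip().lower()
    if email in accounts:
        return accounts[email], False
    accounts[email] = {"email": email, "name": attrs["name"], "sso": CONNECTION}
    return accounts[email], True

def rejects(xml_text, now):  # True if validate_response refuses the Response
    try:
        validate_response(xml_text, now)
    except SamlError:
        return True
    return False

# Constructed, unsigned Response shaped like the one Okta POSTs to the ACS URL.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1"
 Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{ACS_URL}">
 <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jane.doe@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z" Recipient="{ACS_URL}"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="email" NameFormat="{UNSPEC}"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="name" NameFormat="{UNSPEC}"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
NOW = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)  # 30 s after IssueInstant

def demo():
    """First SSO login provisions the account; a second login matches it by email."""
    accounts = {}
    attrs = validate_response(SAMPLE_RESPONSE, NOW)
    _, created = match_or_provision(attrs, accounts)
    _, created_again = match_or_provision(attrs, accounts)
    return attrs, created, created_again, accounts
```

The Audience check is why the Audience URI in Okta must be exactly the Entity ID Tray gives you, and the Destination/Recipient checks are why the Single Sign on URL must be exactly the ACS URL: a Response issued for okta-othercompany, or replayed after its NotOnOrAfter, is refused by `rejects(...)`. Because `match_or_provision` keys on the asserted email, that attribute is security-critical, which is the reason the Okta attribute statement maps it to user.email and not to a free-text profile field.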