Single sign-on

To increase both usability and security for enterprise users, it is possible to set up SAML-based single sign-on (SSO).

Using SSO with your Organization means that your team members won't have to keep track of their login credentials. They will be able to quickly and easily access the Organization's assets and you can be certain that anyone logging into your Tray.io Organization will be in line with your internal protocols.

There are a number of SSO authentication providers and Tray.io connectors to choose from (such as OneLogin, Duo, Okta). Exactly how SSO will work will depend on the provider your Organization requires.

Please contact your Tray.io account manager if you wish to proceed with using SSO alongside your Organization.

Important notes on SSO

IMPORTANT!: The Tray platform only supports SAML version 2.0.

Setup

Our engineering team will then be able to configure SSO for you, bearing in mind the following:

  1. We will need to know who your SSO provider is.
  2. We may need to communicate with you about mapping specific requirements for user attributes.
  3. We will provide you with an ACS URL and an entity ID. In return we normally need an SSO URL and an X509 certificate. This exchange of information allows both parties to configure the SSO connection on their respective ends.

PLEASE NOTE: Some SSO providers use a staging environment, which means the SSO setup will need testing before it goes live. This is naturally use-case dependent.

Process

Once SSO is set up and tested, it will work in one of two ways:

  1. Login will be initiated at "your" end. Users will usually initiate their login at a URL which will look similar to this: https://app.tray.io/sso/connection/<identityProvider>-<yourCompany>
  2. When your users log in to your authentication portal, they will then be redirected to a "logged in Tray.io session".
  3. If a user tries to log in with a preexisting Tray.io account, their login will be matched via a UID (their email address).
  4. If this is a new user, then a new account will be created and registered with your SSO provider.

Instructions for individual SSO providers

Okta

Below is a summary of setup instructions for Okta users.

  1. Users will first need to create an Okta SAML application, as per the Okta setup guide instructions.

  2. Choose an App name.

  3. Anywhere you see okta-companyName below, please replace companyName with the name of your company.

  4. Continue setup with the following values updated as demonstrated below:

    • Single sign-on URL: https://sso.tray.io/login/callback?connection=okta-companyName
    • Audience URI (SP entity ID): urn:auth0:trayio:okta-companyName
    • Default relay state: DO NOT set any value here
    • Name ID format: Unspecified
    • Application username: Okta username
  5. In the Attribute statements section, add the following two attributes:

    • First attribute:
        • Name set to email
        • NameFormat set to unspecified
        • Value: select user.email from the dropdown options available
    • Second attribute:
        • Name set to name
        • NameFormat set to unspecified
        • Value: select user.firstName from the dropdown options available
  6. Once the above is set, you will need to provide Tray.io with the following information (available from the Okta admin interface):

    • The IdP single sign-on URL
    • The X509 signing certificate
    • The value you have used in place of companyName
  7. Following completion of the above, your setup should be finished.
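
Before sending the details in step 6, the values from steps 4 and 5 can be checked against a decoded SAML assertion from a test login. The following is an added example, not Tray.io or Okta code; the function names, the "examplecorp" placeholder and the sample assertion are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPEC = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

def expected_sp_values(company):
    """Build the two Okta field values from step 4 for a given companyName."""
    conn = f"okta-{company}"
    return {"acs": f"https://sso.tray.io/login/callback?connection={conn}",
            "audience": f"urn:auth0:trayio:{conn}"}

def lint_assertion(xml_text, company):
    """Lint one <Assertion> against this page's values; no signature check."""
    want, problems = expected_sp_values(company), []
    root = ET.fromstring(xml_text)  # parse only XML you captured yourself
    if root.get("Version") != "2.0":
        problems.append("assertion is not SAML 2.0")
    aud = root.findtext(".//saml:Audience", default="", namespaces=NS).strip()
    if aud != want["audience"]:
        problems.append(f"audience is {aud!r}")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != want["acs"]:
        problems.append("recipient does not match the single sign-on URL")
    attrs = {a.get("Name"): a for a in root.iterfind(".//saml:Attribute", NS)}
    for name in ("email", "name"):
        attr = attrs.get(name)
        if attr is None:
            problems.append(f"missing attribute {name}")
        # An omitted NameFormat means "unspecified" in SAML 2.0.
        elif attr.get("NameFormat", UNSPEC) != UNSPEC:
            problems.append(f"attribute {name} has a non-unspecified NameFormat")
        elif not (attr.findtext("saml:AttributeValue", "", NS) or "").strip():
            problems.append(f"attribute {name} has no value")
    return problems

# Constructed sample; "examplecorp" is a placeholder companyName. The second
# attribute is deliberately misnamed so the lint reports it.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
<saml:Subject><saml:SubjectConfirmation><saml:SubjectConfirmationData
 Recipient="https://sso.tray.io/login/callback?connection=okta-examplecorp"/>
</saml:SubjectConfirmation></saml:Subject>
<saml:Conditions><saml:AudienceRestriction>
<saml:Audience>urn:auth0:trayio:okta-examplecorp</saml:Audience>
</saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>
<saml:Attribute Name="email"><saml:AttributeValue>a.user@example.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="firstName"><saml:AttributeValue>A</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""

if __name__ == "__main__":
    print(lint_assertion(SAMPLE, "examplecorp"))
```

An empty list means the audience, recipient and both attribute statements match the values listed above for that companyName.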