Configuring SAML SSO

SAML (Security Assertion Markup Language) is a widely used solution that supports SSO (single sign-on). SAML SSO works by passing authentication information between your existing Identity Provider and the TitanHQ platform. This means your Identity Provider becomes the authentication method for accessing the platform, and you'll no longer need to use your username and password to log in.

To set up SAML SSO, you'll need to configure both your Identity Provider and your TitanHQ platform account. Make sure you're logged into both accounts before you begin.

Note

The instructions below use Microsoft Azure (Microsoft Entra ID) as the example Identity Provider. Your own Identity Provider may have different field names; however, the process is similar.

Azure is not owned or managed by TitanHQ, and as such, the information may be subject to change without us knowing. If you notice anything out of place, please email docs@titanhq.com and let us know.

  1. In the TitanHQ platform, go to Settings > SAML SSO, and select the SAML SSO toggle to enable configuration.

    When the SAML SSO configuration is enabled, the page is populated with a series of fields, which are explained below. In the steps that follow, you'll learn how to complete the fields.

    Configure your Identity Provider

    Identifier (Service Provider Entity ID)

    A unique ID that identifies the SAML SSO application to Microsoft Entra ID.

    Reply URL

    The location where the SAML SSO application receives the authentication token.

    Setup SAML Authentication

    Login URL

    The URL address of your Identity Provider login location.

    Identity Provider Issuer

    The Identity Provider Entity ID for the service you use.

    Logout URL

    Your Identity Provider sign-out URL.

    Public Certificate

    A digital certificate that verifies secure communication between the Identity Provider and the platform.

    Attributes for Claims

    Attribute value for user.mail claim

    Your Identity Provider’s corresponding attribute value for the user.mail claim.

  2. Next, go to your Azure account, where you'll create a new application for SAML SSO.

    1. Go to Enterprise applications and select New application.

    2. In the next window, select Create your own application.

    3. Enter a name for your application, such as TitanHQ SAML SSO, and ensure Integrate any other application you don't find in the gallery (Non-gallery) is selected. Then select Create.

    4. Once the new application is created, select Refresh to refresh your screen. The new app for SAML SSO will appear in your table of applications.

  3. Next, you'll need to assign your email address to the app.

    1. Select the app to open it and then select Assign users and groups.

    2. Select Add user/group.

    3. Select the link None Selected, and in the window that opens, select your admin address.

  4. Once your email address is assigned to the SAML SSO app, you'll need to configure Azure with details from the platform.

    1. Select the checkbox beside your Display Name, and then select Single sign-on in the left menu.

    2. Select the single sign-on method SAML, which opens the Set up Single Sign-On with SAML window.

    3. Go to the SAML SSO configuration page in the platform. In the Configure your Identity Provider section, go to the Identifier (Service Provider Entity ID) field, and select the Copy icon.

    4. In Azure, select Edit in the Basic SAML Configuration section.

    5. In the screen that opens, select Add Identifier, and in the Identifier (Entity ID) field, paste the contents from your Identifier (Service Provider Entity ID) field.

    6. Next, you'll need to add the Reply URL. Go to the SAML SSO configuration page in the platform. In the Configure your Identity Provider section, select the Copy icon in the Reply URL field.

    7. In Azure, select Add reply URL and paste the contents in the Reply URL (Assertion Consumer Service URL) field.

  5. Once you've pasted details into the required fields, verify that the URLs appear in the Basic SAML Configuration section.

    The updates required in Azure are now complete.

  6. Next, you'll need to set up SAML authentication. This requires copying details from Azure to the SAML SSO configuration page in the platform. Begin by going to Azure and locating the Set up Demo SAML App section.

    1. In the Login URL field, select the copy icon.

    2. Go to the SAML SSO configuration page, and in the Setup SAML Authentication section, paste the contents in the Login URL field.

    3. In Azure, copy the Microsoft Entra Identifier.

    4. In the SAML SSO configuration page, paste the contents in the Identity Provider Issuer field.

    5. Next, in Azure, copy the Logout URL.

    6. In the SAML SSO configuration page, paste the contents in the Logout URL field.

    7. In Azure, locate the SAML Certificates section, and select Download beside Certificate (Base64). Save it to your Downloads folder.

    8. Open the file, copy the contents, and paste it in the Public Certificate field in the SAML SSO configuration page.

  7. The last configuration item to update is the Attributes for Claims, which is the attribute required for the user.mail claim.

    1. In Azure, go to the Attributes & Claims section, and copy emailaddress, which is the attribute for user.mail.

    2. In the SAML SSO configuration page on the platform, paste emailaddress into the Attribute value for user.mail claim field.

  8. Select Save. Once your configuration has been validated, a confirmation box appears, detailing the following three options:

    • Cancel: If you select Cancel, the configuration data you entered will not be saved and you'll be returned to the Configuration screen.

    • Save Config: If you select Save Config, the configuration data you entered will be saved, allowing you to enable SAML SSO later.

    • Enable: Selecting Enable means that your configuration data is saved, and SAML SSO login is now active.

      Important

      When you save and enable SAML SSO, if your current session expires, you must log in again using SAML SSO. You'll no longer be able to log in with a username and password. See Log in Using SAML SSO for details.
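
Because enabling SAML SSO replaces username and password login, it is worth confirming the values pasted in step 6 before selecting Enable. The following is an added example, not TitanHQ or Microsoft code: it cross-checks the Login URL, Identity Provider Issuer, Logout URL and Public Certificate fields against the Identity Provider's SAML metadata XML. It assumes you have also downloaded that metadata file, which this page does not cover; the function names, the all-zero tenant ID and the placeholder certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def der_sha256(cert_text):
    """SHA-256 of the DER bytes behind a PEM file or a bare Base64 body."""
    lines = (line.strip() for line in cert_text.splitlines())
    body = "".join(l for l in lines if l and not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body, validate=True)).hexdigest()

def parse_idp_metadata(xml_text):
    """Acceptable values per platform field, as sets: metadata may list
    several bindings, or more than one signing certificate during rollover."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    def locations(tag):
        return {e.get("Location") for e in idp.findall(tag, NS)}
    certs = idp.iterfind(".//ds:X509Certificate", NS)
    return {
        "Identity Provider Issuer": {root.get("entityID")},
        "Login URL": locations("md:SingleSignOnService"),
        "Logout URL": locations("md:SingleLogoutService"),
        "Public Certificate": {der_sha256(c.text) for c in certs},
    }

def mismatched_fields(metadata_xml, form):
    """Return the form fields whose pasted value is not in the metadata."""
    expected = parse_idp_metadata(metadata_xml)
    pasted = {k: v.strip() for k, v in form.items()}
    pasted["Public Certificate"] = der_sha256(form["Public Certificate"])
    return sorted(k for k, ok in expected.items() if pasted.get(k) not in ok)

# Constructed sample: all-zero tenant ID, placeholder bytes instead of a real certificate.
TENANT = "00000000-0000-0000-0000-000000000000"
ISSUER = f"https://sts.windows.net/{TENANT}/"
SSO_URL = f"https://login.microsoftonline.com/{TENANT}/saml2"
CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{CERT_B64}\n-----END CERTIFICATE-----\n"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="{ISSUER}"><IDPSSODescriptor>
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <X509Data><X509Certificate>{CERT_B64}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <SingleLogoutService Location="{SSO_URL}"/>
  <SingleSignOnService Location="{SSO_URL}"/>
</IDPSSODescriptor></EntityDescriptor>"""
SAMPLE_FORM = {"Identity Provider Issuer": ISSUER, "Login URL": SSO_URL + " ",
               "Logout URL": SSO_URL, "Public Certificate": SAMPLE_PEM}
```

An empty list from `mismatched_fields` means every pasted value appears in the metadata; any field name it returns should be re-copied from the Identity Provider before you enable SAML SSO.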