All users in Tribal Habits must be 'authenticated'. This means that each user must login using unique credentials and a password.
Users can login to Tribal Habits via three methods:
Via the standard Tribal Habits login page. This requires the user to enter either their username or email field and then a password stored in your Tribal Habits platform.
Via SAML 2.0 Single-Sign-On. This redirects the user to your SSO platform where they enter their standard SSO credentials and are then redirected back to your Tribal Habits platform as an authenticated user.
Via a custom OAuth2 authentication process. OAuth2 allows users from one platform to log into a second platform.
This article discusses the SAML 2.0 version of Single-Sign-On.
THIS FEATURE REQUIRES AN ACTIVE PLAN OR LARGER
Please note that single-sign-on (SSO) is only available on Active 50 or larger plans. This feature is not available on smaller plans (such as Starter) or legacy plans (older monthly plans). Please contact our team at [email protected] if you would like access to this feature but it is not activated in your portal.
IMPORTANT TIP!
If you need to troubleshoot your SSO / SAML settings, but cannot access your portal any longer as your SSO is not working, you can login with your local Tribal Habits user credentials at this URL.
https://yourorganisation.tribalhabits.com/accounts/sign_in_without_sso
What is SSO?
Single-Sign-On (SSO) is an authentication process that enables users to securely authenticate with multiple platforms by using just one set of credentials.
Tribal Habits utilises the SAML 2.0 standard for SSO. This is typically utilised by organisations that require their employees to login to access their desktop and applications. This 'one login' (single sign-on) allows the employee to access Tribal Habits without having to log into Tribal Habits again - so the employee can 'sign in once to their desktop and not have to have a separate password for Tribal Habits'.
For employees, SSO is a convenience. They don't need to remember a separate login and password for Tribal Habits. When they access Tribal Habits after already logging into their SSO environment at work, then they are automatically logged into Tribal Habits.
For organisations, SSO is secure. SSO provides organisations with more control over each user's security settings - such as minimum password requirements, password changes, password resets, application access and more. Organisations can manage passwords and application access directly (without using Tribal Habits' own settings).
Please note that SAML 2.0 SSO is typically utilised by organisations for employees. It requires your organisation to have an SSO platform to manage users - such as Azure AD, OneLogin or Okta. SAML 2.0 SSO is different from an open authentication standard such as OAuth2, which can be used to allow users from one platform to log into another platform.
Tribal Habits can support OAuth2 logins if you have a unique platform of your own (perhaps another SaaS platform or a community membership platform), but this is a different process from SSO. Please see this article about about OAuth2.
How do we activate SSO in our Tribal Habits portal?
Enabling SSO in your Tribal Habits portal is a four step process. Step 4 - when you set up the specific details from your SSO provider - will vary between organisations and SSO providers. We have more specific details about popular SSO providers in separate articles below. For now, the general process is as follows:
Step 1 - Check if SSO is enabled in your portal. Go to Admin / Account and see if the SSO menu is visible. If not, contact Support to enable SSO in your portal.
Step 2 - Obtain the SSO details from your identity provider.
Step 3 - Go to the Account area of your Admin view and select the SSO menu.
Step 4 - Complete the SSO configuration requirements at Tribal Habits and at your identity provider and test your connection with some existing users. See below.
Step 4 contains most of the work. If your IT team is familiar with your SSO processes, they can typically set up SSO in Tribal Habits in less than an hour.
What information is sent to Tribal Habits via SSO?
Remember that SSO is about user login. It is an authentication process. It is not a user or data sync between two platforms (which would be handled separately via a managed integration). The SSO process works as follows:
A user attempts to access your Tribal Habits platform.
Tribal Habits redirects the user to your SSO login page.
The user logs into your SSO environment as usual.
If the user is already logged in, then they are immediately redirected back to Tribal Habits and don't need to log into your SSO environment again.
The user is then redirected back to Tribal Habits as an 'authenticated' user and we automatically log them into Tribal Habits.
When the user is redirected back to Tribal Habits, your SSO platform sends four pieces of identifying information about each user. These four pieces of information - typically called 'claims' in the SSO process - are used to identify the user in Tribal Habits. The four 'claims' we require from your SSO provider for each user are:
First name
Last name
Email address (must be unique for each user)
User name (must be unique for each user)
User name can also be email, but is still sent as a separate field
User name can also be any other unique identifier, such as a payroll or employee number or a specific 'user name' used by your SSO process
IMPORTANT! All four SSO 'claims' must EXACTLY match a user in your Tribal Habits platform. It must be an exact match for all four 'claims'. Any difference in the spelling of a first name, a current last name or a current email, for example, could result in an unmatched user. Differences in first name (preferred vs actual) or slight changes in spelling are the #1 issue in SSO problems.
NOTE: By default, we redirect all users to your SSO login page once SSO is enabled in your portal. However, we can disable this redirect if your organisation would prefer. If so, your users will see the normal Tribal Habits login page and it will have a button to 'Login with Single-Sign-On' or to login with their local Tribal Habits credentials. To disable SSO redirect, please contact our Support Team (this change can only be made by our team).
What data should we use for the 'user name' claim?
As noted above, the user name field can be email, payroll number, employee number or an actual 'user name'. The key requirement is that the field is unique for each user.
Note 1 - The user name sent as part of the claims process does not need to be the same as the user name used in your SSO login process. So an employee may log into your SSO environment using, say, their email address, but you could still send an employee number as their user name field in the claims process.
Note 2 - The user name field is the key identifier field in Tribal Habits. It is the field we assume 'never changes' and can always be used to identify a user. While email address can be used for user name (and often is), it can often by safer to use an employee number or other identifier which will never change in the future (since email addresses can change if a user's name changes or your organisation changes its email addresses). This is purely optional - email address is certainly fine to use as a user name.
Must users be set up in Tribal Habits before they can login via SSO?
Ideally, yes, but this is not a requirement. Our SAML 2.0 SSO implementation supports 'auto provisioning'.
Ideally, you would set-up your users in Tribal Habits first. This allows you to populate any custom data fields (which may be important for catalogue or auto-enrolment rules).
However, this is not a requirement. If a new user in your SSO environment attempts to access your Tribal Habits platform and they have not been created in advance, then SSO will automatically create them on their first login (this is the 'auto provision' process). Users created this way only have basic information - just the four claims sent via the SSO process (so just name, username and email).
NOTE: SSO auto provision can be disabled if your organisation would prefer. When disabled, only users who already exist in your portal will be able to login with SSO. A user SSO user would instead see an error page with instructions to contact your IT department about access. To disable SSO auto provision, please contact our Support Team (this change can only be made by our team).
What if we have users who are not in our SSO platform?
That's ok! We can support both SSO and non-SSO users in the same portal via the LOGIN field. You can learn more about this process in this article.
What if we already have users in Tribal Habits before we set up SSO?
That's ok! In fact, you will most likely have users in Tribal Habits (from a trial or initial set up) before you set up SSO. In addition, you will likely need to add someone from your IT team (as a Super Admin, so they can edit all SSO details) too.
The key issue is that all existing users in Tribal Habits have the information for the four claims updated to match your SSO environment.
For example, users created during a trial will likely have been set up with users having their email address in their user name field. If your SSO claim for user name is not email, then you would need to edit this field to match your SSO claim.
For example, users created during a trial may have been set up with preferred first names. If a different first name is used in your SSO claim, this would need to be edited to match your SSO claim.
Are there specific support articles for different SSO platforms?
Yes! We have detailed articles to assist with set-up for these SSO providers.
Anything else we should know before setting up SSO?
Yes!
Its easy to accidentally lock yourself out of your Tribal Habits portal while setting up SSO. If you enable SSO but its not set up correctly, you wont be able to log into Tribal Habits via your SSO process. If so, you wont be able to access the SSO settings page in Tribal Habits to make changes. This can seem like a problem, but don't worry - there is a solution!
If you need to troubleshoot your SAML settings, but cannot access your portal any longer, you can login with your Tribal Habits user details at:
https://yourorganisation.tribalhabits.com/accounts/sign_in_without_sso