Overview
All users in Tribal Habits must be authenticated. This means that each user must log in using unique credentials and a password.
Users can log in to Tribal Habits via three methods:
Via the standard Tribal Habits login page, by entering their username or email address and a password stored in your Tribal Habits platform.
Via SAML 2.0 Single-Sign-On (SSO), which redirects the user to your SSO platform where they enter their standard SSO credentials and are then redirected back to your Tribal Habits platform as an authenticated user.
Via a custom OAuth2 authentication process, which allows users from one platform to log into a second platform. Learn more about OAuth2.
This article discusses the SAML 2.0 version of Single-Sign-On.
THIS FEATURE REQUIRES A BUSINESS PLAN OR LARGER
Please note that single-sign-on (SSO) is only available on Business 50 or larger plans. This feature is not available on smaller plans (such as Lite) or legacy plans (older monthly plans). Please contact our team at [email protected] if you would like access to this feature but it is not activated in your portal.
What is SSO?
Single-Sign-On (SSO) is an authentication process that enables users to securely authenticate with multiple platforms using just one set of credentials.
Tribal Habits utilises the SAML 2.0 standard for SSO. This is typically used by organisations that require their employees to log in to access their desktop and applications. This 'one login' approach allows employees to access Tribal Habits without needing a separate password - so once they've logged into their SSO environment at work, they are automatically logged into Tribal Habits.
For employees, SSO is a convenience - they don't need to remember a separate login and password for Tribal Habits.
For organisations, SSO is secure. It provides more control over each user's security settings, such as minimum password requirements, password changes, password resets and application access. Organisations can manage passwords and application access directly without using Tribal Habits' own settings.
Note that SAML 2.0 SSO is typically used by organisations for employees and requires your organisation to have an SSO platform to manage users, such as Microsoft Entra, OneLogin or Okta. SAML 2.0 SSO is different from an open authentication standard such as OAuth2, which can be used to allow users from one platform to log into another. Learn more about OAuth2.
How do we activate SSO in our Tribal Habits portal?
Enabling SSO in your Tribal Habits portal is a four-step process. Step 4 (when you set up the specific details from your SSO provider) will vary between organisations and SSO providers. We have more specific details about popular SSO providers in separate articles below.
1. Navigate to Admin → Account → Security and toggle on Enable SAML Single-Sign-On (SSO) under the Authentication section.
2. Click Manage to access your SSO settings and obtain the details required for your identity provider.
3. Obtain the SSO details from your identity provider.
4. Complete the SSO configuration requirements in Tribal Habits and at your identity provider, then test your connection with some existing users.
If your IT team is familiar with your SSO processes, they can typically set up SSO in Tribal Habits in less than an hour.
What information is sent to Tribal Habits via SSO?
SSO is about user login - it is an authentication process, not a user or data sync between two platforms (which would be handled separately via a managed integration).
The SSO process works as follows:
1. A user attempts to access your Tribal Habits platform.
2. Tribal Habits redirects the user to your SSO login page.
3. The user logs into your SSO environment as usual. If the user is already logged in, they are immediately redirected back to Tribal Habits without needing to log in again.
4. The user is redirected back to Tribal Habits as an authenticated user and is automatically logged in.
When the user is redirected back to Tribal Habits, your SSO platform sends four pieces of identifying information about each user. These four pieces of information (typically called 'claims' in the SSO process) are used to identify the user in Tribal Habits:
First name
Last name
Email address (must be unique for each user)
User name (must be unique for each user)
User name can also be email, but is still sent as a separate field
User name can also be any other unique identifier, such as a payroll or employee number
IMPORTANT! All four SSO 'claims' must exactly match a user in your Tribal Habits platform. Any difference in the spelling of a first name, last name or email address, for example, could result in an unmatched user. Differences in first name (preferred vs actual) or slight changes in spelling are the most common cause of SSO problems.
What data should we use for the 'user name' claim?
The user name field can be email, payroll number, employee number or an actual username. The key requirement is that the field is unique for each user.
Note that the user name sent as part of the claims process does not need to be the same as the user name used in your SSO login process. For example, an employee may log into your SSO environment using their email address, but you could still send an employee number as their user name field in the claims process.
The user name field is the key identifier field in Tribal Habits - it is the field assumed to never change and that can always be used to identify a user. While email address can be used for user name (and often is), it can be safer to use an employee number or other identifier that will never change, since email addresses can change if a user's name changes or your organisation changes its email addresses. This is purely optional - email address is certainly fine to use as a user name.
What about SSO auto-redirect?
By default, SSO auto-redirect is not enabled. When disabled, users will see the standard Tribal Habits login page with an option to log in with SSO or with their local Tribal Habits credentials.
You can enable auto-redirect via Admin → Account → Security by toggling on Enable auto-redirect for SSO login. When enabled, users accessing your portal will be automatically sent to your SSO login page if they are not already logged in.
This is best used when all or the majority of your users are using SSO.
FAQs
Must users be set up in Tribal Habits before they can login via SSO?
Ideally yes, but this is not a requirement. Our SAML 2.0 SSO implementation supports auto-provisioning.
Ideally, you would set up your users in Tribal Habits first. This allows you to populate any custom data fields, which may be important for catalogue or auto-enrolment rules.
However, if a new user in your SSO environment attempts to access your Tribal Habits platform and they have not been created in advance, SSO will automatically create them on their first login (this is the auto-provision process). Users created this way only have basic information - just the four claims sent via the SSO process (name, username and email).
Note: Auto-provisioning can be disabled via Admin → Account → Security by toggling on Prevent auto-provision of new users via SSO login. When auto-provisioning is disabled, only users who already exist in your portal will be able to log in with SSO. A user attempting to log in who does not exist will instead see an error page with instructions to contact your IT department about access.
What if we have users who are not in our SSO platform?
That's fine. Tribal Habits can support both SSO and non-SSO users in the same portal via the LOGIN field. Learn more about having SSO and external users in the one portal.
What if we already have users in Tribal Habits before we set up SSO?
That's fine. In fact, you will most likely have users in Tribal Habits (from a trial or initial set-up) before you set up SSO.
The key issue is ensuring that all existing users in Tribal Habits have their information updated to match the four claims from your SSO environment. For example:
Users created during a trial will likely have their email address in their user name field. If your SSO claim for user name is not email, you would need to edit this field to match your SSO claim.
Users created during a trial may have been set up with preferred first names. If a different first name is used in your SSO claim, this would need to be edited to match.
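An added example (not Tribal Habits code) of a pre-flight check for the exact-match requirement on the four claims described above: it compares an identity-provider user export with a portal user export before SSO is enabled. The CSV column names, the constructed sample rows, and the choice to pair records on user name are assumptions for illustration.

```python
import csv
import io
from collections import Counter

# Assumed export column names; the article names the claims, not a file format.
CLAIMS = ("first_name", "last_name", "email", "user_name")

# Constructed sample exports (not real data).
IDP_CSV = """first_name,last_name,email,user_name
Katherine,Nguyen,k.nguyen@example.com,E1001
Sam,O'Brien,sam.obrien@example.com,E1002
Priya,Patel,priya.patel@example.com,E1003
"""
PORTAL_CSV = """first_name,last_name,email,user_name
Kate,Nguyen,k.nguyen@example.com,E1001
Sam,O'Brien,Sam.OBrien@example.com,E1002
Lee,Wong,lee.wong@example.com,lee.wong@example.com
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def duplicates(rows, field):
    """Values of a claim that must be unique but appear more than once."""
    counts = Counter(r[field] for r in rows)
    return sorted(v for v, n in counts.items() if n > 1)

def compare_claims(idp_rows, portal_rows):
    """Pair records on user_name (assumption), then compare the other claims exactly."""
    portal = {r["user_name"]: r for r in portal_rows}
    report = {"mismatch": [], "not_in_portal": [], "not_in_idp": []}
    for row in idp_rows:
        existing = portal.pop(row["user_name"], None)
        if existing is None:  # would be auto-provisioned unless that is prevented
            report["not_in_portal"].append(row["user_name"])
            continue
        for field in CLAIMS[:3]:
            a, b = row[field], existing[field]
            if a != b:
                case_only = a.strip().lower() == b.strip().lower()
                report["mismatch"].append((row["user_name"], field, a, b, case_only))
    report["not_in_idp"] = sorted(portal)  # non-SSO users or a user name mismatch
    return report

if __name__ == "__main__":
    idp, portal = load(IDP_CSV), load(PORTAL_CSV)
    print(compare_claims(idp, portal))
    print(duplicates(idp, "email"), duplicates(idp, "user_name"))
```

Entries under not_in_idp are worth reviewing by hand: they are either users who log in outside SSO or trial-era accounts whose user name field still holds an email address.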
Are there specific support articles for different SSO platforms?
Yes! We have detailed articles to assist with set-up for these SSO providers:
Anything else we should know before setting up SSO?
It's easy to accidentally lock yourself out of your Tribal Habits portal while setting up SSO. If you enable SSO but it's not configured correctly, you won't be able to log in via your SSO process - and without access to your portal, you won't be able to access the Security page to make changes.
If this happens, don't worry. You can log in with your local Tribal Habits credentials at:
https://yourorganisation.tribalhabits.com/accounts/sign_in_without_sso
What if we get stuck setting up SSO? How do we troubleshoot?
