Salesforce

Add SSO connection in Tango portal (for admins)

Printable View
« Go Back

Information

 
Answer

Depending on your company policy and setup, you may choose to have one or more login methods including username/password, Google account, or multiple SSOs (OIDCs and SAMLs). When your SSO is fully configured and ready to use, we recommend you to disable any other login method that your organization does not use, such as username/password or google authentication. See Manage login methods (Tango portal admins) for more information.

Who’s this guide for?

This guide is intended for Tango account administrators with Manage Authentication rights to help configure SSO as a way of secure login to Tango portal.

 

Note:
Tango doesn’t provide IdP consultation. If your organization is small, or you cannot set up IdP, consider Tango platform’s default (the username/password or Google SSO).

How to add SSO connection in Tango portal?

Follow the steps in this guide to add OIDC or SAML SSO to your Tango portal, but before you begin, make sure you configure your IdP first to create an entry. See the instructions below:

Steps to configuring SSO with Tango portal.

Step 1: Configure your IdP provider

To set up SSO for your Tango portal, you must first create an entry with your IdP provider and use Tango's configuration values copied from Tango portal.

 

Note:
The following table provides guidance for the most popular IdPs. If you’re using an IdP other than Okta, Azure, or OneLogin, you’re required to contact your Customer Success Manager (CSM) or success@tangocard.comto add your IdP domain to Tango's Content Security Policy (CSP). 

 

Log in as an admin to your IdP provider and follow their instructions and create an entry. We have provided some examples below but we recommend you to always check with your IdP documentation for the latest.

 

Identity Provider (IdP)

OIDC configuration instructions

SAML configuration instructions

Okta IdPOkta OIDC SSO configuration stepsOkta SAML SSO configuration steps
Azure IdPAzure OIDC SSO configuration stepsAzure SAML SSO configuration steps
OneLoginOneLogin OIDC SSO configuration stepsOneLogin SAML SSO configuration steps

Step 2: Configure Tango portal

You must have Manage rights for Authentication plus Organization Access for Access Level in your portal to add SSO to Tango portal. Authentication permission is turned off by default. If you don’t have the permission, or you’re not a Tango admin, ask a Tango admin in your organization to give you permissions under Users > Permissions > Authentication. See Organization roles and permissions in Default user roles in Tango portal.

Once the SSO entry has been created in your IdP, copy the required values in IdP for Tango portal configuration.

To configure Tango portal:

  1. Sign in to the Tango portal.
  2. Go to Team settings > Authentication.
  3. Click Add SSO connection.
  4. Select OIDC or SAML and continue as follows:
    1. For OIDC:
      1. Click Continue on the Single Sign-On page to go to the next.
      2. Enter a Connection display name. The connection display name will show up later on the Tango login page as a login method for users.

        Note:
        • You cannot have duplicate names.
        • The connection display name may have up to 128 letters with no special characters.

        OIDC Configuration

      3. Enter a custom Client ID that you have configured in IdP. See our SSO configuration steps in IdP guide.
      4. Enter OpenID Connection ID Token Issuer URL. This field is the Tenant ID in IdP. See our SSO configuration steps in IdP guide. The URL link is automatically appended with the following extension as soon as you paste it in the Tango portal: (/.well-known/openid-configuration).
      5. Tango claim keys are automatically populated for standard OIDC. Only if your IdP does not follow the OIDC standard and you see different variables in your IdP, enter those exact variables here to continue.
      6. (Optional) Select Bypass MFA. When you bypass multi-factor authentication (MFA), you won’t be challenged for an MFA when using SSO.
      7. Click Add. The connection is created, but disabled by default. You must test and enable the connection to make it available for your portal users. See how to test and enable SSO connection.

    2. For SAML:
      1. Click Continue on the Single Sign-On page to go to the next.
      2. Enter Connection display name. The connection display name will show up later on the Tango login page as a login method for users.

        Note:
        • You cannot have a duplicate connection display name.
        • The connection display name may have up to 128 letters with no special characters.

        SAML Configuration

      3. Enter the Entity ID and Metadata URL that you have configured in your IdP.
      4. (optional) Click Enter details manually to enter SAML configurations such as Signing certificate, Log in URL, Log out URL (Debug Mode, Sign Request, Bypass MFA) taken from your IdP
      5. (Optional) Select Bypass MFA. You won’t be challenged for an MFA when using SSO.
      6. Click Add. The connection is created, but disabled by default. You must test and enable the connection to make it available for your portal users. See how to test and enable SSO connection.

 

Note:
  • For SAML SSO, make sure your IdP signing certificate is up-to-date. When it expires, you must refresh the certificate or the Metadata URL to keep the connection working.
  • Tango does not require signing certificate. If you get a Sign Request, you must disable it by editing your SAML SSO connection. Here’s how:

    To disable Sign Request, follow the procedure below:
    • In Tango portal, navigate to Authentication page and find the SAML connection.
    • Click the ellipses menu, and select Edit next to the SAML connection.
    • Click Enter metadata URL.
    • Delete the Metadata URL link you have copied from your IdP before.
    • Click Update.
    • Click the ellipses menu next to SAML connection again, and select Edit.
    • Check to make sure Metadata URL is deleted.
    • Clear the Sign Request checkbox.
    • Click Update again. The Sign Request is removed from your connection.

Step 3: Test the SSO connection

As a Tango portal admin, you should test your SSO connection before enabling it for other users. To test the SSO connection, change it to the testing mode. When the test is successful, enable the connection to make the SSO available for all users on the Tango portal.

 

Note:
  • Admins and users with the authentication permission, can see all SSO connections listed in the Authentication page including the connections that are in testing mode.
  • An SSO connection can only be tested by the authorized users who have access to the test URL.
  • Non-admin users cannot log in with the SSO method that’s still in the testing mode.
  • The Tango portal default connections cannot be edited or deleted in your portal, but can be disabled.

 

To test the SSO connection:

  1. Make sure you are signed in to the Tango portal with manage authentication permissions.
  2. Go to Team settings > Authentication.
  3. Find OIDC SSO or SAML SSO on the list.
  4. Click ellipsis menu then select Enable testing.

    Enable testing

  5. Click again to confirm Enable testing. You are given a URL to test.
  6. Click copy Service provider URL. The window closes automatically and the label changes on the Tango portal to Testing.

    Testing URL

  7. Log out of the Tango portal.
  8. Paste the copied URL in an incognito browser and hit Enter to log in again. You know the test is successful if you can log in to the Tango portal dashboard directly and without entering your password. The UI indicates that the SSO is in Testing mode.

 

Note:
  • Other Tango portal users cannot see this SSO as an option in their login page while the connection is being tested.
  • To see the new SSO in Tango portal, log off and log back in. The SSO is added to the login methods.

 

To copy the testing URL anytime after, click Service provider URL from the ellipsis Three dots menu next to the SSO. Use the Service provider URL link for Service Provider (SP)-initiated logins (such as Okta) after the test is completed. It will allow your users to skip the Tango login page and directly log in to the Tango application.

Step 4: Enable SSO authentication

You must enable your SSO to make it available for all users in your portal. Enable the authentication after your test confirms the connection is working.

 

To enable SSO authentication:

  1. Make sure you are signed in to the Tango portal with manage authentication permissions.
  2. Go to Team settings > Authentication.
  3. Find OIDC SSO or SAML SSO on the list.
  4. Click Enable next to the connection.
  5. Click Enable for all users.

Enable SSO authentication for all users

The newly added SSO shows up as a login method in your Authentication and your Tango login page. At this point you and all users can sign in to Tango portal using SSO

 

Best practices:
For extra security and to avoid users confusion, we recommend you to keep only one active login method at any time and disable the rest. For example, disable username/password and google authentication when you have enabled SSO.

 

login connections

Step 5: Sign in to Tango portal with SSO

Once the SSO authentication is enabled, you can sign in to Tango portal using the SSO.

 

Note:
  • If you've logged in using SSO before, you may not see all the steps below.
  • If you’ve logged in to SSO before you cannot reset your password via Tango portal. 

 

To sign in with SSO:

  1. Go to the Tango portal.
  2. Enter your email address and click Continue.
    You can select the Remember email option.
  3. Select Continue with [your] SSO Connection to log in.

    If prompted, enter your email address and click Continue. If your IdP prompts you to sign in, enter your credentials to log in to your IdP, and you will be redirected back to Tango. Receive a text message, email, or authenticator app with your six-digit verification code. Enter your six-digit code and click Verify. For more information see Sign in to Tango portal.

 

Note:

You will receive the verification code only if:

  • This is your first time logging in on this device.
  • You have not checked the option to remember this device for 30 days last time you logged in.
  • You have logged in to this device before, but cleared cache/cookies since the last time you used Tango portal.


More resources

TitleAdd SSO connection in Tango portal (for admins)
URL NameAdd-SSO-connection-in-Tango-portal
Powered by