Information

Answer

This supplementary document is to help you set up SSO for Tango portal with your Okta Identity Provider (IdP). You must first configure your IdP as an admin to create an entry for Tango portal Single Sign-On (SSO). Consult with your company’s IdP expert for the latest IdP configuration steps and instructions.

Note: This document is created in August 2024. We’re only providing a general guidance to get you started. For up-to-date procedure and screenshots, refer to the your IdP documentation.

Disclaimer: Tango has no affiliation with Okta. Tango makes no warranty of any kind, whether express or implied, with regard to any third party products, third party content, or third party services. Tango will not be liable for loss damage, cost or expense, whatsoever resulting from this guide. This guide is provided as a courtesy. To confirm accuracy or completeness of this guide, please consult with Okta directly.

In this article you can find:

OKTA OIDC SSO configuration steps
OKTA SAML SSO configuration steps
Add a tile in Okta for OIDC SSO connection
Add a tile in Okta for SAML SSO connection

Requirements

An IdP account with admin permissions
A Tango portal account with manage authentication permissions

OKTA OIDC SSO configuration steps

To set up SSO with Okta OIDC for the Tango platform, you need an administrator account access to your IdP provider. Log in to your IdP and create and entry for the new SSO. Find out Connection display name, Client ID, and OpenID Connection ID Token Issuer URL in your IdP before continuing in Tango portal.

To set up Okta OIDC:

Log in to your Okta IdP with an admin account.
Go to Applications and click Create App Integration.

Select OIDC OpenID Connect and Web Application.

Click Next.
Under General tab > General Settings:
1. Enter a name in the App integration name field, such as “Tango OIDC”. You can use this name as Connection display name in Tango.
2. Select Implicit (Hybrid) for Grant type.
3. For Controlled access, select everyone in your organization or limit users.
4. Click Save.
Under General tab > Client Credentials:

Click to copy the Client ID value. You need it later to Add SSO connection in Tango portal.
Under Sign On tab:
1. Click the drop-down menu next to Issuer and select the Okta URL link. You need to enter this link later in the OpenID Connection ID Token Issuer URL field when configuring Tango portal. The URL link will be automatically appended with the following extension as soon as you paste it in Tango portal: (/.well-known/openid-configuration). See how to Add SSO connection in Tango portal.
2. Click Save.
Click Edit next to General settings > Login:
1. For Sign-in redirect URIs, paste one of the following links based on your environment:
  - Sandbox: https://sandbox-auth.tangocard.com/login/callback
  - Production: https://auth.tangocard.com/login/callback
2. Click Save.
Follow the remaining steps in Tango portal. See how to Add SSO connection in Tango portal.

OKTA SAML SSO configuration steps

To set up SSO with Okta SAML for the Tango platform, you need an administrator account access to your IdP provider. Log in to your IdP and create and entry for the new SSO. Find out Connection display name, Entity ID, and Metadata URL in your IdP before continuing in Tango portal.

To set up Okta SAML SSO:

Log in to Okta IdP with an admin account.
Go to Applications > Create App Integration.
Select SAML 2.0 and click Next.
Under General tab > General Settings:

Enter a value for the App name, such as “Tango SAML SSO”, and click Next.
Paste the following attributes from Tango portal under Create SAML Integration > Attribute Statements. See how to Add SSO connection in Tango portal.

Tango attributes*	Okta defaults
given_name	user.firstName
family_name	user.lastName
email	user.email
username	user.login
email_verified	true

*For other IdPs, refer to the IdP documentation to find out their attribute names.

Click Next and Finish.
In the Assignments tab:
1. Click Convert Assignments and select Convert all from the drop-down menu.
2. Select Groups or People to assign to this new SAML SSO connection, and click Done.
3. Click Copy next to Metadata URL and add the link to Tango portal. See how to Add SSO connection in Tango portal.
Continue the SSO configuration in Tango Portal. See Add SSO connection in Tango portal.

Add a tile in Okta for OIDC SSO connection

You can add a tile for the newly created Tango OIDC SSO connection to your Okta dashboard. To start, make sure you have enabled the SSO in Tango portal. Log in to your Okta IdP and follow the instructions below:

To add Tango SSO tile:

Log in to Okta IdP using your admin account
Select your Tango application OIDC on the list.
Go to Applications > General Settings and click Edit.
Enter a value for App integration name such as “Tango OIDC”.
Select Login initiated by > Either Okta or App.
Select Application visibility >Display application icon to users.
For Initiate login URI, copy and paste the same link you have found under “Service provider URL” in Tango portal.
To copy the Service provider URL:
1. Go to Tango > Team settings > Authentication.
2. Click ellipsesmenu next to the newly added SSO.
3. Copy the Service provider URL.
  See full instructions in Add SSO connection in Tango portal.
Click Save.
Click Edit next to Federation Broker Mode and Disable it.
Click Save.
Click Edit Logo and upload Tango logo measuring 420 x 120 pixels.
Click Save.
Refresh your Okta dashboard under My Apps and see the newly created “Tango” tile. To test, click the tile to log you in to the Tango portal.

Add a tile in Okta for SAML SSO connection

You can add a tile for the newly created Tango SSO connection on your Okta dashboard. To start, make sure you have the administrator rights and have enabled SSO in Tango portal. Log in to your Okta IdP and follow the instructions below: