Tango acts as the service provider (SP) in an SP-initiated single sign-on (SSO) flow with your organization's identity provider (IdP), such as Okta, Microsoft Azure, or OneLogin. SSO authenticates the user's identity in your organization's environment through the IdP and then passes the user's authorization to log in to the Tango portal. When you enable a new SSO connection for your Tango portal, users have the option to log in with IdP authentication.
Note:
- If you’re using an IdP other than Okta, Azure, or OneLogin, you’re required to contact your Customer Success Manager (CSM) or success@tangocard.com to add your IdP domain to Tango's content security policy (CSP).
- Tango users who log in with SSO can't reset their passwords through the Tango portal. They must reset and maintain their passwords through the credential management configured by your organization's identity team.
OIDC vs. SAML SSO
OpenID Connect (OIDC) and Security Assertion Markup Language (SAML) are two protocols that can authenticate Tango portal users for SSO. Both are widely used, with different strengths and weaknesses. Here's a comparison of the two:
| Feature | OIDC | SAML |
|---|---|---|
| Application type | OIDC is built on top of the OAuth 2.0 protocol, which makes it suitable for modern web, mobile, and native applications. | SAML is well suited to enterprise environments and legacy applications. It is a mature standard with a proven track record. |
| SSO approach | OIDC uses JSON Web Tokens (JWTs) and is more lightweight, using RESTful APIs. | SAML uses XML-based signatures and encryption, which can provide strong security guarantees. |
| SSO configuration | OIDC is simpler and easier to configure on both the Tango portal and the IdP, and it requires fewer inputs (Client ID and URL). | SAML is more involved to configure, requiring explicit configuration of SAML attributes and certificate maintenance, and it requires more inputs (given_name, family_name, email, username, and email_verified). |
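The SP-initiated flow described above, and the JSON Web Token validation that OIDC relies on, as an added example in Python (this is not Tango's code): the SP builds the authorization request, keeps `state` and `nonce` in the user's session, and on return checks the ID token's signature, issuer, audience, expiry and nonce before accepting the identity claims (given_name, family_name, email, preferred_username, email_verified). It assumes the IdP signs with HS256 using the client secret so that it runs without third-party libraries; production IdPs such as Okta, Azure and OneLogin sign with RS256 and publish keys at a JWKS endpoint, so only the signature check would change. The issuer, client ID, secret, endpoints and user record are constructed values.

```python
"""
SP side of an SP-initiated OIDC login: build the authorization request with a
fresh state and nonce, then validate the returned ID token. Added example, not
Tango's code. Assumes the IdP signs ID tokens with HS256 using the client
secret (keeps this dependency-free; real IdPs use RS256 with JWKS keys, and
only _verify_signature() would change). All identifiers are constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional
from urllib.parse import urlencode

ISSUER = "https://idp.example.com"                    # constructed
CLIENT_ID = "sample-sp-client-id"                     # constructed
CLIENT_SECRET = b"constructed-shared-secret-for-demo-only"
REDIRECT_URI = "https://sp.example.com/sso/callback"  # constructed
# Identity claims the SP needs: the standard OIDC names for the attribute set
# the page lists for SAML (preferred_username is OIDC's name for username).
REQUIRED_CLAIMS = ("given_name", "family_name", "email", "preferred_username", "email_verified")

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_authorization_url(authorize_endpoint: str) -> tuple:
    """Step 1: the redirect that starts the login. Returns the URL plus the
    state/nonce the SP must keep in the user's session to check in step 2."""
    session = {"state": secrets.token_urlsafe(32), "nonce": secrets.token_urlsafe(32)}
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "openid profile email",
              "state": session["state"], "nonce": session["nonce"]}
    return f"{authorize_endpoint}?{urlencode(params)}", session

def _verify_signature(token: str) -> dict:
    """Check the HS256 signature and return the decoded payload."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm; never let the token's own `alg` header choose the check.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(CLIENT_SECRET, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))

def validate_id_token(token: str, expected_nonce: str, now: Optional[float] = None) -> dict:
    """Step 2: the ID token checks from OIDC Core 3.1.3.7, then the identity
    claims the portal needs. Returns those claims or raises ValueError."""
    now = time.time() if now is None else now
    claims = _verify_signature(token)
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if not (aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)):
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: replayed or foreign token")
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        raise ValueError(f"missing claims: {missing}")
    if claims["email_verified"] is not True:
        raise ValueError("email not verified by IdP")
    return {c: claims[c] for c in REQUIRED_CLAIMS}

def rejection_reason(token: str, expected_nonce: str, now: float) -> Optional[str]:
    """None if the token is accepted, otherwise the validation error message."""
    try:
        validate_id_token(token, expected_nonce, now=now)
        return None
    except ValueError as err:
        return str(err)

def sign_id_token(claims: dict) -> str:
    """Stand-in for the IdP: mints an HS256 ID token (constructed, test only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def sample_claims(nonce: str, now: float) -> dict:
    """Constructed user record as the IdP would assert it, valid for 5 minutes."""
    return {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-123", "iat": now,
            "exp": now + 300, "nonce": nonce, "given_name": "Ada",
            "family_name": "Lovelace", "email": "ada@example.com",
            "preferred_username": "ada", "email_verified": True}
```

Calling `build_authorization_url`, then `sign_id_token(sample_claims(session["nonce"], now))` for the stand-in IdP, then `validate_id_token` with the session's nonce round-trips one login. `rejection_reason` shows what the SP does with a token carrying a foreign nonce (a replayed or cross-session token), an expired token, or one whose signature no longer matches. Pinning the algorithm in `_verify_signature` and binding the nonce to the browser session are the two checks that keep an ID token usable only for the login that requested it.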
What do we recommend?
The ultimate choice between SAML and OIDC should be based on the specific needs of your organization, the types of applications you are integrating, and the existing infrastructure and skill set.
Tango recommends OIDC because:
- OIDC is a simpler, more lightweight, and more modern protocol that is easier to set up.
- OIDC doesn't require you to refresh certificates, whereas with SAML you must update and refresh your certificate when it expires.
What’s next?
- Configure your IdP using our sample:
- Add SSO connection in Tango portal (for admins)
- Manage SSO connection in Tango portal (for admins)