Using Single Sign-On (SSO) with Tealium

kathleen_jo
Employee Emeritus

Tealium supports Security Assertion Markup Language (SAML) for implementing Single Sign-On (SSO). SSO is a secure way of using one authentication system to gain access to multiple applications. Using SAML for Tealium allows you to secure your users' accounts under your trusted enterprise identity provider.

SSO can be enabled only in your primary Tealium account. After SSO is enabled, Tealium will no longer manage the passwords for your users. You will still add users and manage permissions from within Tealium, but functionality related to passwords and authentication (i.e., multi-factor authentication) will no longer be available in your account. Users will authenticate through your corporate system and then use a special SSO URL to access their Tealium account.

When users are added to your SSO-enabled account they will no longer receive an activation email from Tealium.

Enabling SAML SSO for Tealium

In order to get started using SAML SSO for Tealium you will need a SAML service configured. Contact Tealium Support Desk to work through the following steps to get your account activated for SAML SSO: 

Step 1: Configure a SAML-based identity provider in your application

You may use third-party providers (e.g., PingOne, Okta, and OneLogin) or set up your own server. The only requirement is that it can communicate using the SAML format.

Step 2: Gather your identity provider attributes

The following values are required:

  • Email address for the IdP admin 
  • Entity ID
  • SSO endpoint
  • Public Certificates

Step 3: Provide the identity provider details to Tealium Support

A SAML metadata XML file or a URL to the metadata file works best for this purpose. Tealium Support will use this information to initiate the SSO enablement process with the Tealium IT team.

During the enablement, Tealium will assign an idp_id value that will uniquely identify your account. You will require this value when signing in.

Signing into Tealium with SAML SSO

Signing into an SSO-enabled account requires a special entry point URL. The standard Tealium login page, which requires a password, will not work for users attempting to access an SSO-enabled account.

Before You Begin:
If you have not already done so, contact Tealium Support to get the idp_id value for your SSO-enabled Tealium iQ account.

  1. Go to https://sso.tealiumiq.com/login/sso/{idp_id}. Be sure to replace {idp_id} with your specific value.
    • If you omit the idp_id value and go to https://sso.tealiumiq.com/login/sso/ instead, you will be prompted to enter your email address so that Tealium can determine the name of your primary account.
  2. If your SSO session is still active you will be redirected into Tealium iQ automatically. Otherwise you will be taken to your identity provider, where you will enter your password. 

FAQ

Q. How do I find my primary Tealium account?

This information can be found in your User Preferences settings.

  • In Tealium iQ, click your name/email in the top right corner to open the Account Admin menu.
  • Under User Preferences, click Edit/View user Settings.
  • Your primary account will be displayed under your email address.

Q. I have access to multiple accounts, some are SSO-enabled and others are not. How should I log in?

First, you must determine your primary account and whether it is enabled for SSO.

  • If your primary account is SSO-enabled, you must always log into that account using the special SSO URL. Once logged in, you can access your other accounts from the Account/Profile switcher. 
  • If your primary account does not use SSO, you can log in directly through Tealium and use the Account/Profile switcher to access your other accounts, even if the other accounts are SSO-enabled.

Q. How can I reset my password?

Tealium does not manage passwords for SSO-enabled accounts. You must contact your identity provider administrator to resolve any login issues.

Q. How do I authenticate with the Tealium API using SAML SSO?

For information about how to authenticate with the Tealium API using SAML SSO, see Managing and Generating API Keys.

Q. How do I log into Tealium Tools such as Web Companion or Verify using SAML SSO?

Tealium Tools that require login credentials, such as Web Companion and Verify, are not currently supported for SAML SSO accounts. Future releases of SAML SSO will incorporate Tealium Tool authentication.
