SAML-based SSO involves configuration on both the IDP and the SP (Tessell) before it can be used for authentication. This guide lists the configuration steps a customer needs to perform before they can log into Tessell via SSO. Since Azure AD is the first IDP we support, this guide lists the steps to configure Azure AD as the IDP. We can later add a section for Okta and any other IDPs.
Azure AD (IDP) Configuration
On Azure, under ‘Enterprise Applications’, create a new application (app) for Tessell.
Proceed to add AD users to the newly created app. These are users that should have access to Tessell. Then proceed to the ‘Setup single sign on’ section to configure the IDP side of SSO config in the app.
We require the admin to configure 3 Tessell-related fields in the new app’s SSO config. The values for these fields can be fetched from Tessell; they are located in the IAM app under ‘Identity Providers’.
These fields need to be configured in the Azure app under ‘Basic SAML Configuration’. The fields are:
Identifier (Entity ID)
Reply URL (Assertion Consumer Service URL)
Sign on URL
Leave ‘Attributes & Claims’ at the preset defaults.
Tessell (SP) Configuration
The following configuration steps have to be performed in the Tessell UI.
Microsoft generates a unique login URL, identifier, and signing certificate for each app. These have to be copied over from the app in Azure to Tessell.
The above fields have to be configured in Tessell under the IAM app. The precise location in Tessell’s UI is: Governance → IAM → Identity Providers → Azure AD
Once Tessell is configured with the IDP details, the last step is to invite the AD users to Tessell. Users can be invited to Tessell in Tessell’s IAM app (as shown below). Please ensure users invited to Tessell are also added to the Tessell enterprise application in Azure.
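A check an admin can run after copying the three IDP values into Tessell, as an added example that is not Tessell's or Microsoft's own code: it parses the IDP's SAML federation metadata and confirms that the identifier, login URL and certificate entered in Tessell match what the IDP actually publishes, since the pasted certificate is what the SP will use to validate assertion signatures. The metadata document, tenant id and certificate body are constructed placeholders, and `check_tessell_idp_config` with its config keys is an assumed name, not a Tessell API.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET  # parse untrusted metadata with defusedxml instead

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for the per-app federation metadata an IDP publishes;
# the tenant id and the certificate body are placeholders, not real Azure values.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>UExBQ0VIT0xERVItQ0VSVC1ERVItQllURVM=</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def cert_fingerprint(cert_text):
    """SHA-256 over the DER bytes of a base64 (or PEM) certificate body."""
    body = [l for l in cert_text.strip().splitlines() if not l.startswith("-----")]
    return hashlib.sha256(base64.b64decode("".join(body))).hexdigest()

def parse_idp_metadata(xml_text):
    """Extract the three values Tessell needs: identifier, login URL, signing certs."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    login_url = next((s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                      if s.get("Binding") == REDIRECT), None)
    certs = [c.text for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use", "signing") == "signing"  # no 'use' means signing+encryption
             for c in k.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return {"identifier": root.get("entityID"), "login_url": login_url,
            "signing_fingerprints": {cert_fingerprint(c) for c in certs}}

def check_tessell_idp_config(tessell_cfg, metadata_xml):
    """Compare values pasted into Tessell with the IDP metadata; return a list of problems."""
    idp = parse_idp_metadata(metadata_xml)
    problems = []
    if tessell_cfg["identifier"] != idp["identifier"]:
        problems.append("identifier does not match the IdP entityID")
    if tessell_cfg["login_url"] != idp["login_url"]:
        problems.append("login URL does not match the IdP HTTP-Redirect endpoint")
    if not str(tessell_cfg["login_url"]).startswith("https://"):
        problems.append("login URL must use https")
    if cert_fingerprint(tessell_cfg["certificate"]) not in idp["signing_fingerprints"]:
        problems.append("certificate is not one of the IdP signing certificates")
    return problems
```

An empty result means the three copied values agree with the IDP; any other result names the field to re-copy before inviting users.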