Configuring SSO on Together
First, if you do not have access to Together as an admin already, you will need to be invited as an IT Admin. The main admin building and operating your program on Together will be able to invite all IT team members from within the Integrations page.
- For more information on how your admin team can invite you, please refer to the steps outlined here: How to Invite an IT Admin
SAML Attributes
The following SAML attributes are expected by the Together SAML integration, please note some are optional while others are required.
| Instructions | SAML Attribute String | Attribute Description |
| Optional | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | User's first name |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | User's last name | |
| Required | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | User's Email |
| NameID | User's Identifier (Employee ID or Email |
Important Notes For SAML Attributes in Together:
The NameID assertion format in your configuration should be a value that is always unique to the employee and does not change when possible (i.e. employee ID or UUID). If that is not possible, the email address value can be used instead.Ā
- The SAML Attribute Strings in the table above are valid URL's, however, we expect that URL exactly as a string for the SAML Attribute Name. For example, if you are setting up the first/given name attribute, the name for that attribute should be "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", not "givenname".
The Name Format can be Unspecified, however the attribute name needs to match the 'SAML Attribute String' value in the table exactly.
Beginning Set Up:
Once you have been invited as an IT Admin and have signed into Together, you can make your way to theĀ Integrations page found here. This can be found underĀ Settings >Ā Integrations:
From the Integrations page, you can click on the Set Up button beside the SSO integration:
Select SSO Method:
Setting up the SSO integration in Together is simple, first, you start by selecting your sign-in method, in this case, we will be selecting SAML:
Once you select your sign-in method, you will also see an option to enter an Integration Owner. You may enter an email to be notified in case the integration/connection fails at any point.
After filling out an integration owner, click theĀ Save & ContinueĀ button:
Adding Your Metadata:
Now you will move on to the second step of the integration: entering your Identity Provider's metadata. To do so, simply paste the metadata in the text box near the bottom of the window and the rest will be automatically parsed for you:
Note: if you need to add multiple Identity Providers, you can do so by clicking theĀ Add Another Identity Provider button and then pasting your second IDP's metadata in the corresponding text box.
Important: Please enter the full URL in the attribute value field of your IdP when configuring custom attributes for givenname and surname. It will not work if only the variable names givenname and surname are entered in the value field.
After pasting in your metadata, double-check to make sure each of the fields looks correct. Once you have confirmed these are correct, be sure to click the Save & Continue button near the bottom to continue on to test signing in through your SSO:
Testing SSO:
After you have saved your Identity Providers metadata, you will be prompted to our Testing flow. Please read through the instructions carefully on this window, and when you're ready, click theĀ TestĀ button to verify you can successfully authenticate via SSO.Ā
Clicking the Test button will run you through a sign-in attempt via your new SSO configuration, and return you back to Together if it is successful.
Once you authenticate via SSO during this test, we will also verify the SAML Attributes are being sent and interpreted by Together properly. If there is a missing attribute or a blank value when you expected one, please see the Attribute notes near the top of this article.
Finish Setup:
Now that you have finished configuring and testing your new SSO setup, you will see one final page asking you to confirm a few things, namely, that you have assigned all your relevant users the proper permissions in order to be able to log into Together via your SSO.
Once you have read this page, you can confirm with the checkbox near the bottom and click theĀ FinishĀ button to finalize the SSO integration:
Enable SSO:
By default, once you finish the configuration, SSO will be disabled by default until you or your admin team turns it on from theĀ Integrations Page. If you're ready to enable this right after finishing the setup, you can toggle it on immediately, or you can wait until your admin team is ready. In either case, the configuration steps will be saved and can be enabled with the toggle switch at any time:
Note:
- We currently only support SHA256 hashing at this time, not SHA512.
- We support multiple organizations on Together using the same identity provider. However, please note that Just-in-Time provisioning (JIT) is not supported via identity provider-initiated logins. For organizations that share one identity provider, please prompt users to begin signing in from your organization-specific link that can be found underĀ Settings > General > Copy Link to Platform.
- If your team has configured a Microsoft O365 calendar/video integration with Together already, you still must create a new enterprise application for your SSO configuration. Configuring SSO cannot be done within the same application approved for the O365 calendar/video integration.
- We support staging environments for testing. Please submit a request here to request access to our staging environment.
Ā
Have more questions? Submit a requestĀ here and let us know how we can help!
Comments (0 comments)