Single Sign-On (SSO) synchronization in TerraTrue allows centralized access management through your Identity Provider (IdP), such as Okta, Azure AD (now Microsoft Entra ID), JumpCloud, or OneLogin. This guide will help you configure SSO Sync and map TerraTrue user groups to groups in your IdP.
Prerequisites
- Ensure you have administrative access to both TerraTrue and your Identity Provider.
- SSO configured with the SAML 2.0 protocol.
- Users must already exist in TerraTrue, provisioned either manually or automatically via SCIM or SSO JIT (Just-In-Time) provisioning.
SSO Configuration
- If you haven’t enabled SSO in your org and would like to, please contact TerraTrue support to help you get started. The following help center articles and references can help you configure SSO in your organization:
- After SSO is enabled, test the configuration to ensure that users can sign in to TerraTrue with SSO through your IdP.
- Review your session duration: group memberships are synced only when a user signs in, so the session duration bounds how long a membership change made in the IdP takes to reach TerraTrue.
- Note: A user whose group membership changes in the IdP keeps their previous TerraTrue access (or lack of it) until their next sign-in, so a user newly added to a group can be denied access until then. We recommend setting a 1-day session duration.
Mapping User Groups via SSO Identity Provider
Before you can map Permissions, Review Teams, and Access Groups to groups in your Identity Provider (IdP), each of them must first be configured in TerraTrue.
TerraTrue Groups Configuration
Permissions
- TerraTrue roles and their permissions are predefined by TerraTrue. With SSO, you can assign roles, and therefore their permissions, to users directly in your IdP. Setup instructions and details of the permissions available in each role can be found in configuring permissions and roles.
- Ensure that your users exist in TerraTrue by going to Org Settings > Users. Setup instructions for adding and managing users are available for your reference.
- Note: Users need to be created manually in TerraTrue, except when:
- your org uses the Auto-Onboarding feature, in which case users are created automatically at SSO sign-in; or
- SCIM is used for user provisioning.
- Note: User permissions already configured in TerraTrue are not carried over to your IdP; if you plan to manage them from the IdP, you must recreate them there.
- To keep the current assignments, reflect them in the corresponding IdP groups before enabling sync. Otherwise the assignments are removed the next time the affected users sign in with SSO.
- Note: When Group Sync with SSO is enabled, permissions cannot be assigned directly in TerraTrue.
- The exception is the "Everyone" permission in Identity and Access Management, which lets an administrator grant permissions to every existing user in the org; it remains configurable directly in TerraTrue, as do permissions for API users.
Review Team
- Ensure that your Review Teams are configured in TerraTrue under Org Settings > Review Teams so that they are available to map. Setup instructions for creating and editing Review Teams are available for your reference.
- Note: Review Team memberships already configured in TerraTrue are not carried over to your IdP; if you plan to manage them from the IdP, you must recreate them there.
Access Groups
- Ensure that your Access Groups are configured in TerraTrue under Org Settings > Access Groups so that they are available to map. Setup instructions for creating and editing Access Groups are available for your reference.
- Note: Access Group memberships already configured in TerraTrue are not carried over to your IdP; if you plan to manage them from the IdP, you must recreate them there.
TerraTrue Group Mapping
- Go to Org Settings > Authentication > User Group Mappings.
- Switch on “Enable Group Sync with Identity Provider”, then select SSO / SAML as the provisioning method.
- Sort or filter the list by group type (Permissions, Review Teams, Access Groups).
- In your IdP, create a corresponding group for each Permission, Access Group and Review Team whose membership will be managed from it.
- Note: Populate each IdP group with the members the corresponding TerraTrue group has today, paying particular attention to the group that carries the administrator permission; a missing member is removed at their next sign-in, so an incomplete admin group can lock you out of TerraTrue.
- Enter the IdP group name next to the corresponding TerraTrue group.
- Note: For Microsoft Entra, enter the group's Object ID instead of its display name, because Entra's group claim carries object IDs (see the Microsoft Entra section below).
- Click “Save & Apply Changes” to persist the configuration.
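The lockout warning above is easy to check before clicking Save & Apply Changes. The following script is an added example, not TerraTrue's or any IdP's code: it takes the memberships currently configured in TerraTrue, the mapping table, and the IdP group memberships, and reports who would lose or gain membership at their next sign-in. All three inputs are constructed sample data (the page documents no export API); in practice you would populate them from Org Settings and from your IdP's group export. The group names and email addresses are hypothetical.

```python
"""Pre-cutover reconciliation before enabling "Group Sync with Identity Provider".

Added example, not TerraTrue's code. The three inputs below are constructed
sample data; substitute exports from TerraTrue Org Settings and from your IdP.
"""
from typing import Dict, List, Optional, Set, Tuple

Group = Tuple[str, str]  # (group type, TerraTrue group name)

# Constructed sample: memberships as currently configured in TerraTrue.
TERRATRUE_MEMBERSHIPS: Dict[Group, Set[str]] = {
    ("Permissions", "Admin"): {"alice@example.com", "bob@example.com"},
    ("Review Teams", "Privacy Review"): {"carol@example.com"},
    ("Access Groups", "Finance"): {"bob@example.com", "dave@example.com"},
}

# Constructed sample: the User Group Mappings table, TerraTrue group -> IdP group
# name (for Microsoft Entra this would be the group's Object ID instead).
GROUP_MAPPINGS: Dict[Group, str] = {
    ("Permissions", "Admin"): "terratrue-admins",
    ("Review Teams", "Privacy Review"): "terratrue-privacy-review",
    ("Access Groups", "Finance"): "terratrue-finance",
}

# Constructed sample: IdP group memberships as they stand today. Two mistakes are
# planted on purpose: bob was never added to terratrue-admins, and
# terratrue-finance has not been created in the IdP at all.
IDP_MEMBERSHIPS: Dict[str, Set[str]] = {
    "terratrue-admins": {"alice@example.com"},
    "terratrue-privacy-review": {"carol@example.com"},
}


def reconcile(
    terratrue: Dict[Group, Set[str]],
    mappings: Dict[Group, str],
    idp: Dict[str, Set[str]],
) -> Dict[Group, Dict[str, object]]:
    """For each TerraTrue group, compute who loses and who gains membership once
    sync is on. After sync, membership equals the mapped IdP group, so an
    unmapped TerraTrue group or a missing IdP group empties the TerraTrue group."""
    report: Dict[Group, Dict[str, object]] = {}
    for group, current in terratrue.items():
        idp_group: Optional[str] = mappings.get(group)
        after = idp.get(idp_group, set()) if idp_group else set()
        report[group] = {
            "idp_group": idp_group,
            "idp_group_exists": idp_group in idp,
            "will_lose": current - after,
            "will_gain": after - current,
        }
    return report


def lockout_risk(report, admin_group: Group = ("Permissions", "Admin")) -> List[str]:
    """Administrators who would lose the admin permission at their next sign-in.
    Anyone listed is a lockout risk: fix the IdP group before enabling sync."""
    entry = report.get(admin_group)
    if entry is None:
        return []
    return sorted(entry["will_lose"])


def safe_to_enable(report) -> bool:
    """True only when every mapped IdP group exists and nobody loses membership."""
    return all(e["idp_group_exists"] and not e["will_lose"] for e in report.values())


if __name__ == "__main__":
    rep = reconcile(TERRATRUE_MEMBERSHIPS, GROUP_MAPPINGS, IDP_MEMBERSHIPS)
    for group, e in rep.items():
        print(f"{group[0]} / {group[1]} -> {e['idp_group']!r} "
              f"(exists={e['idp_group_exists']}) lose={sorted(e['will_lose'])} "
              f"gain={sorted(e['will_gain'])}")
    print("admins at risk:", lockout_risk(rep))
    print("safe to enable:", safe_to_enable(rep))
```

Run it against real exports until `safe_to_enable` is true, or until every remaining "will_lose" entry is a removal you intend. A non-empty `lockout_risk` result is the case the note above warns about: that administrator loses the admin permission the next time they sign in with SSO.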
Identity Provider configuration
Okta
- In the Okta Administrator UI, go to the TerraTrue application.
- Click Edit in the Settings section of the Sign On tab.
- In the SAML 2.0 section, add a Group Attribute Statement that emits the user's groups. The attribute name must match what TerraTrue expects; the Microsoft Entra and JumpCloud sections below use the name groups.
- Note: Choose a filter (for example, Starts with on a naming prefix you reserve for TerraTrue groups) that selects exactly the groups to be synchronized to TerraTrue. A filter also keeps unrelated group names, including Okta's built-in Everyone group, out of the assertion sent to TerraTrue.
- Click Save.
Microsoft Entra
- In the Microsoft Entra admin center, go to Enterprise applications and open the TerraTrue app.
- Click Manage > Single sign-on in the left-hand menu.
- Click Edit on the Attributes & Claims section.
- Click Add a group claim at the top of the page.
- In the Group Claims panel on the right:
- Select All groups for the option "Which groups associated with the user should be returned in the claim".
- Choose Group ID as the Source attribute. This is why the TerraTrue mapping table takes the group's Object ID rather than its name for Entra.
- Expand the Advanced options section (Filter groups and the claim-name override live there).
- Check the Filter groups box and enter a filter that matches only the groups to be synced to TerraTrue.
- Check the Customize the name of the group claim box and enter groups in the Name (required) field.
- Click Save.
JumpCloud
- In the JumpCloud Admin Portal, go to SSO Applications and open the TerraTrue app.
- On the TerraTrue application page, go to the User Groups tab and select every group whose members will be synced to TerraTrue groups.
- Click Save.
- Go to the SSO tab of the TerraTrue application page.
- In the Group Attributes section, check the include group attribute box.
- Enter groups as the attribute name.
- Click Save.
Test SSO Sync
Once the configuration is in place, TerraTrue synchronizes memberships from the groups asserted at each SSO sign-in. Changes in the IdP (for example, adding or removing users from groups) are reflected in TerraTrue the next time the affected user signs in. Test the SSO login with a user from each mapped group to ensure users are authenticated and their group memberships land in the right TerraTrue groups. Keep an administrator session open in a separate browser while you test, so that a mapping mistake cannot lock you out.
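When a test login authenticates but lands in no groups, the quickest diagnosis is to look at what the IdP actually put in the assertion and compare it with the mapping table. The following script is an added example, not TerraTrue's or any IdP's code. It parses the groups attribute out of an assertion (as configured in the Okta, Microsoft Entra and JumpCloud sections above) and resolves each value against a mapping table. Both assertions are constructed by hand, trimmed to the AttributeStatement (Subject, Conditions and Signature omitted), the group names are hypothetical, and the Entra Object ID is a made-up placeholder.

```python
"""Inspect the groups attribute of a SAML assertion and resolve it against the
TerraTrue User Group Mappings table.

Added example, not TerraTrue's or any IdP's code. Both assertions are
constructed samples trimmed to the AttributeStatement.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed: Okta/JumpCloud style, the groups attribute carries group names.
# The filter was left loose on purpose, so Okta's built-in Everyone group leaks in.
OKTA_STYLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="email">
      <saml2:AttributeValue>bob@example.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="groups">
      <saml2:AttributeValue>terratrue-admins</saml2:AttributeValue>
      <saml2:AttributeValue>terratrue-finance</saml2:AttributeValue>
      <saml2:AttributeValue>Everyone</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# Constructed: Microsoft Entra style. With Group ID as the source attribute the
# claim carries object IDs, not names, so the mapping table holds the Object ID.
# The GUID below is a placeholder, not a real tenant's group.
ENTRA_STYLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="groups">
      <saml2:AttributeValue>00000000-0000-4000-8000-000000000001</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# Constructed mapping table: TerraTrue (type, name) -> IdP group name or Entra Object ID.
GROUP_MAPPINGS: Dict[Tuple[str, str], str] = {
    ("Permissions", "Admin"): "terratrue-admins",
    ("Access Groups", "Finance"): "terratrue-finance",
    ("Review Teams", "Privacy Review"): "00000000-0000-4000-8000-000000000001",
}


def extract_groups(assertion_xml: str, attribute_name: str = "groups") -> List[str]:
    """Return every AttributeValue of the named attribute, in assertion order.
    attribute_name must match what was configured at the IdP (the Okta group
    attribute statement, the Entra claim name, the JumpCloud group attribute)."""
    root = ET.fromstring(assertion_xml)
    values: List[str] = []
    for attr in root.iterfind(".//saml2:Attribute", NS):
        if attr.get("Name") != attribute_name:
            continue
        for value in attr.iterfind("saml2:AttributeValue", NS):
            if value.text and value.text.strip():
                values.append(value.text.strip())
    return values


def resolve(groups: List[str], mappings: Dict[Tuple[str, str], str]):
    """Map asserted values to TerraTrue groups by exact match.
    Returns (matched TerraTrue groups, unmatched asserted values)."""
    by_idp_value = {v: k for k, v in mappings.items()}
    matched = [by_idp_value[g] for g in groups if g in by_idp_value]
    unmatched = [g for g in groups if g not in by_idp_value]
    return matched, unmatched


if __name__ == "__main__":
    for label, xml in (("okta-style", OKTA_STYLE_ASSERTION), ("entra-style", ENTRA_STYLE_ASSERTION)):
        asserted = extract_groups(xml)
        matched, unmatched = resolve(asserted, GROUP_MAPPINGS)
        print(f"{label}: asserted={asserted}")
        print(f"  TerraTrue groups: {matched}")
        print(f"  not in mapping table: {unmatched}")
```

To use it on a real test login, capture the SAML response with a browser SAML tracing extension, base64-decode it, and pass the Assertion element to `extract_groups`. An empty result usually means the attribute name at the IdP does not match; an unmatched value means either a typo in the mapping table (for Entra, a display name entered where the Object ID belongs) or a filter that admits groups you never mapped. The script only reads the assertion; validating its signature is TerraTrue's job as the service provider, so nothing here should be taken as proof the assertion is genuine.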