Authentication Settings and SSO Enablement
Overview
TerraTrue’s Authentication settings allow admins to manage how users authenticate with TerraTrue: using SSO, enabling password logins, and handling Just-In-Time (JIT) user provisioning, including users from subdomains. These controls empower you to customize and secure your organization's access to TerraTrue according to your needs.
Authentication Methods
To view your authentication method, go to Org Settings > Authentication > Authentication Settings. There are 3 enablement options available through TerraTrue.
1. SSO Disabled
SSO is disabled for your organization by default. When SSO is disabled, Google Auth is available for your end users to log in. When SSO is disabled, you may also:
- Enable/Disable Password Login
  - If password login is not enabled, users can log in only through Google Auth. Please ensure that users can sign in with Google Auth before disabling password login to avoid access issues.
  - Note: Password login is not the safest authentication method and is only recommended to be enabled during authentication setup.
- Enable/Disable Just-In-Time (JIT) User Provisioning
  - You may automatically provision non-TerraTrue users who authenticate via Google Auth with the "Everyone" permission in Org Settings > Identity & Access Management.
  - Only users with email domains matching the organization’s domain are auto-provisioned.
  - You can also allow users from subdomains by enabling subdomain users once JIT user provisioning is enabled.
  - If JIT user provisioning is not enabled, only users who are provisioned in TerraTrue, whether manually or via SCIM, will be able to log in.
2. SSO Optional
SSO Optional allows end users to sign in with SSO AND Google Authentication. When SSO is optional, you may also:
- Enable/Disable Password Login
  - If password login is not enabled, users can log in only through Google Auth or SSO. Please ensure that users can sign in with Google Auth or SSO before disabling password login to avoid access issues.
  - Note: Password login is not the safest authentication method and is only recommended to be enabled during authentication setup.
- Enable/Disable Just-In-Time (JIT) User Provisioning
  - You may automatically provision non-TerraTrue users who authenticate via Google Auth or SSO with the "Everyone" permission in Org Settings > Identity & Access Management.
  - Only users with email domains matching the organization’s domain are auto-provisioned.
  - You can also allow users from subdomains by enabling subdomain users once JIT user provisioning is enabled.
  - If JIT user provisioning is not enabled, only users who are provisioned in TerraTrue, whether manually or via SCIM, will be able to log in.
Note: SSO Optional is the first step to enable SSO for your organization, since users will still have other sign-in methods such as Google Auth and password login, reducing the chance of user lockout (see SSO configuration below).
3. SSO Required
SSO Required allows end users to sign in only with SSO and does not provide any other sign-in methods. When SSO is required, you may also:
- Enable/Disable Just-In-Time (JIT) User Provisioning
  - You may automatically provision non-TerraTrue users who authenticate via SSO with the "Everyone" permission in Org Settings > Identity & Access Management.
  - Only users with email domains matching the organization’s domain are auto-provisioned.
  - You can also allow users from subdomains by enabling subdomain users once JIT user provisioning is enabled.
  - If JIT user provisioning is not enabled, only users who are provisioned in TerraTrue, whether manually or via SCIM, will be able to log in.
Note: Since SSO Required restricts login to the customer’s Identity Provider only, you must ensure successful SSO Optional enablement before switching SSO to required (see SSO configuration below).
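The JIT provisioning rules listed under each of the three authentication methods can be previewed against a list of addresses before you change the setting. The sketch below is an added illustration, not TerraTrue's code: the function names, the `example.com` organization domain and the sample addresses are all assumptions, and it models only the rules stated on this page (provisioned users log in, matching-domain users are auto-provisioned when JIT is on, subdomains count only when subdomain users are enabled).

```python
# Added illustration: models the JIT provisioning rules described on this page.
# Function names and the sample directory are hypothetical, not TerraTrue's code.

def email_domain(email):
    """Return the lower-cased domain of an address, or None if malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or "@" in local or not domain:
        return None
    return domain.lower().rstrip(".")

def domain_matches(domain, org_domain, allow_subdomains):
    """Exact match, or a true subdomain (label boundary) when allowed."""
    org = org_domain.lower().rstrip(".")
    if domain == org:
        return True
    # Require the "." boundary so "notexample.com" never matches "example.com".
    return allow_subdomains and domain.endswith("." + org)

def login_outcome(email, provisioned, org_domain, jit_enabled, allow_subdomains=False):
    """Return 'login', 'provision' (JIT, "Everyone" permission) or 'deny'."""
    if email.lower() in provisioned:
        return "login"  # already provisioned manually or via SCIM
    domain = email_domain(email)
    if domain is None or not jit_enabled:
        return "deny"
    # Subdomain users only apply once JIT provisioning itself is enabled.
    if domain_matches(domain, org_domain, allow_subdomains):
        return "provision"
    return "deny"

def preview(emails, provisioned, org_domain, jit_enabled, allow_subdomains=False):
    """Map each address to its outcome, to review before changing settings."""
    return {e: login_outcome(e, provisioned, org_domain, jit_enabled, allow_subdomains)
            for e in emails}

# Constructed sample data (example.com is a placeholder organization domain).
PROVISIONED = {"alice@example.com"}
CANDIDATES = [
    "alice@example.com",           # existing user
    "bob@example.com",             # same domain, not yet provisioned
    "carol@eu.example.com",        # subdomain user
    "dave@notexample.com",         # look-alike suffix, different domain
    "erin@example.com.evil.test",  # org domain used as a prefix
]

if __name__ == "__main__":
    for addr, outcome in preview(CANDIDATES, PROVISIONED, "example.com", True, True).items():
        print(f"{outcome:10} {addr}")
```

Running the preview with subdomain users enabled and then disabled shows exactly which accounts the subdomain toggle would add to the "Everyone" permission group.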
First Time SSO Enablement & Configuration
- Prerequisites:
  - You must have admin privileges to your IdP and TerraTrue: enablement and configuration require admin permissions in TerraTrue as well as administrator access to your IdP to finish configuring TerraTrue SSO.
- Modify Authentication Method to Optional:
  - To modify your authentication method to SSO, go to Org Settings > Authentication > Authentication Settings Enablement tab and click the “Modify” button on the Authentication Method card. On the modify authentication enablement page, select SSO Optional.
  - To load your IdP SSO metadata, copy and paste your IdP SSO metadata into the Metadata URL field and click the "Load Metadata" button.
  - Check the values fetched from the metadata and then click “Save Changes”.
  - You must set up SSO as optional before switching SSO to required to reduce the chance of locking out a user’s access to TerraTrue.
  - Click the “Modify” button on the Authentication Method card, copy the randomly generated Customer SSO ID value, and paste it into the TerraTrue app configuration on your Identity Provider.
- Optional – Change Authentication Method to Required:
  - Once you finish your SSO configuration, after a successful SSO login, you may modify your authentication method to SSO Required. To do this, go to Org Settings > Authentication > Authentication Settings Enablement tab and click the “Modify” button on the Authentication Method card. On the modify authentication enablement page, select SSO Required, then click “Save Changes”.
  - Please ensure that SSO is working by completing a successful login after enabling SSO as optional and before switching SSO enablement to required, so that you have alternative auth methods to mitigate the risk of locking out users’ access to TerraTrue.
  - To help validate and reduce the chance of end user lockout, TerraTrue will provide a list of the most recent successful SSO logins when you try to switch from optional to required SSO enablement.
  - If your users do get locked out, please reach out to hello@terratrue.com.
Add a New Identity Provider Certificate
When your SSO certificate is expiring, upload the new certificate, which you can obtain from your identity provider, as a PEM-encoded file for a seamless transition.
To update your SSO certificate, go to Org Settings > Authentication > Authentication Settings, click the “Modify” button on the Authentication Method card, scroll down to the SSO Auth Certificate section, click “Upload New Certificate”, and drag and drop or browse for a new certificate to upload.
- The system supports up to two certificates.
- If the limit is reached, the older certificate will be overwritten.
- Admin users will receive weekly email notifications starting 60 days before a certificate's expiration. Daily reminders will be sent in the last 7 days.
Audit Authentication Settings Changes
View the history of updates to authentication settings, including session durations, user group mapping, and provisioning methods in Org Settings > Authentication > Authentication History.
Update SSO Configuration
Migrate to a new Identity Provider
If you are migrating to a new Identity Provider, please follow these steps to update your SSO configuration:
- Go to Org Settings > Authentication > Authentication Settings Enablement tab and click the “Modify” button on the Authentication Method card.
- If your SSO is currently set to "Required", update it to Optional and click the "Save" button.
  - Note: If you are not able to log in with Google Auth, we recommend enabling Password Login so that you have an alternative auth method and do not lock yourself out if there is any issue with the new SSO configuration.
- To load the SSO metadata for your new IdP, copy and paste your IdP SSO metadata into the Metadata URL field and click the "Load Metadata" button.
- Check the values fetched from the metadata and then click “Save Changes”.
- Click the “Modify” button on the Authentication Method card, copy the randomly generated Customer SSO ID value, and paste it into the TerraTrue app configuration on your Identity Provider.
Update existing SSO configuration
Reach out to hello@terratrue.com if you’d like to update any existing SSO configuration for your IdP.