How to set up the SSO (Single Sign On) authentication

Updated today

If you want to set up an Azure SSO, please check out this article instead.

Overview

Teramind allows you to authenticate to the Teramind Dashboard using external identity providers integrated via the SAML 2.0 protocol.

We have provided instructions to set up SSO with some of the most popular identity providers below. Instructions for other providers are similar.

Note that a newly generated user will still need to set their password in order to make further changes or to log in when using the Teramind Revealed Agent.

If you change your hostname to a Fully Qualified Domain Name (FQDN) after you have configured the SSO, users might still be redirected to the old host/IP address. To fix that, log in from your new host address. The SSO settings will be updated automatically. Save the settings to prevent future redirects. For more information, check out this article.

OneLogin

Step 1: Collect the Authentication settings from the Teramind Dashboard

First, you will need to collect two parameters from your Teramind Dashboard:

1.1 Log in to your Teramind Dashboard.

1.2 Go to the Configurations > Settings > Authentication tab:

1.3 Turn on the Enable SSO option under the Single Sign-On (SSO) section. This will show additional options.

1.4 Copy the information from the Teramind callback URL and Teramind entity ID fields. You will need them to set up the OneLogin configuration in the next step.

Step 2: Create an Application and specify the Configuration settings

2.1 Log in to your OneLogin dashboard.

2.2 Click Administration from the top menu if you are not on the admin page already.

2.3 Go to Applications.

2.4 Click the Add App button near the top-right corner.

2.5 Type saml test in the search bar and press Enter. This will show a list of available apps. Select the SAML Test Connector (Advanced) from the list.

2.6 Give your connector a Display Name, for example, ‘Teramind Dashboard’. You can also upload icons, add descriptions, etc. from this page. Click the Save button when done:

2.7 Go to the Configuration tab and fill out the settings according to the table below:

| Field Name | Value |
| --- | --- |
| Audience (EntityID) | Teramind entity ID value you captured in Step 1.4. |
| Recipient | Teramind callback URL value you captured in Step 1.4. |
| ACS (Consumer) URL | Teramind callback URL value you captured in Step 1.4. |
| Login URL | Teramind callback URL value you captured in Step 1.4. |
| SAML initiator | Select Service Provider from the drop-down list. |
| SAML nameID format | Select Email from the drop-down list. |
| SAML issue type | Select Specific from the drop-down list. |

2.8 Click the Save button when done.

Step 3: Specify the Parameters settings

3.1 Click the Parameter tab and press the small ‘+’ button (this will open an Edit Field window).

3.2 On the Edit Field window, in the Name field, type: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress and press Enter. A Value option will appear. Select Email from the Value pull-down list.

Turn the Include in SAML assertion flag on.

Click the Save button to save the field:

Make sure you turn on the Include in SAML assertion flag on the Edit Field window. Otherwise you will get an authentication error.

3.3 Repeat steps 3.1-3.2 and add two more fields as follows:

| Name | Value |
| --- | --- |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | First Name |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | Last Name |

3.4 Once you have added all three fields, your screen should look like this:

Step 4: Collect the SSO settings

4.1 Click the SSO tab.

4.2 Under the X.509 Certificate box, click View Details (you can right-click the link and open it in a new browser tab to avoid closing the SSO page):

4.3 From the Certificates page, click the Copy to Clipboard icon located at the top-right corner of the X.509 Certificate box. Paste the text in Notepad or keep it somewhere safe. You will need it in Step 5.

4.4 From the SSO page, copy the Issuer URL and SAML 2.0 Endpoint (HTTP) field values or write them down (you will need them in Step 5):

Step 5: Specify the Identity Provider settings on the Teramind dashboard

5.1 Go back to your Teramind dashboard’s Security page (Gear > Settings > Security tab). Scroll down to the Single Sign On Authentication section:

5.2 Fill out the three required settings according to the table below. You can also use the optional settings to fine-tune the configurations:

| Field Name | Required? | Value |
| --- | --- | --- |
| Identity provider authentication ID | YES | Issuer URL value you captured in Step 4.4. |
| Identity provider authentication URL | YES | SAML 2.0 Endpoint (HTTP) value you captured in Step 4.4. |
| Identity provider certificate | YES | The X.509 certificate value you copied in Step 4.3. |
| Sign authorization request | Optional | Enable signature for SSO authentication requests and metadata. |
| Want assertions signed | Optional | Indicates a requirement for the saml:Assertion elements received by this service provider to be signed. (This is an optional digital signature requirement; Teramind always checks the full saml:Response signature.) |
| Auto register new agents | Optional | If this option is enabled and no agent is found with the identity provider email, a new agent can be created on login. Once you enable this option, you will set the default options for newly created agents, such as whether the new agent/user will be able to play back their history, view activity reports, etc. |

5.4 Click the Save changes button when done.

Okta

Step 1: Collect the Authentication settings from the Teramind Dashboard

First, you will need to collect two parameters from your Teramind Dashboard:

1.1 Log in to your Teramind Dashboard.

1.2 Go to the Configurations > Settings > Authentication tab:

1.3 Turn on the Enable SSO option under the Single Sign-On (SSO) section. This will show additional options.

1.4 Copy the information from the Teramind callback URL and Teramind entity ID fields. You will need them to set up the Okta configuration in the next step.

Step 2: Create an Application

2.1 Log in to your Okta dashboard.

2.2 Click Admin from the top menu if you are not on the admin page already:

2.3 Click the Applications main menu and select Applications from the drop-down menu:

2.4 From the Applications screen, click the Add Applications button:

2.5 From the Add Application screen, click the Create New App button:

2.6 From the Create a New Application Integration pop-up window, select Web for the Platform and SAML 2.0 for the Sign on method options, then click the Create button:

Step 3: Create a SAML integration – General Settings

3.1 On the first tab, General Settings, enter an App Name, for example, ‘Teramind Dashboard’. You can also upload a logo, configure visibility, etc. from this page. Click the Next button when done:

Step 4: Create a SAML integration – Configure SAML

4.1 On the second tab, Configure SAML, you will see several GENERAL options. Configure them according to the table below:

| Field Name | Value |
| --- | --- |
| Single sign on URL | Teramind callback URL value you captured in Step 1.4. Also make sure the Use this for Recipient URL and Destination URL option is checked. |
| Audience URI (SP Entity ID) | Teramind entity ID value you captured in Step 1.4. |
| Name ID format | Select EmailAddress from the drop-down list. |
| Application username | Select Email from the drop-down list. |
| Update application username on | Select Create and update from the drop-down list. |

4.2 On the same screen, near the middle, you will see several ATTRIBUTE ELEMENTS options. Use the Add Another button to add three attributes and configure them according to the table below. Click the Next button when done:

| Name | Name format | Value |
| --- | --- | --- |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | Basic | user.email |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | Basic | user.firstName |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | Basic | user.lastName |

Step 5: Create a SAML integration – Feedback

5.1 On the last tab, Feedback, select I'm an Okta customer adding an internal app for the Are you a customer or partner? option, and select This is an internal app that we have created for the App type option. Click the Finish button when done:

Step 6: Collect the SSO settings

6.1 Once you finish the previous step, you will be taken to the Sign On tab automatically. If not, click the tab to select it. On this screen, you will see a warning message, ‘SAML 2.0 is not configured until you complete the setup instructions.’ and a View Setup Instructions button under the warning. Click the button:

6.2 Once you finish the previous step, you will be taken to a new page. Copy the first three values: 1. Identity Provider Single Sign-On URL, 2. Identity Provider Issuer and 3. X.509 Certificate. You will need them in Step 7 later:

Step 7: Specify the Identity Provider settings on the Teramind dashboard

7.1 Go back to your Teramind dashboard.

7.2 Fill out the three required settings according to the table below. You can also use the optional settings to fine-tune the configurations:

| Field Name | Required? | Value |
| --- | --- | --- |
| Identity provider authentication ID | YES | Identity Provider Issuer value you captured in Step 6.2. |
| Identity provider authentication URL | YES | Identity Provider Single Sign-On URL value you captured in Step 6.2. |
| Identity provider certificate | YES | The X.509 certificate value you copied in Step 6.2. |
| Sign authorization request | Optional | Enable signature for SSO authentication requests and metadata. |
| Want assertions signed | Optional | Indicates a requirement for the saml:Assertion elements received by this service provider to be signed. (This is an optional digital signature requirement; Teramind always checks the full saml:Response signature.) |
| Auto register new agents | Optional | If this option is enabled and no agent is found with the identity provider email, a new agent can be created on login. Once you enable this option, you will set the default options for newly created agents, such as whether the new agent/user will be able to play back their history, view activity reports, etc. |

7.4 Click the Save changes button when done.
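
Added example (not Teramind, OneLogin or Okta code): a Python check that a decoded SAML Response captured from your own test login carries what both procedures above configure, that is, the callback URL as Destination and Recipient, the entity ID as Audience, the emailAddress NameID format and the three claim attributes. It is a configuration check only and does not verify signatures; the function names, the sample Response and the two example URLs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED = [CLAIMS + n for n in ("emailaddress", "givenname", "surname")]
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def check_response(xml_text, entity_id, callback_url):
    """List mismatches between a decoded SAML Response and this guide's
    settings. Configuration check only: signatures are NOT verified."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != callback_url:
        problems.append("Destination does not match the callback URL")
    if root.findtext(".//saml:Audience", "", NS).strip() != entity_id:
        problems.append("Audience does not match the entity ID")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != callback_url:
        problems.append("Recipient does not match the callback URL")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not emailAddress")
    present = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)
               if a.findtext("saml:AttributeValue", "", NS).strip()}
    problems += ["missing attribute " + n for n in REQUIRED if n not in present]
    return problems

def sample_response(attr_names, entity_id, callback_url):
    """Build a constructed, unsigned Response (sample data for the demo)."""
    attrs = "".join(
        f'<saml:Attribute Name="{CLAIMS}{n}"><saml:AttributeValue>sample'
        f'</saml:AttributeValue></saml:Attribute>' for n in attr_names)
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
        f' Destination="{callback_url}"><saml:Assertion><saml:Subject>'
        f'<saml:NameID Format="{EMAIL_FORMAT}">user@example.test</saml:NameID>'
        f'<saml:SubjectConfirmation><saml:SubjectConfirmationData'
        f' Recipient="{callback_url}"/></saml:SubjectConfirmation></saml:Subject>'
        f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{entity_id}'
        f'</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
        f'<saml:AttributeStatement>{attrs}</saml:AttributeStatement>'
        f'</saml:Assertion></samlp:Response>')

if __name__ == "__main__":
    # Placeholders; the real values are the two fields copied in Step 1.4.
    ENTITY, ACS = "https://sp.example.test/entity", "https://sp.example.test/callback"
    doc = sample_response(["emailaddress", "givenname"], ENTITY, ACS)
    print(check_response(doc, ENTITY, ACS))  # surname was left out of the sample
```

An empty list means the Response matches the settings in this guide; a missing attribute usually points to a parameter that was not added or not included in the assertion.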
