If you want to set up an Azure SSO, please check out this article instead.
Overview
Teramind allows you to authenticate to the Teramind Dashboard using external identity providers integrated via SAML 2.0 protocol.
We have provided instructions below to set up SSO with some of the most popular identity providers. Instructions for other providers are similar.
Note that a newly generated user will still need to set their password in order to make further changes or to log in when using the Teramind Revealed Agent.
Notes for On-Premises/Private Cloud Deployments
If you change your hostname to a Fully Qualified Domain Name (FQDN) after you have configured the SSO, users might still be redirected to the old host/IP address. To fix that, log in from your new host address. The SSO settings will be updated automatically. Save the settings to prevent future redirects. For more information, check out this article.
Okta
Step 1: Collect Authentication Settings from Teramind
1. Log in to your Teramind Dashboard.
2. Navigate to Configurations > Settings > Authentication:
3. Locate the Single Sign-On (SSO) section and turn on the Enable SSO option. Turning this on will reveal two fields: Teramind callback URL and Teramind entity ID. Keep this tab open or copy these values for use in Step 4-11.
Step 2: Create App Integration in Okta
4. Log in to your Okta dashboard. Click the Admin button located near the top-right side of the screen. You will be taken to the Admin Console (you might need to sign in again with Okta 2FA).
5. From the sidebar menu, select Applications > Applications.
6. Click the Create App Integration button. A Create a new app integration window will pop up:
7. From the pop-up window, select SAML 2.0.
8. Click the Next button to proceed to the next step.
Step 3: Create SAML Integration – General Settings
9. On the General Settings tab, provide an App name (e.g., "Teramind Dashboard"). You may also upload a logo or adjust the app's visibility here.
10. Click the Next button to proceed to the next step.
Step 4: Create SAML Integration – Configure SAML
11. On the Configure SAML tab, fill out the General section with the values in the table below:
Field Name | Value |
Single sign on URL | Teramind callback URL value you captured in Step 1-3. Also make sure the Use this for Recipient URL and Destination URL option is checked. |
Audience URI (SP Entity ID) | Teramind entity ID value you captured in Step 1-3. |
Name ID format | Select EmailAddress from the drop-down list. |
Application username | Select Email from the drop-down list. |
Update application username on | Select Create and update from the drop-down list. |
12. In the Attribute Statements section, click Add Another to create the following three attributes:
Name | Name format | Value |
| Basic | user.email |
| Basic | user.firstName |
| Basic | user.lastName |
13. Click the Next button to proceed to the next step.
Step 5: Create SAML Integration – Feedback
14. On the Feedback tab, select the option: This is an internal app that we have created.
15. Click Finish. You will be redirected to the newly created “Teramind Dashboard” application page.
Step 6: Collect Sign On Metadata
16. Navigate to the Sign On tab (this often opens automatically) and click More details under Metadata details to reveal all the metadata:
17. Collect the following values (you will need them for Step 7-19):
a. Sign on URL: Use the Copy button to copy the value.
b. Issuer: Use the Copy button to copy the value.
c. Signing Certificate: Use the Download button to download the certificate. Open the file in a text editor and copy the certificate value*.
*You must Download the certificate and then copy its value. Copying it from Okta only captures the certificate hash, which lacks the necessary header and footer required by Teramind.
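The check below is an added example, not part of the original article or of Teramind's or Okta's tooling. It classifies a value before it is pasted into the Identity provider certificate field: a framed PEM certificate, a bare base64 body missing the header and footer, or a hash/fingerprint. It checks framing and outer DER structure only and does not validate the certificate itself; the function names and the sample bytes are constructed for illustration.

```python
import base64
import binascii
import hashlib
import re

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed stand-in: a DER SEQUENCE of 256 zero bytes, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_BARE = base64.b64encode(SAMPLE_DER).decode()            # body only, no framing
SAMPLE_PEM = f"{PEM_HEADER}\n{base64.encodebytes(SAMPLE_DER).decode()}{PEM_FOOTER}\n"


def der_sequence_ok(der: bytes) -> bool:
    """True if der is a single DER SEQUENCE whose declared length matches exactly."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                                  # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                                  # long form: n length bytes follow
    if not 1 <= n <= 4 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def classify_certificate_field(text: str) -> dict:
    """Return kind ('pem', 'bare-base64', 'fingerprint', 'invalid'), a PEM and its SHA-256."""
    value = text.strip()
    result = {"kind": "invalid", "pem": None, "sha256": None}
    hexish = value.replace(":", "").replace(" ", "")
    if len(hexish) in (40, 64) and re.fullmatch(r"[0-9A-Fa-f]+", hexish):
        result["kind"] = "fingerprint"                 # a hash, not the certificate
        return result
    framed = value.startswith(PEM_HEADER) and value.endswith(PEM_FOOTER)
    body = value[len(PEM_HEADER):-len(PEM_FOOTER)] if framed else value
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except (binascii.Error, ValueError):
        return result
    if not der_sequence_ok(der):
        return result
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]   # PEM wraps at 64 columns
    result.update(kind="pem" if framed else "bare-base64",
                  pem="\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n",
                  sha256=hashlib.sha256(der).hexdigest())
    return result
```

The returned sha256 is the digest of the DER bytes, so it can be compared against a SHA-256 fingerprint obtained from the identity provider, where one is displayed.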
Step 7: Complete the Setup in Teramind Dashboard
18. Return to your Teramind Dashboard and fill in the required fields in the Authentication tab using the data from Step 17. You can also use the optional settings to fine-tune the configurations:
Field Name | Required? | Value |
Identity provider authentication ID | YES | The Issuer value you captured in Step 6-17b. |
Identity provider authentication URL | YES | The Sign On URL value you captured in Step 6-17a. |
Identity provider certificate | YES | The Signing Certificate value you captured in Step 6-17c. |
Sign authorization request | Optional | Enable signature for SSO authentication requests and metadata. Enabled by default. |
Want assertions signed | Optional | Requires signed SAML assertions. Disabled by default.
This indicates a requirement for the |
19. Optionally, you can enable the Auto register new agents option. This option automatically provisions new user accounts when an unrecognized email logs in via SSO. You can then configure default settings for these new users, such as their ability to view historical playback and activity reports, and/or if they will be granted access to the Teramind Dashboard. These options are similar to the ones available on the Account tab of an employee's profile.
20. Click the Save changes button when done.
Step 8: Additional Requirements
For users to successfully log in, ensure the following configurations are also met:
Presence of Employee and Dashboard Access
You will need to add the employee and enable the User can login to Teramind Dashboard option from their profile’s Account tab unless you have enabled the Auto register new agents and the Can login to Teramind Dashboard options in Step 7-19.
Presence of User in Okta Directory
Ensure the user exists in Okta. You can add users through the Okta Admin Console by navigating to the Directory > People screen. For specific instructions, please refer to the Okta documentation.
Application Assignment
You will need to assign the user to your Teramind application from the Okta Admin Console. This is typically managed through the application's Assignments tab. For specific instructions, please refer to the Okta documentation.
OneLogin
Step 1: Collect Authentication Settings from Teramind
1. Log in to your Teramind Dashboard.
2. Navigate to Configurations > Settings > Authentication:
3. Locate the Single Sign-On (SSO) section and turn on the Enable SSO option. Turning this on will reveal two fields: Teramind callback URL and Teramind entity ID. Keep this tab open or copy these values for use in Step 4-10.
Step 2: Create Application in OneLogin
4. Log in to your OneLogin admin dashboard and navigate to Applications > Applications from the top menu.
5. Click the Add App button located near the top-right corner of the screen.
6. Type "saml custom" in the search bar to filter the list of available apps.
7. Select the SAML Custom Connector (Advanced) from the results.
8. Enter a Display Name (e.g., "Teramind Dashboard"). You may also upload icons or add a description for the application.
9. Click the Save button.
Step 3: SAML Custom Connector - Configuration
10. Select the Configuration tab from the left panel and enter the following settings:
Field Name | Value |
Audience (EntityID) | Teramind entity ID value you captured in Step 1-3. |
Recipient | Teramind callback URL value you captured in Step 1-3. |
ACS (Consumer) URL | Teramind callback URL value you captured in Step 1-3. |
Login URL | Teramind callback URL value you captured in Step 1-3. |
SAML initiator | Select Service Provider from the dropdown list. |
SAML nameID format | Select Email from the dropdown list. |
SAML issue type | Select Specific from the dropdown list. |
11. Click the Save button.
Step 4: SAML Custom Connector - Parameters
12. Select the Parameter tab from the left panel.
13. Click the + (plus) button next to the Value column. This will open a pop-up window:
14. In the Name field, type the following and press Enter:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
15. Select “Email” from the Value dropdown list. Note: you will have to press Enter after typing in the Name field. Otherwise, you will not see the Value field.
16. Turn on the Include in SAML assertion flag.
17. Click the Save button.
18. Repeat Step 4-13 to Step 4-17 and add two more fields as follows:
Name | Value |
| First Name |
| Last Name |
Once you have added all three fields, your screen should look like this:
19. Click the Save button to save the fields.
Step 5: SAML Custom Connector – SSO
20. Click the SSO tab. Use the Copy icon to collect the following values (you will need them in Step 6-23):
a. Issuer URL
b. SAML 2.0 Endpoint (HTTP)
21. Under the X.509 Certificate box, click View Details. It will take you to the certificates page. Tip: Right-click the link and open it in a new tab to avoid closing the SSO page.
22. On the Certificates page, click the Copy icon to collect the X.509 Certificate value. You will need it in Step 6-23.
Step 6: Complete the Setup in Teramind Dashboard
23. Return to your Teramind Dashboard and fill in the required fields in the Authentication tab using the data from Step 5. You can also use the optional settings to fine-tune the configurations:
Field Name | Required? | Value |
Identity provider authentication ID | YES | The Issuer URL value you captured in Step 5-20a. |
Identity provider authentication URL | YES | The SAML 2.0 Endpoint (HTTP) value you captured in Step 5-20b. |
Identity provider certificate | YES | The X.509 Certificate value you captured in Step 5-22. |
Sign authorization request | Optional | Enable signature for SSO authentication requests and metadata. Enabled by default. |
Want assertions signed | Optional | Requires signed SAML assertions. Disabled by default.
This indicates a requirement for the |
24. Optionally, you can enable the Auto register new agents option. This option automatically provisions new user accounts when an unrecognized email logs in via SSO. You can then configure default settings for these new users, such as their ability to view historical playback and activity reports, and/or if they will be granted access to the Teramind Dashboard. These options are similar to the ones available on the Account tab of an employee's profile.
25. Click the Save changes button when done.
Additional Requirements
For users to successfully log in, ensure the following configurations are also met:
Presence of Employee and Dashboard Access
You will need to add the employee and enable the User can login to Teramind Dashboard option from their profile’s Account tab unless you have enabled the Auto register new agents and the Can login to Teramind Dashboard options in Step 6-24.
Presence of User in OneLogin
Ensure the user exists in OneLogin. You can add users through the OneLogin dashboard by navigating to the Users > Users screen. For specific instructions, please refer to the OneLogin documentation.
Application Assignment
You will need to assign the user to your Teramind application from the OneLogin dashboard. Go to the Users screen, select the specific user, and open the Applications tab. From there, click the + (plus) button to add the application. For further details, please consult the OneLogin documentation.
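The following added example (not from the original article, Teramind, Okta or OneLogin) compares a decoded SAML Response from a test login with the values entered in the Okta Step 4 table and the OneLogin Step 3 and Step 4 settings, and reports whether a Signature element sits on the Response, the Assertion, or both, which is what the Want assertions signed option depends on. The callback URL, entity ID, function name and sample XML are constructed placeholders; signature presence is reported, not cryptographically verified.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
# Constructed placeholders; use the values shown in your own Teramind SSO section.
CALLBACK = "https://teramind.example.invalid/callback"
ENTITY_ID = "https://teramind.example.invalid/entity"

# Constructed, trimmed sample: only the Response carries a Signature element.
SAMPLE = f"""<p:Response xmlns:p="{NS['p']}" xmlns:a="{NS['a']}" xmlns:ds="{NS['ds']}"
  Destination="{CALLBACK}"><ds:Signature/>
 <a:Assertion><a:Subject><a:NameID Format="{EMAIL_FORMAT}">user@example.invalid</a:NameID>
   <a:SubjectConfirmation><a:SubjectConfirmationData Recipient="{CALLBACK}"/>
   </a:SubjectConfirmation></a:Subject>
  <a:Conditions><a:AudienceRestriction><a:Audience>{ENTITY_ID}</a:Audience>
  </a:AudienceRestriction></a:Conditions>
  <a:AttributeStatement><a:Attribute Name="{EMAIL_CLAIM}"/></a:AttributeStatement>
 </a:Assertion></p:Response>"""


def audit_saml_response(xml_text, callback_url, entity_id, required_attrs):
    """Compare a decoded SAML Response with the values configured in the IdP tables."""
    root = ET.fromstring(xml_text)
    assertion = root.find("a:Assertion", NS)
    if assertion is None:                      # e.g. the IdP sent an EncryptedAssertion
        return {"mismatches": ["no plaintext Assertion"],
                "response_signed": False, "assertion_signed": False}

    def attr(path, name):
        node = assertion.find(path, NS)
        return node.get(name) if node is not None else None

    observed = {
        "Destination": (root.get("Destination"), callback_url),
        "Recipient": (attr(".//a:SubjectConfirmationData", "Recipient"), callback_url),
        "Audience": (assertion.findtext(".//a:Audience", None, NS), entity_id),
        "NameID Format": (attr(".//a:NameID", "Format"), EMAIL_FORMAT),
    }
    mismatches = [f"{k}: got {got!r}, expected {want!r}"
                  for k, (got, want) in observed.items() if got != want]
    names = {a.get("Name") for a in assertion.iterfind(".//a:Attribute", NS)}
    mismatches += [f"missing attribute {n}" for n in required_attrs if n not in names]
    return {"mismatches": mismatches,
            "response_signed": root.find("ds:Signature", NS) is not None,
            "assertion_signed": assertion.find("ds:Signature", NS) is not None}
```

A Destination or Recipient mismatch against the current callback URL is also what the stale-hostname case in the on-premises note produces.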


























