SSO (Single Sign On) Configuration
Updated: April 26, 2024 06:35

Important - This setup guide is intended for IT system administrators. While we can help you set up SSO to work with our platform, we can't provide support for the configuration of your SAML identity provider.

The Messaging Hub provides Single Sign-On (SSO) functionality for enterprise customers, allowing authorised users to access the web application via a single identity without the need for separate logins and passwords. This allows IT administrators to better manage team access and keeps information more secure.

In this article:
- How to configure Single Sign On (SSO) with your Identity Provider
- How to configure the Messaging Hub to use Single Sign On (SSO)
- Frequently Asked Questions (FAQs)

Before you get started...

You will need to meet certain criteria before you can configure SSO:
- An identity provider that supports the SAML 2.0 standard. We offer support for the following providers:
  - Microsoft Azure AD (Active Directory)
  - Okta
- Access/permissions to configure applications within your identity provider
- User credentials with admin-level access to the parent account on the Messaging Hub

Note - Enabling SSO on a parent account will automatically affect all associated sub-accounts. To mitigate any login issues, please ensure all user emails are correct, and the relevant email domains are included during SSO configuration.

Configuring your SSO Identity Provider

We use SAML 2.0 (Security Assertion Markup Language), a standard that lets an Identity Provider (IdP) securely pass a user's authentication and authorisation details to service providers like our Messaging Hub.

1. The first step is to create a new SAML application with your IdP:
   - For Microsoft Azure AD, follow this guide
   - For Okta, follow this guide

2. Configure the application using the following settings:

For Microsoft Azure AD

Setting                                       Value
Audience URI (SP Entity ID)                   https://messaging.tpgtelecom.com.au
Single sign on URL                            https://messaging.tpgtelecom.com.au/login/sso
Assertion Consumer Service URL (Reply URL)    https://api.messagemedia.com/v2/iam/sso/acs

Claim
Claim Name                           Type    Value
Unique User Identifier (Name ID)     SAML    user.userprincipalname

Additional Claims
Claim Name                                                            Type    Value
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress    SAML    user.mail
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname       SAML    user.givenname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name            SAML    user.userprincipalname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname         SAML    user.surname

For Okta

Setting                                                            Value
Single sign on URL (Assertion Consumer Service URL / Reply URL)    https://api.messagemedia.com/v2/iam/sso/acs
Audience URI (SP Entity ID)                                        https://messaging.tpgtelecom.com.au

Okta Attributes
Name                                                                  Name Format      Value
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress    URI Reference    user.email
http://schemas.microsoft.com/claims/authnmethodsreferences            URI Reference    session.amr
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname       URI Reference    user.firstName
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname         URI Reference    user.lastName

3. Configure a logo (Optional)

4. Assign users or groups to the application

5. Copy or download the IdP XML metadata - you will need this when you enter the IdP XML under Configuring the Messaging Hub below.

Configuring the Messaging Hub

1. Log into the parent account in the Hub - remember, your user credentials will need admin-level access to proceed from here!

2. Once you're logged into the Hub, go to the menu and click on the icon, then select Account.

Note - if you can't see the Single Sign-on (SSO) option, don't sweat it... it hasn't moved, it just means that the feature isn't enabled on your account.
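Before assigning users to the SAML application, it is worth confirming that the test assertion your IdP emits actually carries the claims listed in the Azure AD and Okta tables under step 2 of Configuring your SSO Identity Provider. The script below is an added example (not code from the Messaging Hub or from Microsoft/Okta): it parses a SAML Response, pulls out the NameID, the attribute values and the Audience, and reports which of the expected claim names are missing or empty for the chosen provider. The sample Response is constructed to match the Azure AD claim mapping above; its IDs, issuer and user are placeholders, and the script does not verify the XML signature, which the Hub does when it consumes the real assertion.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by Response/Assertion documents.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Audience URI (SP Entity ID) from the configuration tables in the article.
SP_ENTITY_ID = "https://messaging.tpgtelecom.com.au"

# Attribute names the article's claim tables configure for each provider.
REQUIRED_CLAIMS = {
    "azure": {CLAIMS + "emailaddress", CLAIMS + "givenname",
              CLAIMS + "name", CLAIMS + "surname"},
    "okta": {CLAIMS + "emailaddress", CLAIMS + "givenname", CLAIMS + "surname",
             "http://schemas.microsoft.com/claims/authnmethodsreferences"},
}


def extract_claims(response_xml):
    """Return NameID, attribute values and audiences from a SAML Response.

    This only reads the document; it does not verify the XML signature.
    """
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response contains no saml:Assertion")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attributes = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    audiences = [(a.text or "").strip() for a in assertion.iterfind(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    return {"name_id": name_id, "attributes": attributes, "audiences": audiences}


def check_assertion(response_xml, provider):
    """List configuration problems for provider 'azure' or 'okta'."""
    claims = extract_claims(response_xml)
    problems = []
    if not (claims["name_id"] or "").strip():
        problems.append("missing NameID (Unique User Identifier)")
    if SP_ENTITY_ID not in claims["audiences"]:
        problems.append("Audience does not match SP Entity ID " + SP_ENTITY_ID)
    for name in sorted(REQUIRED_CLAIMS[provider]):
        # any() is False when the attribute is absent or every value is empty.
        if not any(claims["attributes"].get(name, [])):
            problems.append("missing or empty claim: " + name)
    return problems


# Constructed sample in the shape Azure AD emits for the claim mapping above.
# Not a real capture: IDs, tenant, and the user are placeholders.
SAMPLE_AZURE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_assert1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
    <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://messaging.tpgtelecom.com.au</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Same document with the surname claim left empty, which is what you get when
# the source attribute (user.surname) is unset for the test user.
SAMPLE_EMPTY_SURNAME = SAMPLE_AZURE.replace(
    "<saml:AttributeValue>Doe</saml:AttributeValue>",
    "<saml:AttributeValue></saml:AttributeValue>")

if __name__ == "__main__":
    for label, doc in (("azure / ok", SAMPLE_AZURE),
                       ("azure / empty surname", SAMPLE_EMPTY_SURNAME)):
        print(label + ":", check_assertion(doc, "azure") or "all expected claims present")
```

Running the Azure sample against the "okta" profile flags the missing authnmethodsreferences attribute, which is the quickest way to see that the two providers' tables are not interchangeable; swap in the base64-decoded SAMLResponse from your IdP's test-login feature to check a real configuration.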
If the SSO option is missing, just submit a support request and our team can help you out, then you can circle back here and finish the configuration.

3. Select the Security tab.

4. Configure the email domains that you want to enable for SSO. Email domains can only be used once per account hierarchy, so if you set an email domain at a sub-account level, you can't set the same email domain on another sub-account.

5. Use the dropdown arrow to select your Identity Provider (IdP), either Okta or Azure AD. If your IdP is not listed, you can submit a support request to chat more about extending SSO support to your IdP.

6. Enter the XML provided by your IdP in the field provided.

7. When someone logs into the Hub using SSO but doesn't already have a user profile, you can allow the Hub to automatically create a new user with the details provided by the IdP. Toggle this switch to On to enable it.

8. Use the dropdown arrow to set the default user role to be assigned to these newly created profiles.

9. Select the accounts and sub-accounts you want to allow these new users to have access to.

10. Toggling this switch to On means that any user logging in with credentials matching your nominated email domains will be forced to log into the Hub using SSO only.

FAQs

My organization uses an identity service provider (IdP) that's not in the list. Will it be supported?
Please contact the support team via the link at the bottom of the page with the details of which identity provider you would like to use.

Do you support on-premises Microsoft Active Directory?
No, we only support Azure Active Directory.

Do you support IdP-initiated SSO?
Unfortunately not at this stage. Users will need to re-enter their email address on the Log in with Single Sign On page.

Does enforcing SAML SSO log out users?
No, active user sessions stay logged in until they expire. The next time a user needs to log in, they will need to log in with SAML SSO.
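Steps 4, 6 and 10 of Configuring the Messaging Hub each have a failure mode that only shows up at the first SSO login: a domain claimed twice in the account hierarchy, IdP metadata pasted without its signing certificate (or with SP metadata pasted by mistake), and enforcement locking out a user whose email domain was not nominated. The script below is an added example, not code from the Messaging Hub, that checks those three things offline before you save the Security tab. The metadata document is constructed; idp.example.com, the entityID and the certificate blob are placeholders.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def inspect_idp_metadata(xml_text):
    """Summarise IdP metadata (step 6) and list problems that make it unusable."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD:
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")
    problems = []
    sso = {}
    for svc in idp.iterfind("md:SingleSignOnService", NS):
        sso[svc.get("Binding")] = svc.get("Location", "")
    if not (sso.get(HTTP_REDIRECT) or sso.get(HTTP_POST)):
        problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")
    for binding, location in sso.items():
        if not location.startswith("https://"):
            problems.append("SingleSignOnService for %s is not https: %r" % (binding, location))
    certs = []
    for kd in idp.iterfind("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means signing and encryption
            for c in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                text = "".join((c.text or "").split())  # drop PEM-style line wrapping
                if text:
                    certs.append(text)
    if not certs:
        problems.append("no signing certificate; the Hub cannot validate assertion signatures")
    for cert in certs:
        try:
            base64.b64decode(cert, validate=True)
        except binascii.Error:
            problems.append("X509Certificate is not valid base64 (copy/paste damage?)")
    return {"entity_id": root.get("entityID"), "sso": sso,
            "signing_certs": len(certs), "problems": problems}


def check_domain_assignments(assignments):
    """Step 4: a domain may be used once per hierarchy. assignments maps
    account name -> list of email domains; returns (domain, first, second)."""
    owner, conflicts = {}, []
    for account, domains in assignments.items():
        for domain in domains:
            key = domain.strip().lower().lstrip("@")
            if key in owner and owner[key] != account:
                conflicts.append((key, owner[key], account))
            owner.setdefault(key, account)
    return conflicts


def must_use_sso(email, enforced_domains):
    """Step 10: with the enforce switch On, only users whose email domain is
    nominated are forced to SSO; other users keep the normal login."""
    domain = email.rsplit("@", 1)[-1].lower()
    return domain in {d.strip().lower().lstrip("@") for d in enforced_domains}


# Constructed placeholder standing in for a real certificate (valid base64 only).
FAKE_CERT = base64.b64encode(b"placeholder, not a real X.509 certificate").decode()

SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/ENTITY-PLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CERT_PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""".replace("CERT_PLACEHOLDER", FAKE_CERT)

# The same metadata with the certificate dropped, a common paste mistake.
SAMPLE_NO_CERT = SAMPLE_METADATA.replace(FAKE_CERT, "")

if __name__ == "__main__":
    print(inspect_idp_metadata(SAMPLE_METADATA))
    print(inspect_idp_metadata(SAMPLE_NO_CERT)["problems"])
    print(check_domain_assignments({"Parent": ["example.com"],
                                    "Sub-A": ["Example.com", "sub-a.example.com"]}))
    print(must_use_sso("Jane.Doe@EXAMPLE.com", ["example.com"]))
```

The domain check normalises case and a leading "@" because those are the usual reasons a duplicate slips past a visual comparison; the enforcement helper is the rule to keep in mind before toggling step 10, since a user whose mailbox domain is not in the nominated list will not be redirected to the IdP at all.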
If you have further questions, please contact support@messaging.tpgtelecom.com.au