Implement SAML using Tesseral

This article explains how you can add SAML to your app using Tesseral.

1. Sign up for Tesseral

If you haven’t already, sign up for Tesseral at console.tesseral.com and follow the Quickstart Guide.

2. Enable SAML on your Project


Go to the Authentication page in the Tesseral Console and click on Configure Enterprise Settings. Then enable Log in with SAML.

3. Enable SAML for an Organization


By default, Organizations don’t have SAML enabled. You must enable SAML for an Organization in the Tesseral Console. (This is in service of letting you charge your customers for API access.)

To enable SAML for your customer, go to the Organizations page in the Tesseral Console. Go to the Organization’s Authentication tab, and enable Log in with SAML. You will also need to configure Allowed Domains: add the list of domains that your customer’s employees use for their emails. Only emails from these domains will be allowed to log in with SAML.

You will need to repeat this process for each Organization you want to enable SAML for. You can use the UpdateOrganization endpoint in the Tesseral Backend API to automate this process.

Advanced Configuration

Setting up SAML on your customer’s behalf


The SAML protocol requires configuration on your customer’s end. When you enable SAML for an Organization, your customer will be able to configure SAML themselves.

You can also configure SAML on your customer’s behalf. To do this, you will need three pieces of information from your customer:

  • An IDP Entity ID.
  • An IDP Redirect URL.
  • An IDP Certificate.

From there, you can go into an Organization’s Authentication tab in the Tesseral Console, and click on Create SAML Connection. Input the three pieces of information.

Your customer will need two pieces of information from you:

  • An Assertion Consumer Service (ACS) URL
  • An SP Entity ID

In the Tesseral Console, you can copy these values from the Service Provider Details section on your newly created SAML Connection. Your customer will need to enter these values into their Identity Provider.

Making SAML required for an Organization


Once SAML is enabled for an Organization, you can make it the only way to log in to that Organization.

Your customers can make SAML their only allowed login method, or you can enforce that yourself from the Tesseral Console.

To make SAML required for an Organization, go to the Organization’s Authentication tab in the Tesseral Console, and disable all login methods except Log in with SAML.