Configuring SAML single sign-on
Gives users access to Trelica via your identity provider (IdP), such as Google Workspace or Okta.
SAML-based Single Sign-On (SSO) gives users access to Trelica via your identity provider (IdP).
SAML-based SSO is ideal if you want everyone in your organization to be able to log in to Trelica and you do not want to create user accounts manually. When a new user attempts to log in to Trelica, a Trelica user account is created for them automatically, provided they have an account in your IdP. This is useful if you're using the App Hub to allow users to browse and get access to approved apps, or if you're using the browser extension to collect app usage data.
When SSO is enabled, users in your organization log in to Trelica using the identity provider interface familiar to them, instead of the Trelica login page. When a user tries to access Trelica, they are automatically redirected to your IdP's login page. After they have authenticated, they are redirected to Trelica. When users log in via SSO, authentication security is shifted to your IdP and coordinated with your other service providers.
Trelica supports SAML-based SSO for all IdPs. Instructions on setting up the most common ones are provided in the next sections.
SAML-based SSO should not be used in conjunction with user requests.
- Your company’s IdP must support the SAML 2.0 standard.
- You must have administrator access to your IdP.
Follow the specific steps for your IdP:
The first time that an individual logs in to Trelica using SAML-based SSO, a user account is created for them with the default user role: App Owner.
🧙🏽‍♂️ App owners can see all apps in the inventory, but they can only see financial information for the apps they own (if any). For more information about the permissions associated with each role, see Roles.
To change the default user role:
2. Under Single Sign-On, expand Default role.
3. From the dropdown list, select the role you want to assign to new users by default.
4. Click Apply changes. When someone without an existing account logs in to Trelica via SAML-based SSO, a user account is created for them with the new default role.
To change a user's role after they have been created, open the Users view, select the user and click Edit.
Edit option on the Users list.
When SAML-based SSO is enabled, new users must enrol in Trelica via your IdP. If you need to grant access to someone who does not have an account in your IdP, such as an external contractor or auditor, you will need to add them to Trelica manually and enable alternative login methods so that they can log in with an email address and password and/or SSO via OpenID Connect ("social login").
To enable alternative login options:
2. Under Single Sign-On, expand SAML options.
   - To allow users to log in with their email address and password, select Allow password login.
   - To allow users to log in with an existing Google or Microsoft account, select Allow OpenID Connect.
3. Click Apply changes.
When manually added users use the invitation link in the email notification, they are redirected to the Trelica login page with the relevant options enabled.
When alternative login options are enabled, users that have created an account via SAML-based SSO can enable these options from their profile page and use them to log in instead of using SAML-based SSO via your IdP.
SAML-based SSO is designed for auto-enrolling users to Trelica. If you want to prevent new users from creating accounts and gaining access, you can turn off automatic provisioning.
To turn off automatic provisioning:
2. Under Single Sign-On, expand SAML providers.
3. In the table of SAML providers, click the menu icon for the relevant provider and select Edit. The Edit SAML Identity Provider dialog is displayed.
4. Clear Automatically provision users.
5. Click Save. The SAML settings are updated.
Existing Trelica users will be able to log in via your IdP, but new users will not be able to create accounts in Trelica. To create new users, either re-enable automatic provisioning or add users manually.
Removing a user account from the IdP will revoke that user's access to Trelica, but will not remove the user account from Trelica. As part of your user offboarding process, we recommend that you delete the user account from Trelica as well. For more information, see Removing users.
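The offboarding point above combines with the alternative-login section: an account that was created via SAML but has since enabled password or OpenID Connect login keeps a working login after its IdP account is removed, until it is deleted in Trelica. The following reconciliation script is an added example, not Trelica's own code or API. It assumes you can export two lists, the e-mail addresses still active in your IdP and the Trelica users with the login methods each has enabled, and it takes an allowlist of accounts that were deliberately added outside the IdP (the contractor or auditor case). All sample data is constructed.

```python
"""Reconcile IdP membership against Trelica accounts during offboarding.

Hypothetical helper, not Trelica's own code or API. Inputs are assumed to be
exported by the administrator: the e-mail addresses still active in the IdP,
and the Trelica users with their enabled login methods ("saml" via the IdP,
"password", or "oidc"). The sample data below is constructed, not real.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TrelicaUser:
    email: str
    login_methods: frozenset  # subset of {"saml", "password", "oidc"}


ALTERNATIVE_LOGINS = frozenset({"password", "oidc"})

# Constructed sample exports (not real accounts).
IDP_ACTIVE_EMAILS = ["alice@example.com", "Bob@Example.com", "dana@example.com"]
TRELICA_USERS = [
    TrelicaUser("alice@example.com", frozenset({"saml"})),
    TrelicaUser("bob@example.com", frozenset({"saml", "password"})),
    TrelicaUser("carol@example.com", frozenset({"saml"})),             # left the IdP
    TrelicaUser("erin@example.com", frozenset({"saml", "password"})),  # left the IdP, password still on
    TrelicaUser("auditor@partner.example", frozenset({"oidc"})),       # never in the IdP (added manually)
]
# Accounts intentionally outside the IdP; they are reviewed separately, not flagged here.
KNOWN_EXTERNAL = {"auditor@partner.example"}


def orphaned_accounts(idp_emails, trelica_users, known_external=()):
    """Trelica accounts whose e-mail no longer exists in the IdP.

    Matching is case-insensitive on the full address; allowlisted external
    accounts are skipped because they were never expected to be in the IdP.
    """
    active = {e.strip().lower() for e in idp_emails}
    external = {e.strip().lower() for e in known_external}
    return [
        u for u in trelica_users
        if u.email.strip().lower() not in active
        and u.email.strip().lower() not in external
    ]


def split_by_residual_access(orphans):
    """Separate orphans that can still log in without the IdP from SAML-only ones.

    SAML-only orphans lose access once the IdP account is gone; accounts with
    password or OIDC login enabled keep a working login until deleted in Trelica.
    """
    still_reachable = [u for u in orphans if u.login_methods & ALTERNATIVE_LOGINS]
    saml_only = [u for u in orphans if not (u.login_methods & ALTERNATIVE_LOGINS)]
    return still_reachable, saml_only


def offboarding_report(idp_emails, trelica_users, known_external=()):
    """Return the e-mails to delete in Trelica, most urgent bucket first."""
    orphans = orphaned_accounts(idp_emails, trelica_users, known_external)
    reachable, saml_only = split_by_residual_access(orphans)
    return {
        "delete_now": sorted(u.email for u in reachable),          # still has a usable login
        "delete_for_hygiene": sorted(u.email for u in saml_only),  # blocked already, stale record
    }


if __name__ == "__main__":
    report = offboarding_report(IDP_ACTIVE_EMAILS, TRELICA_USERS, KNOWN_EXTERNAL)
    for bucket, emails in report.items():
        print(f"{bucket}: {', '.join(emails) or '-'}")
```

Run it against your own exports after each IdP deprovisioning batch; the "delete_now" bucket is the one that matters for access, while "delete_for_hygiene" is stale records that can no longer log in but still count as users in Trelica.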