Configuring SAML single sign-on

Gives users access to Trelica via your identity provider (IdP), such as Google Workspace or Okta.
This feature is included in the Enterprise plan
SAML-based Single Sign-On (SSO) gives users access to Trelica via your identity provider (IdP).
SAML-based SSO is ideal if you want everyone in your organization to be able to log in to Trelica and you do not want to create user accounts manually. When a new user attempts to log in to Trelica then - providing they have an account in your IdP - a Trelica user account is created for them automatically. This is useful if you're using the App Hub to allow users to browse and get access to approved apps, or if you're using the browser extension to collect app usage data.
When SSO is enabled, users in your organization log in to Trelica using the identity provider interface familiar to them, instead of the Trelica login page. When a user tries to access Trelica, they are automatically redirected to your IdP's login page. After they have authenticated, they are redirected to Trelica. When users log in via SSO, authentication security is shifted to your IdP and coordinated with your other service providers.‌
Trelica supports SAML-based SSO for all IdPs. Instructions on setting up the most common ones are provided in the next sections.
SAML-based SSO should not be used in conjunction with user requests.

Prerequisites for SSO with Trelica

  • Your company’s IdP must support the SAML 2.0 standard.
  • You must have administrator access to your IdP.

🔨 Setup for each IdP

Follow the specific steps for your IdP:

Changing the default user role

The first time that an individual logs in to Trelica using SAML-based SSO, a user account is created for them with the default user role: App Owner.
🧙🏽‍♂️ App owners can see all apps in the inventory, but they can only see financial information for the apps they own (if any). For more information about the permissions associated with each role, see Roles.
To change the default user role:
  1. 1.
    Navigate to Admin > Settings > Users to open the Users Settings page.
  2. 2.
    Under Single Sign-On expand Default role.
  3. 3.
    From the dropdown list select the role you want to assign to new users by default.
  4. 4.
    Click Apply changes. When someone without an existing account logs in to Trelica via SAML-based SSO, a user account is created for them with the new default role.
To change a user's role after they have been created, open the Users view, select the user and click Edit.
Edit option on the Users list.

Enabling other login options

When SAML-based SSO is enabled, new users must enrol to Trelica via your IdP. If you need to grant access to someone who does not have an account in your IdP, such as an external contractor or auditor, you will need to add them to Trelica manually and enable alternative login methods so that they can log in with an email address and password and/or SSO via OpenID Connect ("social login").
To enable alternative login options:
  1. 1.
    Navigate to Admin > Settings > Users to open the Users Settings page.
  2. 2.
    Under Single Sign-On expand SAML options.
    • To allow users to log in with their email address and password, select Allow password login.
    • To allow users to log in with an existing Google or Microsoft account, select Allow OpenID Connect.
  3. 3.
    Click Apply changes.
When manually-added users use the invitation link in the email notification, they are redirected to the Trelica login page with the relevant options enabled.
When alternative login options are enabled, users that have created an account via SAML-based SSO can enable these options from their profile page and use them to log in instead of using SAML-based SSO via your IdP.

Turning off automatic provisioning

SAML-based SSO is designed for auto-enrolling users to Trelica. If you want to prevent new users from creating accounts and gaining access, you can turn off automatic provisioning.
To turn off automatic provisioning:
  1. 1.
    Open the Users Settings page.
  2. 2.
    Under Single Sign-On expand SAML providers.
  3. 3.
    In the table of SAML providers, click the menu icon for the relevant provider and select Edit. The Edit SAML Identity Provider dialog is displayed.
  4. 4.
    Clear Automatically provision users.
  5. 5.
    Click Save. The SAML settings are updated.
Existing Trelica users will be able to log in via your IdP, but new users will not be able to create accounts in Trelica. To create new users, either re-enable automatic provisioning or add users manually.

Removing SAML users

Removing a user account from the IdP will revoke that user's access to Trelica, but will not remove the user account from Trelica. As part of your user offboarding process, we recommend that you delete the user account from Trelica as well. For more information, see Removing users.