Single Sign-On (SSO) is a login method that lets users access multiple apps or services with one set of credentials. Instead of signing in separately to each tool, a user can log in once through a trusted identity provider (such as Google, Microsoft, or Okta) - and is automatically authenticated across all their connected systems.
Tidio allows you to use SSO in your Tidio projects, and enforce this login method in your team of agents. This helps reduce password fatigue, simplify access management for the whole organization, and improve overall security.
In this article, you will learn:
- How SSO works in Tidio
- How to configure and enable SSO in your project
- How to enforce SSO in your team
How does SSO work in Tidio?
Once properly configured and enabled by the project owner, all the agents in the given project will see the option to log in through SSO. This functionality can also be quickly disabled by the project owner if necessary, and enabled back again anytime. Each Tidio project needs to have its SSO configured separately.
This login method will allow the agents access only to that one specific project, even if the agents are added to other projects (and even if SSO is enabled there as well). Agents using standard password authentication are not allowed to access the projects where SSO is enabled.
The project owner can also force SSO on the entire team of agents.
If using the same identity provider for multiple Tidio projects, every Tidio project should be added as a separate app on the provider's side.
Configuring and enabling SSO
To manage your SSO setup, go to Settings > Project > Single Sign-On (SSO):
Inside, you will find all the information available on (and necessary for) SSO in your Tidio project: the current status and your SAML (Security Assertion Markup Language) configuration.
Tidio SSO configuration
To make SSO available for your project, you need to fill out all the fields in this section.
Identity domain
This is the email domain your team uses to sign in. However, before the domain can be used, you will be prompted to add a specific DNS record to your domain's settings in order to prove ownership.
IdP entity ID
This is a unique identifier for your identity provider (IdP), sometimes called the 'issuer URL' or 'entity ID'.
SSO sign-in URL
This is the URL where your agents are redirected to sign in from. It's sometimes also called the 'login URL' or 'SAML endpoint'.
Public certificate
A SAML public certificate is a security certificate used to verify that SSO login requests and responses are authentic and haven’t been tampered with.
Below is an example of a completed and valid SAML configuration:
Identity provider configuration
You will also need to configure some settings on your identity provider's side. Below you have the three crucial URLs for this purpose:
- Entity ID: https://api-v2.tidio.com/auth/saml/metadata
- Assertion Consumer Service URL: https://api-v2.tidio.com/auth/saml/acs
- Logout URL: https://api-v2.tidio.com/auth/saml/sls
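The fields above (identity domain, IdP entity ID, sign-in URL, public certificate) and the three Tidio URLs are the values a SAML response is checked against when it arrives at the Assertion Consumer Service. The script below is an added example, not Tidio's code: it shows which parts of a SAMLResponse must line up with the configuration (Destination and Recipient equal the ACS URL, Audience equals the Tidio entity ID, Issuer equals the configured IdP entity ID, the NameID's email domain equals the verified identity domain, and the validity window contains the current time). The project configuration values and the SAMLResponse are constructed sample data. Cryptographic verification of the assertion signature against the IdP public certificate requires an XML-DSig library (for example xmlsec) and is not performed here; the check only confirms that a Signature element is present.

```python
"""Consistency checks for a SAML Response against a Tidio SSO configuration.

Added example, not Tidio's code. SP values are the ones shown on the Tidio
SSO settings page; the project configuration and the SAMLResponse below are
constructed sample data. Signature verification is out of scope here.
"""
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# Service-provider values from the Tidio SSO settings page.
SP_ENTITY_ID = "https://api-v2.tidio.com/auth/saml/metadata"
SP_ACS_URL = "https://api-v2.tidio.com/auth/saml/acs"
SP_SLS_URL = "https://api-v2.tidio.com/auth/saml/sls"

# Constructed project-side configuration (hypothetical values).
PROJECT_CONFIG = {
    "identity_domain": "example.com",
    "idp_entity_id": "https://idp.example.com/saml/metadata",
    "sso_sign_in_url": "https://idp.example.com/saml/sso",
}

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed, unsigned SAMLResponse used as sample input (placeholder signature).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z" Destination="{SP_ACS_URL}">
  <saml:Issuer>{PROJECT_CONFIG['idp_entity_id']}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>{PROJECT_CONFIG['idp_entity_id']}</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}"><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID>agent@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" NotOnOrAfter="2024-05-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """Parse the UTC timestamp format used in SAML attributes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def encode_post_param(xml_text):
    """Encode a response the way the HTTP-POST binding carries it in the SAMLResponse field."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_post_param(saml_response_b64):
    """Decode the SAMLResponse form field as delivered to the ACS URL."""
    return base64.b64decode(saml_response_b64).decode("utf-8")


def check_response(xml_text, config, now):
    """Return a list of findings; an empty list means every consistency check passed."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != SP_ACS_URL:
        findings.append("Destination is not the Tidio ACS URL")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != config["idp_entity_id"]:
        findings.append(f"Issuer {issuer!r} does not match the configured IdP entity ID")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no Assertion element"]
    if assertion.find("ds:Signature", NS) is None:
        findings.append("Assertion carries no Signature element")
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != SP_ENTITY_ID:
        findings.append("Audience is not the Tidio SP entity ID")
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL:
        findings.append("SubjectConfirmationData Recipient is not the ACS URL")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:
        if now < parse_saml_time(conditions.get("NotBefore")):
            findings.append("assertion not yet valid")
        if now >= parse_saml_time(conditions.get("NotOnOrAfter")):
            findings.append("assertion expired")
    # The NameID's email domain must be the identity domain proven via the DNS record.
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS) or ""
    domain = name_id.rpartition("@")[2].lower()
    if domain != config["identity_domain"].lower():
        findings.append(f"NameID domain {domain!r} is not the verified identity domain")
    return findings


if __name__ == "__main__":
    now = parse_saml_time("2024-05-01T12:01:00Z")
    received = decode_post_param(encode_post_param(SAMPLE_RESPONSE))
    print("valid response:", check_response(received, PROJECT_CONFIG, now) or "all checks passed")
    stale = parse_saml_time("2024-05-01T12:10:00Z")
    print("replayed later:", check_response(received, PROJECT_CONFIG, stale))
```

Each finding maps to one configuration field on the Tidio page or one of the three Tidio URLs, which makes the output useful when an IdP app was created with the wrong entity ID or ACS URL: the response parses but the Audience or Destination check fails, pointing at the field to correct on the provider's side.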
Enforcing SSO in your project
As the project owner, you can force your entire team of agents to only use SSO (as opposed to having SSO as an option, alongside the traditional password login method). To do that, you need SSO already configured and enabled, and you also need to be logged in via SSO yourself.
Go to Settings > Project > Single Sign-On (SSO), and notice the Force SSO configuration option:
If you are the project owner, and SSO is already configured, and you are currently logged into Tidio through SSO - you are able to use this option and force your team to use SSO. You can disable this option anytime as well.