Single Sign-On - Integration between Okta and TUNE (TUNE Side)
TUNE offers SSO as a paid add-on; reach out to your Customer Success Manager, Sales Representative, or our support team at support@tune.com to get started if it’s not already enabled on your account.
This article covers the TUNE side of the SSO setup. If you need any guidance on setting up your Okta integration, you can find the instructions here.
Getting Started with Single Sign-On
Single Sign-On is available for employee users. The Single Sign-On feature is managed under Company - Customize Application - Settings. An employee user must have Brand Management permission to manage the SSO feature.
Enabling Single Sign-On
Single Sign-On is enabled at the account level with additional control at the individual user level. Check the SSO Enabled checkbox on the Single Sign-On Settings page to enable SSO.
Configuration
The Okta integration requires 4 fields to be completed:
- Issuer - The Issuer URL is your base Okta URL.
  - For accounts with Okta API Access Management, use this URL format: https://org.okta.com/oauth2/default
  - For accounts without Okta API Access Management, use this URL format: https://org.okta.com/oauth2
- Client ID - This is the identifier which is used to initiate the login protocol.
- Client Secret - This is the secret token which is used to initiate the login protocol.
- SSO Signing URL - This is the user-facing login URL for your SSO implementation.
  - During the sign-on process, your service provider should direct back to /sso_login
  - For example: https://yournetwork.hasoffers.com/sso_login
  - If you are using a custom application domain, use that domain here.
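The following pre-flight check for the values described above is an added example, not TUNE or Okta code. The function names, the placeholder-host list and the sample values are assumptions made for illustration; it only checks that the values are well formed and does not contact Okta or TUNE.

```python
from urllib.parse import urlsplit

# Issuer path formats given in the article above.
ISSUER_PATHS = ("/oauth2/default", "/oauth2")
SSO_LOGIN_PATH = "/sso_login"
# Hosts the article uses as placeholders; they must be replaced with your own.
PLACEHOLDER_HOSTS = {"org.okta.com", "yournetwork.hasoffers.com"}


def _check_https_url(label, value, problems):
    """Record scheme, host and extra-component problems; return the parsed URL."""
    parts = urlsplit(value.strip())
    if parts.scheme != "https":
        problems.append(f"{label}: must use https, got {parts.scheme or 'no scheme'!r}")
    if not parts.hostname:
        problems.append(f"{label}: missing host name")
    elif parts.hostname in PLACEHOLDER_HOSTS:
        problems.append(f"{label}: {parts.hostname} is the article's placeholder host")
    if parts.query or parts.fragment or parts.username:
        problems.append(f"{label}: must not carry a query, fragment or credentials")
    return parts


def check_sso_settings(issuer, client_id, client_secret, sso_login_url):
    """Return a list of problems; an empty list means the values are well formed."""
    problems = []
    iss = _check_https_url("Issuer", issuer, problems)
    # OIDC issuer values are compared as exact strings, so a trailing
    # slash or an extra path segment makes it a different issuer.
    if iss.path not in ISSUER_PATHS:
        problems.append(f"Issuer: path {iss.path!r} is neither /oauth2/default nor /oauth2")
    back = _check_https_url("SSO login URL", sso_login_url, problems)
    if back.path != SSO_LOGIN_PATH:
        problems.append(f"SSO login URL: path must be {SSO_LOGIN_PATH}, got {back.path!r}")
    if not client_id.strip():
        problems.append("Client ID: empty")
    if not client_secret.strip():
        problems.append("Client Secret: empty")
    elif client_secret.strip() == client_id.strip():
        problems.append("Client Secret: identical to the Client ID")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials or hosts.
    for line in check_sso_settings("http://example-org.okta.com/oauth2/default/",
                                   "0oaCONSTRUCTED", "0oaCONSTRUCTED",
                                   "https://example-network.hasoffers.com/login"):
        print(line)
```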
Managing Single Sign-On for Individual Users
Once Single Sign-On is enabled for your account, all employee users will have SSO automatically enabled by default. SSO may be disabled for individual users as needed.
To disable SSO for an employee user, navigate to the Employee page and click the Edit button under the Settings section. Single Sign-On can then be set to Enabled or Disabled. Disabling SSO will force users to log in using their email and password, bypassing the SSO process.