Does TermScout support SSO?

Yes, TermScout supports SSO.

TermScout supports SSO via SAML identity providers. Setup is a two-step process: (1) the customer creates an application in their identity provider of choice; (2) TermScout receives the metadata URL from the customer and configures the provider in our application. The process uses TermScout’s authentication service, managed by Amazon Cognito, following Amazon's best practices for configuring identity providers.

Create the Application

TermScout can support any third-party SAML 2.0 provider. The following outlines the application configuration in detail for Microsoft Azure AD and Okta, as these have been explicitly tested with TermScout’s application.

Generic

The following is required for any generic identity provider:

  1. Set the urn/Audience URI/SP Entity ID to: urn:amazon:cognito:sp:us-east-1_WJXDAxFXe
  2. Set the redirect URL/reply URL/sign-in URL to: https://termscout.auth.us-east-1.amazoncognito.com/saml2/idpresponse
  3. Set the attribute http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress to the email address attribute made available by the identity provider. This is a required attribute to authenticate users with SSO for our application.

Additional resources can be found here.

Microsoft Azure Active Directory

The following outlines specific instructions for configuring an application with Microsoft Azure Active Directory:

  1. In the Azure Portal, create a new Enterprise Application. Be sure to choose Non-gallery application
  2. Choose Single sign-on in the navigation menu and select SAML
  3. Navigate to the Domain and URLs section
  4. Set the Identifier to urn:amazon:cognito:sp:us-east-1_WJXDAxFXe
  5. Set the Reply URL to https://termscout.auth.us-east-1.amazoncognito.com/saml2/idpresponse
  6. Navigate to User Attributes and Claims and set Claim Name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress to Value user.userprincipalname
  7. Navigate to Users and Groups to add any users that you’d like to have access to TermScout through your SSO integration
  8. Find the App Federation Metadata Url to send to TermScout as outlined below

Additional resources can be found here.

Okta

The following outlines specific instructions for configuring an application with Okta:

  1. Create a new SAML 2.0 application in the Okta developer console. Be sure to set Platform to Web
  2. Under GENERAL, for Single sign on URL, enter https://termscout.auth.us-east-1.amazoncognito.com/saml2/idpresponse
  3. For Audience URI (SP Entity ID), enter urn:amazon:cognito:sp:us-east-1_WJXDAxFXe
  4. Under ATTRIBUTE STATEMENTS, add a statement with the following information:
    For Name, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    For Value, enter user.email
  5. On the Assignments tab for your Okta app, for Assign, choose Assign to People. Assign TermScout to any users that you’d like to have access to TermScout through your SSO integration
  6. On the Sign On tab, find the Identity Provider metadata hyperlink to send to TermScout as outlined below

Additional resources can be found here and here.

Send Information to TermScout

After configuring the application with your identity provider, TermScout needs a few data points to finish the configuration on our side. Please send an email to infosec@termscout.com with the subject line: “SSO Setup” including the following information in the body of the email:

  1. SAML Metadata URL - Link to the metadata XML for your application
  2. Email Domain - The domain of the corporate email account that your users will be signing in with

We will respond when everything is ready. You’ll need to assign approved users to the application through your identity provider. Approved users can then navigate to our Sign In page, choose “Continue With SSO” and enter their corporate email address.

Additional Notes

TermScout only supports authentication via SAML identity providers when accessing our application directly through our Sign In page, as described above. Users will not be able to authenticate through the identity provider’s console or web interface.

Troubleshooting

If everything appears to be set up correctly and users are not able to authenticate successfully, please confirm the following:

  1. The user(s) trying to authenticate are assigned to the application through your identity provider.
  2. The user(s) trying to authenticate are using a corporate email account with the domain that you sent to TermScout when setting up your SSO integration.
  3. The 3 items listed in the Generic application configuration documentation above are entered correctly in your application configuration.
  4. You’ve sent the information described above to TermScout and received a response indicating that your SSO integration is ready to use.
  5. The user(s) trying to authenticate don’t have existing accounts with TermScout using the same email address as the one being used with SSO. In this case, please contact us at infosec@termscout.com for help migrating the existing user accounts.
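The three Generic configuration items above and troubleshooting steps 2 and 3 can be checked mechanically before contacting TermScout. The following Python script is an added example and is not part of TermScout's documentation or tooling. It assumes two inputs the customer can obtain themselves: the identity provider's metadata XML (the content behind the SAML Metadata URL) and a SAML response captured from a failing login with a browser SAML tracer extension. Both sample documents embedded below are constructed for illustration; the SP entity ID, reply URL and email claim name are the values from this page.

```python
"""Sanity checks for a SAML IdP metadata document and a captured SAML response.

Added example, not TermScout's code. Assumed inputs: IdP metadata XML and a
SAML response XML exported from a browser SAML tracer (hypothetical files).
"""
import xml.etree.ElementTree as ET

# Values taken from the Generic configuration section of this page.
SP_ENTITY_ID = "urn:amazon:cognito:sp:us-east-1_WJXDAxFXe"
REPLY_URL = "https://termscout.auth.us-east-1.amazoncognito.com/saml2/idpresponse"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def check_metadata(xml_text):
    """Return a list of problems with IdP metadata (empty list means it looks usable)."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        return ["root element is not md:EntityDescriptor (wrong URL or not SAML metadata)"]
    if not root.get("entityID"):
        problems.append("missing entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no IDPSSODescriptor (this is SP metadata, not IdP metadata)"]
    if not idp.findall("md:SingleSignOnService", NS):
        problems.append("no SingleSignOnService endpoint")
    # A KeyDescriptor with no 'use' attribute covers both signing and encryption.
    has_signing_cert = any(
        kd.get("use") in (None, "signing") and kd.find(".//ds:X509Certificate", NS) is not None
        for kd in idp.findall("md:KeyDescriptor", NS)
    )
    if not has_signing_cert:
        problems.append("no signing certificate; the service provider cannot verify assertions")
    return problems


def check_response(xml_text, expected_domain):
    """Compare a captured SAML response against the three Generic configuration items."""
    problems = []
    root = ET.fromstring(xml_text)
    # Item 2: the IdP must post the response to the Cognito reply URL.
    if root.get("Destination") != REPLY_URL:
        problems.append(f"Destination is {root.get('Destination')!r}, expected the reply URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plaintext saml:Assertion in response (encrypted, or failed at the IdP)"]
    # Item 1: the audience must be the Cognito SP entity ID.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        problems.append(f"Audience {audiences} does not include the SP entity ID")
    # Item 3: the email claim must be present and in the domain sent to TermScout.
    emails = [v.text for v in assertion.findall(
        f"saml:AttributeStatement/saml:Attribute[@Name='{EMAIL_CLAIM}']/saml:AttributeValue", NS)]
    if not emails:
        problems.append("email claim attribute missing")
    elif not emails[0].lower().endswith("@" + expected_domain.lower()):
        problems.append(f"email {emails[0]!r} is not in the registered domain {expected_domain}")
    return problems


# Constructed sample documents (not real metadata or a real login).
GOOD_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-CERT-BASE64</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

GOOD_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Destination="{REPLY_URL}">
  <saml:Assertion ID="_a1">
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{EMAIL_CLAIM}">
        <saml:AttributeValue>jane@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Same response with a wrong audience and no attribute statement.
BAD_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r2" Destination="{REPLY_URL}">
  <saml:Assertion ID="_a2">
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>urn:example:wrong-sp</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print("metadata:", check_metadata(GOOD_METADATA) or "ok")
    print("good response:", check_response(GOOD_RESPONSE, "example.com") or "ok")
    print("bad response:", check_response(BAD_RESPONSE, "example.com"))
```

The domain check also surfaces the case where the Azure claim is mapped to user.userprincipalname but the tenant's UPN suffix differs from the corporate email domain registered with TermScout, which presents as troubleshooting step 2.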

If you’ve confirmed the above and are still experiencing issues, please contact infosec@termscout.com for assistance.