Authentication User Guide

Tehama offers two flavours of authentication: Two-Factor Authentication (2FA) and Single Sign On (SSO).

2FA and SSO are both available to all organizations.

Two-Factor Authentication (2FA)

Two-Factor Authentication (2FA) is used as part of the login process for Tehama to provide extra security.

After you fill in the fields on the JOIN TEHAMA page and click the Register button, you are presented with a page where you can install the Google Authenticator software.

Choose either the Google Play button or the App Store button and then click Next. The next page contains a QR code which you'll need to scan on your mobile device. After you click Next, the final login page opens.

Once you enter your email address and password, open Google Authenticator on your mobile device and enter the code it displays in the Authentication Code field. When you click Login you will have access to Tehama.

If you need to reset your password, reach out to the Tehama Concierge for support (Tehama Support).

Choose one of the options listed to get the help you require.

Single Sign On (SSO)

Tehama provides the option to use Single Sign On (SSO) for its login process.

Each Organization that wishes to enable SSO must first set up a relationship between its Tehama account and an identity provider. This relationship enables the exchange of authentication and authorization data between Tehama and the identity provider through the 'Security Assertion Markup Language' (SAML) standard.

SAML (Security Assertion Markup Language) is an XML-based standard that lets users provide their authentication data (e.g. username/password) only once when logging in to a series of servers (applications/websites) that are affiliated with the same 'identity provider'.


The following instructions walk you, the Organization Owner, through setting up SSO for your organization.

The following steps, divided into four parts, walk you through configuring the Tehama SAML (Security Assertion Markup Language).

Begin Tehama SAML Configuration

  1. Open a tab in the browser of your choice and log in to Tehama as the Organization Owner.


    - Address: https://<your organization-id>.tehama.io

    or, if you do not know your organization-id:

    - Address: https://app.tehama.io and enter your organization's url when prompted.

    (If you do not know your organization's url, select the text "Can't remember your Organization's URL?", enter your email address and a link to your organization's login page will be emailed to you.)

  2. Go to your Organization's settings page by selecting Organization from the top-right dropdown.

  3. Click on the AUTHENTICATION sidebar item.

  4. Check "Enable SAML Single-Sign On"

  5. Take note of the values in the Entity ID and the Callback URL (Assertion Consumer Service URL) fields. These will be used during the configuration of the identity provider.

  6. Do not click on the SAVE button at this point.

Configure the Identity Provider

You may use any SAML-based identity provider.

Examples include:

  • Salesforce
  • Active Directory Federation Services (ADFS)
  • many others.

After setting up your chosen identity provider, add your Tehama Organization as a "connected application" with the Entity ID and Callback URL values that were presented to you when you enabled SAML SSO for your Organization in Tehama.

Once your identity provider configuration is complete, retrieve the Federation Metadata XML for use in finishing the Tehama SAML Configuration.

You can find detailed instructions for setting up an identity provider in the SSO Identity Provider User Guide.

Finish Tehama SAML Configuration

  1. Go back to the Tehama browser window that is showing the Authentication tab.
  2. Paste the XML contents into the "Federation Metadata XML" text box field.

  3. Press Save

Team Tehama SAML Configuration

Now that the Tehama SAML configuration is completed, each team member in your organization will receive an email inviting them to configure their SSO login by clicking on the provided link, CONFIGURE SSO LOGIN, and following the instructions.

Each subsequently added team member will receive the same email.