Authentication User Guide
Tehama offers two flavours of authentication:
2FA and SSO are both available to all organizations.
Two-Factor Authentication (2FA)
Two-Factor Authentication (2FA) is used as part of the login process for Tehama to provide extra security.
After you fill in the fields on the JOIN TEHAMA page, and click the Register button, you are presented with a page where you can install Google Authenticator software.
Choose either the Google Play button or the App Store button and then click Next. The next page contains a QR code which you'll need to scan on your mobile device. After you click Next, the final login page opens.
Once you enter your email address and password, you'll need to access the Google Authenticator on your mobile device to enter this code in the Authentication Code field. When you click Login you will have access to Tehama.
If you need to reset your password , reach out to the Tehama Concierge for support (Tehama Support).
Choose one of the options listed to assist you get the help you require.
Single Sign On (SSO)
Tehama provides the option to use Single Sign On (SSO) for its login process.
Each Organization that wishes to enable SSO must first set up a relationship between its Tehama account and an identity provider. This relationship enables the exchange of authentication and authorization data between Tehama and the identity provider through the 'Security Assertion Markup Language' (SAML) standard.
Each user needs:
- a login to the Organization's Tehama account, and
- a login to the SSO service.
The following instructions walk you, the Organization Owner, through setting up the SSO service for your organization and linking it with your Organization's Tehama accounts.
The following steps, divided into four parts, walk you through configuring the Tehama SAML (Security Assertion Markup Language).
- Begin Tehama SAML Configuration
- Configure the Identity Provider
- Finish Tehama SAML Configuration
- Team Tehama SAML Configuration
Begin Tehama SAML Configuration
- Open a tab in the browser of your choice and log in to Tehama as the Organization Owner.
- Address: https://<your organization-id>.tehama.io
or, if you do not know your organization-id:
- Address: https://app.tehama.io and enter your organization's url when prompted.
(If you do not know your organization's url, select the text "Can't remember your Organization's URL?", enter your email address and a link to your organization's login page will be emailed to you.)
- Go to your Organization's settings page by selecting Organization from the top-right dropdown.
- Click on the AUTHENTICATION sidebar item.
- Check "Enable SAML Single-Sign On"
- Take note of the values in the Entity ID and the Callback URL (Assertion Consumer Service URL) fields. These
will be used during the configuration of the identity provider.
- Do not click on the SAVE button at this point.
Configure the Identity Provider
You may use any SAML-based identity provider.
- Active Directory Federation Services (ADFS)
- many others.
After setting up your chosen identity provider, add your Tehama Organization as a "connected application" with the Entity ID and Callback URL values that were presented to you when you enabled SAML SSO for you Organization in Tehama. Identity providers do not always use the same names for these values. Entity ID may be referred to as Audience URI, Identifier, Issuer, SP Entity ID, etc. Similarly Callback URL may be referred to as Assertion Consumer Service (ACS), Reply URL, Single sign on URL, etc.
Once your identity provider configuration is complete, retrieve the Federation Metadata XML for use in finishing the Tehama SAML Configuration. Identity providers may refer to this variously as IDP metadata, metadata, or simply XML, etc.
You can find detailed instructions for setting up an identity provider in the SSO Identity Providers User Guide
Finish Tehama SAML Configuration
- Go back to the Tehama browser window that is showing the Authentication tab
- Paste the XML contents into the "Federation Metadata XML" text box field.
- Press Save
Tehama Team Member SAML Configuration
Now that the Tehama SAML configuration is completed, each existing team member in your organization will receive an email inviting them to configure their SSO login by clicking on the provided link, CONFIGURE SSO LOGIN, and to follow the instructions.
Each subsequently added team member will receive the same email.
For SSO to work each Tehama Team Member must have a corresponding user account within the identity provider’s directory; with user accounts in both systems (identity provider and Tehama ) configured with the same email address.
Log in to the Tehama Web UI as follows:
- Open a browser and
- Navigate to the URL: https://app.tehama.io,
- You will see the SIGN IN TO YOUR ORGANIZATION dialog.
- Enter your organization's subdomain into the empty field to complete your organization's URL and click CONTINUE. (e.g.: enter 'mysubdomain' to complete the URL: mysubdomain.tehama.io)
- If you have forgotten your organization's subdomain, you may request it be emailed to you.
- Navigate directly to your organization's URL for Tehama. (e.g.: https://mysubdomain.tehama.io)
If using SSO and your identity provider determines that you are already logged in, then you are logged in.
Otherwise, you will see the LOGIN TO ... dialog. Log in using the account that you set up when you joined Tehama. That is, either a Google account or a Tehama account.
Now you may proceed to interact the Tehama Web UI.
Terms of Service
While you are using Tehama, Tehama continuously checks to see if you have accepted the latest Terms of Service (ToS). If a version of the ToS that is newer than the last one you accepted exists, you will be prompted to view and accept it. You are required to accept the latest ToS before you may proceed to interact with Tehama through the Web UI.
WARNING:: Failure of an organization owner (the user with the Admin role for the organization) to accept the latest ToS within fifteen days of issuance may result in the suspension of the organization's account.
When a change is made by Tehama to the ToS, Tehama organization owners receive an email and a notification:
- as soon as the change is available for acceptance.
- after five days have passed with no acceptance.
- after ten days have passed with no acceptance.
After fifteen days have passed with no acceptance of the ToS by the organization owner, a suspension may be placed on the organization's account, at Tehama's discretion.
A suspended Tehama organization's account restricts access to the Tehama Web UI for members of the organization and pauses rooms owned or connected to by the organization for all members of that room (for members of other orgs in the room as well).
To lift a suspension for non-acceptance of the latest ToS, the organization owner must log in to the organization and accept the ToS. The suspension will be lifted automatically. If this is not possible, contact Tehama Support for assistance.