SSO is only available on an Enterprise plan. If you're interested in Tango Enterprise, please reach out to our team here.
Click on the button below to view the Tango for setting up SSO:
Frequently Asked Questions related to configuring SSO & SCIM in the Tango Application
How does SSO configuration work in Tango?
How does SSO configuration work in Tango?
Tango uses a third-party service called Frontegg to handle the SSO/SCIM connections for our users. This means that the SSO flow and verification goes through Frontegg and gets passed back to Tango.
When you’re ready to configure SSO, Tango will enable your Workspace’s connection to Frontegg. This workflow will walk you through the SSO configuration process (please note that while we use Okta as the example in this workflow, the actual in-app support documentation will be customized to your IdP).
What IdPs do you support?
What IdPs do you support?
Any SAML or OpenID SSO services are supported. There is built-in documentation for a number of these services, as well as an option for Custom App configuration which covers anything not specified.
What do I need in order to enable SSO?
What do I need in order to enable SSO?
There are a number of access requirements the person configuring SSO should meet:
A Tango Admin seat to access the “Security” and “Manage SSO” pages within the Tango Workspace.
Admin seats do take up a Creator license (see this help article for information on Creator vs. Admin)
Admin access to your IdP (Identity Provider) to create the application within your IdP, insert the correct values, and share the metadata URL
Someone who can add a DNS record for the domains you’re looking to claim
For Enterprise customers with SCIM, SCIM can be configured immediately after SSO has been set up by following this workflow (please note, not all Enterprise accounts include the SCIM offering).
How long does it take to set up SSO?
How long does it take to set up SSO?
As long as the person configuring SSO has the correct Admin credentials to complete the required steps, SSO can be set up in less than 20 minutes.
What do I need to enable SCIM?
What do I need to enable SCIM?
You will need..
A Tango Enterprise subscription with SCIM (please note, not all Enterprise subscriptions have SCIM. If you’re unsure, please reference the features included in your order form).
A Tango Admin seat to access the “Security” and “Manage SSO” pages of Tango
An admin of your IdP to add provisioning and the needed values to the existing SSO application
Does my plan have SCIM?
Does my plan have SCIM?
SCIM is included in some Enterprise contracts. If it is not included in your Enterprise plan, it can be added at an additional cost.
What are the benefits of SCIM?
What are the benefits of SCIM?
The main benefit of SCIM is centralizing role management, provisioning, and deprovisioning of users. Provisioning and deprovisioning are hugely important to security in access management, because they mean that you don’t have to manually remove users who no longer should have access across all your platforms.
What are the limitations of SCIM provisioning?
What are the limitations of SCIM provisioning?
Once SSO and SCIM have been set up, Tango Admins who do not have access to manage users in the IdP will not be able to add or remove users within Tango. This is a security bonus, but may make role management more burdensome if you plan to rotate who has access to the Tango Workspace.
How long does it take to set up SCIM?
How long does it take to set up SCIM?
As long as the person configuring SSO has the correct Admin credentials to complete the required steps, SCIM can be set up in under an hour, including setting up groups and assigning roles. It may take additional time to sync after the SCIM configuration is complete, depending on the settings within your IdP, but the initial setup is fairly quick.
What information/attributes does Tango need from SCIM?
What information/attributes does Tango need from SCIM?
Tango will only look for attributes for username, email, first name, and last name. These specific mappings should be within the SCIM configuration documentation when you are setting up SCIM.
Specifically for Azure, externalId is needed as one of the attributes, so please do not remove it.
How does Tango manage roles for SCIM?
How does Tango manage roles for SCIM?
We do not prevent the manual assignment of roles once SCIM has been set up, so role management is done through the "Members" section of your Workspace's settings.
Does Tango support SCIM with Google SSO?
Does Tango support SCIM with Google SSO?
No. Only applications approved by Google can use SCIM for Google SSO. Unfortunately, Tango is not currently on that list so it is not possible to use SCIM with Google SSO at this time. We do not expect that to change in the near future.
How does Tango support SSO configuration?
How does Tango support SSO configuration?
In addition to the self-serve documentation provided, Tango has a dedicated Technical Support Engineer, as well as two Staff Engineers who are experts in configuring SSO and SCIM. Should Business or Enterprise clients require help in setting up their SSO or SCIM connections, they can email [email protected] or [email protected] to schedule time with a member of our team.
Once you have SSO (and maybe even SCIM) set-up, the next thing you should consider is automatically downloading the extension and signing-in for all your users.
Reach out to your Tango Implementation Lead to learn about Magic Login!