Single sign-on (SSO) allows you to sign in to Tackle through a secure third-party identity provider, which adds security and saves time over password authentication. Tackle SSO is compatible with most leading SSO providers, including Okta, Microsoft Azure, and other OpenID providers.
Set up Okta for Tackle SSO
Before you begin
Make sure you have the following permissions and tools:
Access to a Tackle account with the Tackle Admin role
App Admin permissions in Okta
A browser to search for Tackle in Okta
When you're ready, follow these steps to connect your Tackle account to Okta:
Add the Tackle integration in Okta
In your Okta dashboard, go to Applications > Applications.
Click Browse App Catalog.
Search for Tackle.io.
When you find the Tackle integration, click Add Integration.
Name the integration and click Done to finish adding the Tackle app in Okta.
After you add the integration, you are redirected in Okta. The Assignments tab opens by default.
Click the Sign On tab, and then copy and save the Client ID, Client secret, and the URL from the OpenID Provider Metadata. You’ll enter these required values in Tackle once the integration is added in Okta and you're able to access Tackle.
Enable your Okta integration in Tackle
Sign in to Tackle.
In the left menu, click User Management.
Click the Single sign-on tab. The tab opens.
Click the dropdown field and select Okta as your connection type.
For the remaining fields, enter the required values you copied when you set up your Okta integration:
Okta domain ({your-oktaDomain}.okta.com) - for example, if your domain name is "acme," you would enter acme.okta.com.
Client ID
Client secret
Click Save Changes to enable your integration. If the integration is enabled successfully, you’ll see a green banner with a success message. To make any changes, click Edit.
Once the integration is enabled, you can manually grant admin access to users in Tackle.
In Tackle, go to the left menu and click User Management.
Click Invite.
Enter the new user's email address, select a user role, and then click SEND INVITE.
To check the status of an invite, you can search for a user name or email address.
Sign in to Tackle in Okta
After you have connected Okta in Tackle, you can sign in to Tackle through Okta:
Go to {your-oktaDomain}.okta.com. For example, if your domain name is "acme," enter https://acme.okta.com.
Go to My Apps.
Find the Tackle.io app.
Click the app to sign in to Tackle. This takes you to https://downstream.tackle.io/login.
Note: If you can’t see or find the app in Okta, you may not have access to Tackle. Contact your Okta administrator for help.
Set up OpenID Connect for your identity provider
Before you begin
Before you get started, you'll need a callback URL so that Tackle can use your identity provider of choice. You may need to configure the OpenID Connect (OIDC) Issuer with these callback URLs:
Redirect URL - https://auth.tackle.io/login/callback
Home Login URL - https://downstream.tackle.io/auth/initiate/[vendor_ID]
Note: This is an example URL format. As you're setting up, you'll be provided a unique Home Login URL with your vendor ID.
Enable your custom OpenID Connect
Sign in to Tackle.
In the left menu, click User Management.
Click the Single sign-on tab. The tab opens.
Click the dropdown field and select OpenID Connect as your connection type.
For the remaining fields, enter the required values you copied when you set up your OIDC integration in your identity provider:
Client ID
Issuer URL - This is the URL of the well-known configuration endpoint from your Identity Provider.
Client Secret (OPTIONAL) - Some SSO providers may require “back channel” or “ID Token” authentication which requires a client secret.
Click Save Changes to enable your integration. If the integration is enabled successfully, you’ll see a green banner with a success message. To make any changes, click Edit.
Make sure to complete additional steps on your end for a successful integration.
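Before you enter the Issuer URL and decide whether to supply the optional client secret, you can sanity-check the provider's well-known configuration document. The following is an added example, not Tackle's code: the function name check_discovery, the idp.example.com host, and the sample document are constructed for illustration, and the rule that the back-channel flow needs a client secret is taken from the field description above.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
# Metadata fields that OpenID Connect Discovery 1.0 marks as REQUIRED.
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri", "response_types_supported",
            "subject_types_supported", "id_token_signing_alg_values_supported")

def check_discovery(fetched_from, doc, have_client_secret):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = [f"missing required field: {k}" for k in REQUIRED if k not in doc]
    issuer = doc.get("issuer", "")
    if urlsplit(issuer).scheme != "https":
        findings.append("issuer is not an https URL")
    # The issuer must be exactly the prefix of the URL the document came from.
    if issuer.rstrip("/") + WELL_KNOWN != fetched_from:
        findings.append("issuer does not match the URL the document was fetched from")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key in doc and urlsplit(doc[key]).scheme != "https":
            findings.append(f"{key} is not an https URL")
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        findings.append("unsigned ID tokens (alg none) are advertised")
    types = [t.split() for t in doc.get("response_types_supported", [])]
    front = any("id_token" in t for t in types)  # ID token returned through the browser
    # Assumption taken from the page: the back-channel (code) flow needs a client secret.
    back = ["code"] in types and "token_endpoint" in doc and have_client_secret
    if not (front or back):
        findings.append("no usable flow: need an id_token response type, "
                        "or the code flow plus a client secret")
    return findings

# Constructed sample document for a hypothetical provider (not real Tackle or IdP data).
SAMPLE_URL = "https://idp.example.com" + WELL_KNOWN
SAMPLE = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

if __name__ == "__main__":
    print(check_discovery(SAMPLE_URL, SAMPLE, have_client_secret=False))
    wrong = dict(SAMPLE, issuer="https://login.example.net", response_types_supported=["code"])
    for finding in check_discovery(SAMPLE_URL, wrong, have_client_secret=False):
        print("FLAG:", finding)
```

To check a real provider, save its well-known configuration document as JSON, load it with json.load, and pass the URL it was downloaded from as fetched_from.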
Microsoft Azure AD SSO setup
If you’re using Microsoft Azure Active Directory (AD) to set up SSO, follow these additional steps:
Follow steps 1-7. However, for step 6, complete the following items:
For Redirect URI (optional), click the Select a platform field and select Web.
For the Redirect URI field, enter https://tackle.auth0.com/login/callback.
After you complete the initial app registration (steps 1-7), go to the left menu, and under Manage, click Authentication.
In the Implicit grant and hybrid flows section, select the ID tokens (used for implicit and hybrid flows) checkbox and then click Save.
On the left menu, under Manage, click Certificates & secrets.
Select New Client secret.
Enter a description for the client secret and click Add.
On the left menu, under Manage, click Branding & properties.
In the Home page URL field, enter the Home Login URL provided in Tackle > User Management > Single sign-on.
When you’re done, click Save.
Enforce SSO as the only sign-in method for your account
After setting up your Okta or OIDC SSO connection and successfully signing in through single sign-on, you’ll be able to strictly enforce it as your account's only sign-in method.
Sign in to Tackle using your SSO provider.
In the left menu, click User Management.
Click the Single sign-on tab.
Click the Edit button to edit your connection.
In the Login Requirement section, click the Require all users to sign in with single sign-on only checkbox.
Save your changes.
Now your users will be required to sign in directly through your identity provider, or they will be redirected there after entering their email address on the Tackle sign-in screen.
Add new users through SSO with Just-In-Time (JIT) provisioning
Just-In-Time (JIT) provisioning is a setting that further streamlines adding new users to Tackle with SSO. With JIT provisioning enabled, whenever a user signed in to your SSO provider signs in to Tackle for the first time, a new Tackle user is automatically created for them. Otherwise, your new user will not be able to sign in unless your Tackle administrator invites them manually from within the Tackle platform.
By default, JIT provisioning is disabled for new Tackle accounts. Here’s how to enable or disable JIT provisioning:
Sign in to Tackle. In the left menu, click User Management.
Click the Single sign-on tab, then click Edit at the bottom of the page.
In the Just in time (JIT) provisioning section, use the radio buttons to turn this feature on or off.
When you’re finished, click Save changes.