Configuring Single Sign-On
Single sign-on (SSO) improves security controls; with SSO configured, users are redirected to authenticate to Tamr Cloud using your organization’s Identity Provider (IdP) when logging in.
With SSO enabled, you cannot create new users from Tamr Cloud Admin > Users. New users are automatically provisioned when they sign into Tamr Cloud for the first time via SSO, as follows:
- User accounts are created automatically from the IdP when the user first logs in, based on the user's email address.
- New users are assigned to the default role of "No Role".
- Tamr Cloud sends the user an email confirmation, which the user must accept before being able to log in.
You can also associate Tamr Cloud groups with external groups in your organization's IdP, such as groups in your organization's Active Directory. Your IdP must be configured to pass the group information to Tamr when the user logs in. In Tamr Cloud, you can configure tenant, project, and data product roles for these groups. Users are assigned to appropriate the Tamr Cloud groups when they log in, based on their external groups in the IdP. See Managing Groups for more information.
Important:
- At least one user in your tenant must have the Admin role before configuring SSO.
- When SSO is enabled, any existing Tamr Cloud user accounts will be migrated to SSO authentication and will retain all associated permissions. The user’s email address must be the same before and after SSO is enabled; otherwise, the user is treated as a new Tamr Cloud user.
Tamr Cloud supports the following enterprise IdPs:
- SAML 2.0 (preferred), including Okta and Microsoft Entra ID.
- Google Workspace
Contact Tamr Support ([email protected]) if you are interested in configuring SSO authentication and authorization for your tenant.
Updated 6 days ago