
SSO Setup Guide

A guide to setting up all supported SSO providers

Written by Chris Brown
Updated yesterday

Trovata currently supports Single Sign On (SSO) and can integrate with any SAML 2.0 compatible IdP.

Below are various setup guides and process flows for compatible options.

Self-Service SSO

Prerequisites

Before setting up SSO, ensure you have:

  • Administrator access to your Trovata instance.

  • A company-wide SSO provider in place.

  • Your SSO sign-in URL

  • The SSO X509 signing certificate saved as a plain text file (created at your IdP using the Service Provider details given below)

1) Access SSO Settings - Go to the bottom left corner of the page, click your instance name, select the settings icon, and navigate to the "SSO" tab.

2) Enter SSO Sign-In URL - Paste your SSO sign-in URL in the provided field.

3) Upload X509 Signing Certificate - Upload your X509 signing certificate (ensure it’s saved as a plain text file).

4) Select SSO Connection Type - Choose your SSO connection type from the dropdown menu. If your type isn’t “Azure/Entra” or “Shibboleth,” select “Other.”

5) Enter Company Email Domain - Specify your company’s email domain. For example, if your company’s email addresses look like tom@companyname.com, you should enter "companyname.com". You can also add multiple domains if needed.

6) Save Changes - Click "Save Changes" to save your entries.

7) Test Configuration - Click "Test Changes" to verify the SSO setup. You will be presented with a login screen; enter the same email you logged in with and click “Continue”. A confirmation page will appear that says "SSO Login Test Successful".

8) Enable Configuration - To activate this setup, switch on the toggle at the top of the page. Then, log out of Trovata and log back in to verify the integration by using your company’s SSO provider.


SAML Setup Metadata Exchange Guide

Here are the 6 values needed to set up the authentication provider (IdP):

  1. Audience URI (or Entity ID): urn:auth0:trovata-users:<company name>

  2. Default RelayState: Trovata-<company name>

  3. NameID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

  4. NameID Attribute: email

  5. Email Attribute: email

Once the application is created in the IdP, provide Trovata with the following information via the Trovata chat feature, found in the bottom right corner of your account instance:

  1. <Company-Name>

    1. Use your company name; the standard naming convention is that each word is capitalized and each space is represented by a hyphen (-).

  2. SSO Login URL

  3. x509 Certificate

  4. Email Domain

    1. More than one is supported.
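The two checks an admin most often trips over in the steps above are the company-name convention (which fixes the Audience URI and RelayState) and the requirement that the X509 certificate be uploaded as a plain-text file. The following Python is an added example, not Trovata's own code; the slug rule is my reading of the stated convention (capitalize each word, join with hyphens, collapse whitespace), and the certificate in the sample is a constructed stand-in blob, not a real certificate.

```python
import base64
import re

NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<b64>[A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----"
)

def company_slug(name: str) -> str:
    """Guide convention: capitalize each word, replace each space with a hyphen.
    Assumption: runs of whitespace collapse; other characters are kept as typed."""
    words = name.split()
    if not words:
        raise ValueError("company name must not be empty")
    return "-".join(w[0].upper() + w[1:] for w in words)

def sp_values(company_name: str) -> dict:
    slug = company_slug(company_name)
    return {
        "audience": f"urn:auth0:trovata-users:{slug}",   # Audience URI / Entity ID
        "relay_state": f"Trovata-{slug}",                # Default RelayState
        "nameid_format": NAMEID_FORMAT,
        "nameid_attribute": "email",
        "email_attribute": "email",
    }

def check_signing_certificate(data: bytes) -> bytes:
    """Confirm the file is a plain-text (PEM) X.509 certificate, as the upload
    step requires, and return the decoded DER. Raises ValueError otherwise."""
    if data[:1] == b"\x30":  # a raw DER export starts with an ASN.1 SEQUENCE tag
        raise ValueError("binary DER export: re-export the certificate as Base64/PEM")
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("file is not plain text") from None
    match = PEM_RE.search(text)
    if match is None:
        raise ValueError("no BEGIN/END CERTIFICATE block found")
    der = base64.b64decode("".join(match.group("b64").split()), validate=True)
    if der[:1] != b"\x30":
        raise ValueError("PEM body does not decode to an X.509 certificate")
    return der

# Constructed sample: a stand-in DER blob wrapped in PEM, not a real certificate.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(FAKE_DER)
              + b"-----END CERTIFICATE-----\n")
```

Run `check_signing_certificate` over the file you intend to upload before step 3 of the self-service flow; a binary export is the usual cause of a rejected certificate.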


Okta SAML SSO Guide

1. Create a new application in the Okta Portal and select SAML 2.0.

2. Enter the following settings for the application. For <company name>, use the company name; the standard naming convention is that each word is capitalized and each space is represented by a hyphen (-).

Audience: urn:auth0:trovata-users:<company name>

Default RelayState: Trovata-<company name>

Ensure the remaining settings match exactly as they are shown in the screenshot:

3. Create/save the settings for the application above.

4. Once the application is saved, click on “View Setup Instructions” to get the sign-on URL that was generated for the application and provide it to Trovata.


Azure SAML SSO Guide


1. Navigate to “Enterprise applications” in Azure.

2. Click on New Application and then Create your own application.

3. Name the app “Trovata” or another name that makes sense for the organization.

4. Click on Integrate any other application you don't find in the gallery (Non-gallery) and then Create.

5. Once the application is created, click Single sign-on in the sidebar.

6. Enter the following settings for the application. For <company name>, use the company name; the standard naming convention is that each word is capitalized and each space is represented by a hyphen (-).

Ensure the settings match exactly as shown in the screenshot.

• Identifier: urn:auth0:trovata-users:company-name

• Relay State: Trovata-company-name

7. Leave Step 2 as-is.

8. In Step 3, download the Certificate (Base 64).

9. In Step 4, provide the Login URL, the Logout URL and the certificate downloaded in the previous step to Trovata.


OneLogin SAML SSO Guide

Create a custom application: Applications -> Add App

Search for: SAML Custom

Select SAML Custom Connector (Advanced).

Change the Display Name as desired.

Click Save.

Once saved, open the Configuration page by clicking the Configuration link:

Provide the following values:

RelayState: Trovata-<company name>

Audience: urn:auth0:trovata-users:<company name>

ACS (Consumer) URL Validator*:

[-a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%_\+.~#?&//=]*)

Replace <company name> with the name given by Trovata.

The remaining fields can be left as the defaults.

Save these values when complete.

Next configure a parameter by clicking the Parameters link.

Add a SAML Custom Connector (Advanced) Field by clicking on the “+” sign:

Enter email as the field name.

Select Include in SAML assertion.

Click on the Save button.


Once SSO is Setup

Configuration is complete and the SSO admin is ready to add users.

Trovata does not support a user logging in directly through the SSO dashboard.

Users must log in via Trovata’s sign-in page: app.trovata.io (unless the Trovata “tile” is reconfigured to route to that exact URL).

NOTE: We do not support social sign in through Google, LinkedIn, or other common social platforms.

If the user’s email domain matches a domain entered during configuration, the sign-in page will redirect to the customer’s SSO login screen.

Trovata will auto-provision a user account for those logging in for the first time (i.e. no manual linking is necessary).

An administrator might not exist if all users are set up via SSO.

NOTE: An administrator can be designated by the Account Owner OR by your Trovata contact (as long as Trovata has administrator access to your instance).

Information Relevant to SSO / IdP Admin

The SSO administrator grants users access to Trovata; the Trovata “tile” is displayed for a user once access has been granted.

In Trovata, the default entitlement setting will need to be updated: all users start off as read-only.

As a best practice, deactivated users’ profiles should be deleted by a Trovata admin (once SSO permissions to Trovata are removed, users cannot log in anyway).


Troubleshooting

If a user was created in the Trovata Admin Portal and SSO was configured after the fact:

A user’s email must exactly match (note: case sensitive) the email address set up in the customer’s SSO environment (also known as the IdP, identity provider) to trigger automatic linking of the user created in the Trovata Admin Portal to the customer’s identity in their SSO environment.

Because the accounts are linked, the existing entitlements/permissions are retained.

If a user is created in the Trovata Admin Portal and SSO is active already:

The user will receive a set-password link; they should use it to set a password for the newly created account (take note of the password). This is important for potentially linking the user created in the Trovata Admin Portal with the customer's identity in their SSO environment.

The remaining steps follow the same path as “If a user was created in the Trovata Admin Portal and SSO was configured after the fact”.

If the emails don’t match between the user created in the Trovata Admin Portal and the customer’s SSO environment:

A new user will be created in Trovata and mapped to the customer’s identity in their SSO environment.

The newly created user is granted the default entitlements/permissions (Reader).
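The troubleshooting rules above reduce to one decision: an IdP-asserted address either matches an existing Admin Portal user exactly (case-sensitive) and links to it, keeping its entitlements, or it does not and a fresh Reader account is created. The following Python models that decision, together with the domain check that decides whether the sign-in page redirects to SSO at all. It is an added example, not Trovata's code; the domain comparison being case-insensitive and the user records are assumptions, and the sample users are constructed.

```python
from dataclasses import dataclass, field

DEFAULT_ENTITLEMENT = "Reader"   # what an auto-provisioned user starts with

@dataclass
class TrovataUser:
    email: str
    entitlements: set = field(default_factory=lambda: {DEFAULT_ENTITLEMENT})
    linked_to_idp: bool = False

def sso_redirects(email: str, sso_domains: set) -> bool:
    """The sign-in page sends a user to the customer's IdP only when the
    address's domain is one of the configured domains (assumed case-insensitive)."""
    _, _, domain = email.rpartition("@")
    return domain.lower() in {d.lower() for d in sso_domains}

def resolve_sso_login(idp_email: str, users: list) -> tuple:
    """Return (action, user): 'linked' when an existing Admin Portal user has the
    exact, case-sensitive address asserted by the IdP; otherwise 'created' with
    default entitlements. Mutates `users` the way the guide describes."""
    for user in users:
        if user.email == idp_email:        # exact match, case-sensitive
            user.linked_to_idp = True
            return "linked", user          # existing entitlements are retained
    new_user = TrovataUser(email=idp_email, linked_to_idp=True)
    users.append(new_user)
    return "created", new_user

# Constructed sample: one pre-existing Admin Portal user with elevated rights.
USERS = [TrovataUser("tom@companyname.com", {"Admin"})]
```

Run `resolve_sso_login("Tom@companyname.com", USERS)` to see the case-mismatch failure mode: a second, read-only account appears instead of the Admin account being linked.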

