What is Single Sign-On?
Single Sign‑On (SSO) enables users to access multiple applications with a single set of credentials. Examples include “Sign in with Google” or “Login with Facebook.” In enterprise contexts, SSO often uses tools like Okta or Azure AD.
What are the benefits of Enterprise SSO?
In addition to simplicity, implementing Enterprise SSO with Tactic offers several advantages:
- Centralized authentication and improved security
- Simplified user experience with one set of credentials
- Reduced password fatigue and related IT support requests
- Seamless onboarding and offboarding for employees
- Consistent compliance with organizational security policies
- Ensuring two-factor authentication (2FA) is being used
SSO vs. Directory Sync
Tactic supports both SSO and Directory Sync, but they serve different purposes:
- SSO: Handles authentication, allowing users to log in using your organization’s identity provider.
- Directory Sync: Continuously syncs user profile attributes and group memberships in real time.
- Directory Sync: Allows the "Department" or "Team" User Profile Attributes from your AD to be synced into Tactic as "Teams", which you can then assign to specific Desks & Meeting Rooms as needed.
💡 Note: Single sign-on user attribute updates are not real-time updates. Real-time updates are only possible with Directory Sync.
How do we use SSO at Tactic?
At Tactic, we allow any organization to purchase SSO as an add-on so that they can get the benefits described above. A lot of organizations won’t allow a company to purchase SSO separately – so many that it’s become known as the SSO tax. There’s even a website that’s been created to name and shame the companies that do this. We charge a nominal fee since ultimately we have built-in costs with each new SSO connection we add.
Setting Up SSO in Tactic
Prerequisites
To set up SSO, an organization will need three things:
- They will need to know which company email domain URL(s) they want to have forwarded to their authentication provider.
- They will need Administrator / Global Admin access to their SSO provider’s admin portal.
- They will need an Admin-Level Tactic User Account to log in to Tactic with.
Steps
- Log in to Tactic as an Admin-Level User.
- In the bottom left-hand corner, select your Profile.
- Navigate to Settings > Organization Settings.
- At the top of this page, click on the "SSO & DSync" tab.
- Under Authorized Domains, enter your company’s email domain(s). Separate multiple domains with commas (e.g., gettactic.com, trytactic.com), then select the "Get Started" button to finalize.
- Upon hitting "Get Started" you will see a green checkmark indicating your domain was saved, and the two "Get Started" buttons for SSO & Directory Sync will now unlock.
- Next to the "Add SSO Connection" section, click the "Get Started" button.
- Select your identity provider from the available options.
- Once you’ve selected your organization's identity provider, a new tab will open to a step-by-step, guided, self-service setup portal wizard.
- The self-service portal will walk you through each step in the process, providing you with detailed instructions and screenshots that are specifically tailored to integrate Tactic SSO with your selected identity provider platform.
- In the example above, we selected "Entra ID (Azure AD) SAML" as our identity provider, so the self-service portal has provided step-by-step instructions that show the specific process for creating the enterprise application within Azure, which will handle the SSO connection with Tactic.
- After completing all steps in the self-service setup portal wizard, you will be prompted to Test SSO. If the test comes back successful, then the process is complete!
💡 Note: It is CRUCIAL that you or your organization's IT Department follow each step in the self-service guide EXACTLY as stated. Since Tactic Support cannot directly log into your organization's IdP Admin Portal, it can sometimes prove difficult to troubleshoot any errors afterwards. If you are unsuccessful with setting up your SSO connection to your enterprise Tactic Account, please reach out to our dedicated Support Team directly via Support@gettactic.com so we can help you clear the established SSO connection and you can attempt the setup process again.
💡 Note: Common email addresses with domains ending in gmail.com, yahoo.com, hotmail.com, etc. will not work with Tactic SSO. The selected domains must be owned by your organization.
💡 Note: If you do not see your provider, don’t worry. You may still be able to set up SSO via the “Custom SAML” or “Custom OIDC” options at the bottom of the IdP provider list. You will need to check if your provider allows for generic SAML or OpenID Connect connections. If so, you can use those options.
Post-Setup Validation and Support
Now that SSO is all set up, any user who attempts to log in to Tactic using a company-provided email address will be redirected to authenticate with your enterprise authentication provider. Once successfully authenticated, they will be logged into your organization's enterprise Tactic account.
At this point, you may want to:
- Test the login experience with a few colleagues from your organization.
- Log in to your IdP Admin Console to confirm successful login session attempts.
As always, if you run into any issues during setup or testing, please contact our Support Team via Support@gettactic.com.
Just-In-Time (JIT) Account Creation
Tactic supports Just-In-Time (JIT) account creation by default. When a user authenticates through SSO for the first time, Tactic automatically provisions an account for them.
If your organization requires tighter provisioning controls, contact support@gettactic.com to disable JIT.
Frequently Asked Questions
What SSO systems does Tactic integrate with?
We're always adding to the list but currently the list includes:
- AD FS SAML (Active Directory Federation Services)
- ADP OIDC
- Auth0 SAML
- Azure SAML
- CAS SAML
- ClassLink SAML
- Cloudflare SAML
- CyberArk SAML
- Duo SAML
- SAML (Generic)
- Google OAuth
- Google SAML
- JumpCloud SAML
- Keycloak SAML
- Microsoft OAuth
- miniOrange SAML
- NetIQ SAML
- Okta SAML
- OneLogin SAML
- Oracle SAML
- PingFederate SAML
- PingOne SAML
- SimpleSAML.php
- Salesforce SAML
- VMware SAML
What if my SSO provider is not on the list?
Please send an email to support@gettactic.com so we can get it added to our product roadmap! Also, that's why the "SAML (Generic)" option is on the list. If your provider has a SAML option, you can use the generic setup and it still should work. If you're seeing any funny business, again please reach out and someone on our team will try to help.
What if a user’s Tactic account has not been created yet and they try to log in?
As long as SSO JIT is enabled and the user is configured within your SSO provider to have access to Tactic, an account will be created during the process of their first login. All of the data that your SSO provider gives to Tactic during this login process (e.g., name, email address) will be used to populate their account.
Can I use SSO instead of / without Directory Sync in Tactic?
Single Sign-On and Directory Sync are different features that can be purchased and used separately, but we strongly recommend using them together. SSO used separately means that users will be redirected to your enterprise identity provider to authenticate.
The downside is that many data attributes will not be passed automatically to Tactic, and any data attributes that are passed will only be updated each time a user is forced to manually log in. If they check the “Remember me” box when logging in, that could be quite some time.
Directory Sync is especially important if you are relying upon Tactic for features like desk, meeting room, or zone assignments being made to specific teams or users. Without pre-created user accounts and accurate team assignments, assignment to specific resources within Tactic will be impossible to achieve accurately.
Can I use Directory Sync without or instead of SSO?
Yes, though we typically discourage it. The onboarding process especially can be a little tricky for users since they'll need to receive an invite email, allowing them to create a password and essentially "claim" their pre-created account.
What if I don’t want SSO JIT enabled?
Not a problem. Send an email to support@gettactic.com and we will manually deactivate the feature for your account.