Enable SSO for Tanda

Purpose

Tanda offers single sign-on via SAML integration with Practice Protect. This provides a seamless login experience to the Tanda platform using IdP-initiated SSO.

Practice Protect will configure this on your behalf. Please send us an email at support@practiceprotect.com

Prerequisites

• Must be on either Workforce Success or Enterprise Plan
• Active Tanda account with administrator rights for your organization (Note: this can be your account so you don’t have to pay and create for another license account)
• Admin Access to Practice Protect
• Tanda Username/Email for staff should match the login names in Practice Protect.

Instructions

1. Login to your Practice Protect and switch to Admin portal (ex. mydomain.practiceprotect.app)
2. On Core Services, Click on Roles > Add Roles. Create a role and set the name field to Tanda SSO Users. Then Save.
3. With the created role, click on Members > Add. Add each user that will have access to the app. Then Save.
4. From the Apps & Widgets, go to Web Apps section. Then, choose Add Web Apps on the top right corner.
5. Select Custom then next to SAML click Add.
6. On Settings, set name as Tanda SSO and select Save. You can also set category and logo.
7. Click on Trust > under Identity Provider Configuration select Metadata. Select on Signing Certificate then Download. Keep the file as this will be needed for the next steps.
8. Copy both IdP Entity ID / Issuer and Single Sign On URL. Put it on Notepad temporarily then hit Save. 
9. On the Service Provider Configuration, select Manual configuration.
10. Copy and paste the following details below:
    • SP Entity ID / Issuer / Audience – https://my.tanda.co
    • Assertion Consumer Service (ACS) URL – https://my.tanda.co/users/auth/saml/callback
11. Sign Response or Assertion: Choose both
12.  Click Save.
13. Login to Tanda using the Admin Account.
14. Click on Settings and pick Integrations.
15. Choose Single Sign On > Click New SSO Settings > SAML.
16. On the SAML Configuration settings, follow the below setup:
    • Identity Provider Issuer – Paste the IdP Entity ID / Issuer URL you copied from Step 8.
    • IdP SSO Target URL –  Paste the Single Sign On URL you copied from Step 8.
    • SAML assertion subject: Choose Email
    • Authentication Method. Choose Password and SSO Authentication.  This will temporarily let users be able to sign in using SSO or Password to avoid issues while setting up SSO.
    • Certificate: Upload the certificate file downloaded from Step 7.
17. Click Add SAML settings.

Enable and Enforce Tanda SSO

1. Return to the Tanda SSO app in Practice Protect and go to Permissions. Add the role we created in an earlier step to the permissions page (e.g. Tanda SSO Users) and click Save.
2. Test user by signing in to Tanda login. Once you type the username, the system will know that SSO (Single sign-on is enabled). Click Log in with SSO. If should redirect you to Practice Protect Portal if you’re not signed in yet.
3. Once the SSO is working, go back to Tanda > Settings > Integrations > Single Sign On > Click the SSO configuration on the list
4. On the SAML Configuration, change the Authentication method to SSO Only Authentication then Click Update SAML Settings. This enforces users to only sign in via SSO.
5. Tanda SSO Integration is now completed. Please use Tanda SSO app on your Practice Protect User Portal to automatically sign in to the app.