SSO Configuration Overview

This topic provides instructions on configuring Single Sign-On (SSO) connections in the Domain Management section of Apptio Access Administration. SSO enhances user experience by allowing seamless access across multiple applications with a single set of credentials. Both SAML and OIDC connections are supported.

Process Overview

Your Access Administration SSO Admin works with your organization’s Identity Provider (IDP) team to create a new SSO service provider configuration using Apptio metadata provided in Frontdoor Domain Management.

Your SSO Admin creates a new SSO connection in Frontdoor Domain Management using their IDP’s metadata as instructed here.

Testing : Initially, we recommend the connection scope be limited to one or more test users via a usage rule until testing has verified it is working as expected. For more info, see Testing section.

1. Configure the following attributes while setting up the SAML SSO service provider configuration within your organization’s IDP using the metadata file available for download in Domain Management. To download the Frontdoor metadata, log into Domain Management as described in the Accessing the Domain Management Section and then select the Export SAML Metadata button.
   • Name attribute is required. This usually includes First and Last name.
   • Email attribute is required. Your email address is unique identifier.
   • Role attribute is optional. This contains Apptio roles that should be granted to you. Roles can be multi valued or single valued.
2. After the service provider connection is complete, obtain a copy of the SAML metadata XML file from your IDP.
3. Return to Domain Management and continue with setting up the connection as specified below.

Accessing the Domain Management Section

To access Domain Management you will need to have Admin or equivalent role. To make changes in Domain Management you will need to additionally have the SSO Admin role. Users with Admin or equivalent role can grant this access. For more information on managing environment access see Manage user access to environments

1. Login into your Apptio account.
2. In the top right corner select gear icon ( ) and select Access Administration and then select Domain Management
3. Select the authentication domain you want to configure from the dropdown menu. This will display domain details and existing SSO connections associated with that authentication domain.
4. In the Domain Details section, review the list of supported Email Domains to confirm that all your SSO users domains are listed. If required select Edit to make changes.

Refer the following to complete your SSO connections.

• How to configure SSO Connections
• User Provisioning and Role Mapping
• Persona Mapping & Usage Rules
• Testing the connections
• Appendix I - MS Entra configuration and Microsoft Entra Portal