Single Sign-On (SSO)
Troi supports SSO using the Security Assertion Markup Language (SAML) 2.0 standard, an open standard for exchanging authentication and authorization data between parties. This provides a high level of security and significantly simplifies user access.
Troi acts as the Service Provider (SP). Your organization provides the Identity Provider (IdP).
How SSO with Troi Works
The login flow is as follows:
The user tries to access Troi.
Troi redirects the login request to your IdP.
The IdP authenticates the user and returns a SAML response.
Troi reads this response, identifies the user, and logs them in – optionally assigning them to the right group.
Implementation Steps
Configure your IdP with the required attributes and (optionally) the user group, language, and client claims
Send us your SAML metadata file (metadata.xml), including the Entity ID, SSO URL, and certificate.
Provide a list of email addresses (as used in your IdP) for existing Troi users so we can convert local usernames to SSO accounts.
We schedule a short activation session to enable SSO and perform a live login test with you.
SAML Attributes Overview
Once you're ready to configure your IdP, you will need the following:
Attribute Name | Required | Transmitted data | Handling
---|---|---|---
General Attributes | | |
urn:oid:1.2.840.113549.1.9.1 | Yes | Email address | Used to set the Troi user's e-mail address and contact, as well as to generate the user name.
urn:oid:2.5.4.4 | Yes | Family name (surname) | Used to set the last name of the user.
urn:oid:2.5.4.42 | Yes | Given name (first name) | Used to set the first name of the user.
User groups | | |
troi:group | No | Group name or IDs (as array) | Used to assign the user to a user group.
Language | | |
urn:oid:2.16.840.1.113730.3.1.39 | No | Preferred language (as string) | Used to set the default language for the user and contact. Various formats are supported; see Accepted Formats below.
Clients | | |
troi:main_client | No | Main client of the user | Used to set the main client of the user.
troi:clients | No | Assigned clients of the user | Used to set clients assigned to the user.
Attributes & Handling
General Attributes
The email address (urn:oid:1.2.840.113549.1.9.1) is the unique user identifier. If a user does not exist yet in Troi, they will be automatically created on first login. No manual pre-creation of users is necessary, as long as the SAML login is successful and the required attributes are included.
If a user already exists in Troi with a local username, we will automatically update that account to use the email address from the SAML login. This switch is handled by us during the SSO activation. The old username will no longer be used after that.
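As an added illustration (not Troi's own code), the following Python reads the attributes Troi expects out of a SAML 2.0 assertion's AttributeStatement, keeps multi-valued claims such as troi:group as lists, and reports which required attributes are missing. The assertion is a constructed sample with made-up values; in a real Service Provider it would already have passed XML signature verification, which this snippet does not perform.

```python
import xml.etree.ElementTree as ET  # a production SP should parse IdP input with defusedxml

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names Troi reads, as listed in the attributes overview above.
ATTR_EMAIL = "urn:oid:1.2.840.113549.1.9.1"
ATTR_SURNAME = "urn:oid:2.5.4.4"
ATTR_GIVEN_NAME = "urn:oid:2.5.4.42"
ATTR_GROUP = "troi:group"
REQUIRED = (ATTR_EMAIL, ATTR_SURNAME, ATTR_GIVEN_NAME)

# Constructed sample assertion (made-up user and group IDs; Signature element omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.2.840.113549.1.9.1">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.4"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="troi:group">
      <saml:AttributeValue>00000000-0000-4000-8000-000000000001</saml:AttributeValue>
      <saml:AttributeValue>00000000-0000-4000-8000-000000000002</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def extract_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values]} from the assertion's AttributeStatement.

    Every AttributeValue is kept, so a group claim with several values (Entra's
    'All groups' option) comes back as a list in the order the IdP sent it.
    Only call this on an assertion whose signature has already been verified.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def missing_required(attrs: dict) -> list:
    """Names of required attributes that are absent or carry only empty values;
    Troi creates or logs in the user only when this list is empty."""
    return [name for name in REQUIRED if not any(attrs.get(name, []))]
```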
User groups
Troi supports automatic assignment of users to internal user groups during SSO login, based on identity provider attributes or fallback logic.
Supported Attributes
Troi uses the following attribute for group assignment:
troi:group: A string value that matches an internal user group’s SSO mapping (defined in the group settings)
Assignment Options
Option 1: Automatic Group Assignment
The Identity Provider (IdP) sends the troi:group claim during login. Troi attempts to match the received value to an internal user group mapping.
If a match is found, the user is automatically assigned to that group.
Example (Microsoft Entra): The attribute is set in "Attributes & Claims" with the name troi:group.
Option 2: Default Group Fallback
If the IdP does not send the troi:group attribute:
Troi assigns the user to a default user group.
This default group is configured within Troi.
Admins can manually reassign the user to a different group later if needed.
Language
The user's preferred language can be provided using the following SAML attribute:
urn:oid:2.16.840.1.113730.3.1.39 (commonly known as preferredLanguage in many identity systems)
Accepted Formats
To ensure compatibility, the following values are supported and automatically normalized:
German: de, de-de, de_de, ger, german, deutsch
English: en, en-us, en_us, en_gb, eng, english, englisch
French: fr, fr-fr, fr_fr, fre, french, französisch
Behavior
If no language is provided by the identity provider:
The language defined in the assigned client is used.
If that is not available either, the default language (German) is applied.
Clients
Troi supports SSO-based client assignment, similar to group-based assignment via troi:group.
Each client can be configured with:
A preferred language (used during login)
An SSO mapping key for automated assignment
Supported Attributes
Troi uses the following attributes for client assignment:
troi:main_client: A unique string matching a client’s SSO mapping key (defined in the client details).
troi:clients: Can be provided as either a comma-separated string, e.g. "troi1-mandant, troi2-mandant", or an array of strings, e.g. ["troi1-mandant", "troi2-mandant"] (same format as used for troi:group).
Behavior
If the identity provider provides no client assignment:
The user will be assigned to the default SSO client.
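The following Python, added here as an illustration and not Troi's own implementation, applies the handling rules from the User groups, Language and Clients sections to attributes already extracted from a verified assertion: it normalizes the accepted language spellings, falls back to the main client's language and then to German, maps troi:group to an internal group with the default-group fallback, and accepts troi:clients as either an array or a comma-separated string. The group mappings, client languages and default client are hypothetical settings assumed for the example; the input is a constructed sample.

```python
# Accepted language spellings (the Accepted Formats list above) mapped to a language code.
LANGUAGE_ALIASES = {
    "de": {"de", "de-de", "de_de", "ger", "german", "deutsch"},
    "en": {"en", "en-us", "en_us", "en_gb", "eng", "english", "englisch"},
    "fr": {"fr", "fr-fr", "fr_fr", "fre", "french", "französisch"},
}
DEFAULT_LANGUAGE = "de"  # Troi's documented last-resort default

# Hypothetical Troi-side settings, assumed for this example (not real Troi data):
GROUP_MAPPINGS = {"00000000-0000-4000-8000-000000000002": "Administrators"}  # SSO mapping -> group
DEFAULT_GROUP = "Employees"                                                   # default group fallback
CLIENT_LANGUAGES = {"troi1-mandant": "en", "troi2-mandant": None}            # per-client language
DEFAULT_CLIENT = "troi2-mandant"                                              # default SSO client

def normalize_language(value):
    """Map an accepted spelling to 'de', 'en' or 'fr'. Unknown or empty values give
    None and are then treated like 'no language provided' (an assumption)."""
    v = (value or "").strip().lower()
    return next((code for code, aliases in LANGUAGE_ALIASES.items() if v in aliases), None)

def parse_clients(values):
    """troi:clients: several AttributeValues (array) or one comma-separated string -> flat list."""
    keys = [part.strip() for v in values or [] for part in v.split(",")]
    return [k for k in keys if k]

def resolve_group(values):
    """First troi:group value that matches an SSO mapping wins; otherwise the default group."""
    return next((GROUP_MAPPINGS[v] for v in values or [] if v in GROUP_MAPPINGS), DEFAULT_GROUP)

def provision(attrs):
    """attrs: {SAML attribute name: [values]} taken from an already verified assertion."""
    main_client = (attrs.get("troi:main_client") or [DEFAULT_CLIENT])[0]
    language = normalize_language((attrs.get("urn:oid:2.16.840.1.113730.3.1.39") or [""])[0])
    if language is None:  # documented fallback: assigned client's language, then German
        language = CLIENT_LANGUAGES.get(main_client) or DEFAULT_LANGUAGE
    return {
        "email": attrs["urn:oid:1.2.840.113549.1.9.1"][0],
        "group": resolve_group(attrs.get("troi:group")),
        "language": language,
        "main_client": main_client,
        "clients": parse_clients(attrs.get("troi:clients")),
    }

# Constructed sample: two group IDs (only the second is mapped), language "Deutsch", no main client.
SAMPLE_ATTRS = {
    "urn:oid:1.2.840.113549.1.9.1": ["jane.doe@example.com"],
    "troi:group": ["00000000-0000-4000-8000-000000000001", "00000000-0000-4000-8000-000000000002"],
    "urn:oid:2.16.840.1.113730.3.1.39": ["Deutsch"],
    "troi:clients": ["troi1-mandant, troi2-mandant"],
}
```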
FAQ
Once SSO has been activated – can direct Troi accounts still be used in parallel?
No. When SSO is activated, direct Troi accounts can no longer be used.
SSO is an either/or system, meaning you either use SSO or direct Troi accounts – but not both at the same time.
Setup Examples
The following examples do not include the language and clients attributes/claims, as their configuration varies significantly depending on the identity provider.
Some providers have a built-in preferred language property, similar to how an email address (e.g. urn:oid:1.2.840.113549.1.9.1) is defined as a user property. In such cases, the language can be configured in a similar way.
Other providers do not offer this option, and the attribute must be assigned as a custom user attribute instead.
The same applies to troi:main_client and troi:clients, which may either be system properties or need to be defined manually per user depending on the provider's capabilities.
Setup on Microsoft Entra (Microsoft Azure)
Create the Application:
Application → Enterprise applications → New application → Create your own application
What's the name of your app? → Example: Troi SAML SSO
What are you looking to do with your application? → Integrate any other application you don't find in the gallery
Open the Application
Click on Properties
Enabled for users to sign-in? → Yes
Click on Single sign-on
Basic SAML Configuration
Identifier (Entity ID) → https://<domain>.troi.software
Reply URL → https://<domain>.troi.software/site/login.php?page=login&action=authenticatorExternal
Attributes & Claims
Add a group claim (optional):
Which groups associated with the user should be returned in the claim? → All groups
Source attribute → Group ID
Advanced options → Customize the Name of the group Claim → Name → troi:group
Add new claims:
Email Address
Name: urn:oid:1.2.840.113549.1.9.1
Namespace: empty
Source: Attribute
Source attribute: user.mail
Family Name
Name: urn:oid:2.5.4.4
Namespace: empty
Source: Attribute
Source attribute: user.surname
Given Name
Name: urn:oid:2.5.4.42
Namespace: empty
Source: Attribute
Source attribute: user.givenname
General
Ensure that users are granted access to the Troi application within Microsoft Entra. (API permissions)
Setup on Ping Identity
Connections → Applications → New Application
Web App
ACS URLs → https://<customer>.troi.software/site/login.php?page=login&action=authenticatorExternal
SIGNING KEY → Signing Algorithm → RSA_SHA256
Entity ID → https://<customer>.troi.software
SLO Binding → Post
Subject NameID Format → urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Save
Switch to Attribute Mappings
Add new ones:
troi:group → Group Names
urn:oid:1.2.840.113549.1.9.1 → EMail Address
urn:oid:2.5.4.4 → Family Name
urn:oid:2.5.4.42 → Given Name