This guide outlines how to authenticate users using Single Sign-On (SSO) instead of password authentication.
Prerequisites
Users who were added with password authentication will retain the ability to log in with their password even after SSO is enabled. Both authentication methods will work unless you disable password authentication organization-wide.
Make sure you have:
- Admin access to your identity provider (Azure AD, Google, Okta, etc.)
- Admin permissions in Tekst
- Communication plan to inform users about the change
Step 1: Enable SSO for your organization
First, set up SSO authentication for your organization so users can log in with their work credentials:
- Navigate to Settings → SSO in your Tekst dashboard
- Click Create new SSO
- Select your identity provider and follow the setup guide:
- Complete the configuration and enable the SSO method
Once SSO is enabled, all users in your organization will see the SSO login option on the Tekst login page, even if they were originally added with password authentication.
Step 2: Communicate the change to users
Since Tekst doesn't automatically force users to switch authentication methods, you need to inform your team:
- Send an email to all users explaining that SSO is now available
- Provide clear instructions on how to log in with SSO:
- Go to your organization's Tekst login page (e.g.,
https://<yourcompany>.tekst.com) - Enter their work email address
- Click the SSO option (e.g., "Continue with Microsoft", "Continue with Google")
- Complete authentication through their identity provider
- Go to your organization's Tekst login page (e.g.,
- Let users know that their existing password will still work if they prefer
Create a short video or screenshot guide showing the new SSO login process. This helps users understand exactly what changed and reduces support requests.
Step 3: Verify users are using SSO
After enabling SSO, you can check which authentication methods your users are using:
- Navigate to Settings → Users
- Review the Authentication column in the members table
- Look for badges showing:
- "UPA" means the user is still using password authentication
- Provider names like "google", "microsoft", or "okta" indicate SSO usage
When a user logs in with SSO for the first time, their authentication methods are automatically updated to include the SSO provider. You'll see this reflected in the Authentication column.
Troubleshooting
| Symptom | Likely cause | Resolution |
|---|---|---|
| User doesn't see SSO option on login page | SSO method is not enabled in Tekst | Go to Settings → SSO and ensure the SSO method is enabled and configured correctly |
| User sees "SSO not configured" error | SSO metadata or certificates are incorrect | Review your SSO configuration and update the Federation Metadata XML or certificates |
| User can't log in with SSO on mobile | Certificate renewal or configuration issue | Check that your identity provider's certificates are current and properly configured in Tekst |
| Authentication column still shows "UPA" after user logged in with SSO | User hasn't actually logged in with SSO yet | Confirm the user is clicking the SSO button, not entering their password on the login page |
Limitations
- Admins cannot manually change a user's authentication method - it updates automatically when the user logs in
- Users added before SSO was enabled will retain password authentication unless they log in with SSO
- There is no bulk migration tool to force all users to SSO
- Both password and SSO authentication can coexist unless password authentication is explicitly disabled
Getting help
If you encounter issues switching users to SSO, collect the following information before contacting support:
- The email address of affected users
- The identity provider you're using (Azure AD, Google, Okta, etc.)
- Screenshots of any error messages
- Whether the SSO configuration was recently changed
- Confirmation that SSO is enabled in Settings → SSO