Tuple supports SAML Single Sign-On as part of the Standard and Enterprise plans. SSO lets your team authenticate through your identity provider instead of managing separate Tuple credentials.

Provider-specific guides

Okta

Includes optional SCIM provisioning

Google Workspace

Google Admin console setup

Microsoft Entra ID

Formerly Azure AD

OneLogin

SAML Test Connector setup

General SSO setup

If your identity provider is not listed above, you can configure SAML SSO manually using the values below.
Email addresses in your identity provider and Tuple must match exactly. For example, dev+tuple@company.com does not match dev@company.com. Verify your team’s email addresses before enabling SSO.

What you need from your identity provider

  • Your SSO IdP Entity ID
  • Your SSO target URL that performs authentication
  • Your auth certificate or its SHA1 fingerprint
  • Attributes that include first_name, last_name, and email

Tuple’s SAML endpoints

Field                                  Value
Entity ID                              https://production.tuple.app/users/saml/metadata
Assertion Consumer Service (ACS) URL   https://production.tuple.app/users/saml/auth

Enable SAML in Tuple

Navigate to the Settings tab of the team management dashboard.
Only team owners can enable SAML. To find out who your team owner is, check your profile.
Under Sign-in methods, set Required Authentication Provider to SAML SSO. The Update SAML Configuration form appears.
[Image: SAML configuration form in Tuple]
Fill in the values with your metadata:
Select the Email Domain that SAML should apply to. Only domains with confirmed team members are available.
Click Save as draft. Your draft is saved as a Pending Update alongside your current sign-in method, so no one on your team is affected yet.
[Image: Pending SAML update showing Test and Publish actions]
Click Test to verify the configuration end-to-end. Tuple signs you in through your identity provider so you can confirm that authentication succeeds before the change affects anyone else on your team.
Once the test succeeds, click Publish to make the configuration live. Active Tuple sessions persist, but new sign-ins are routed through your identity provider.
Use Edit to tweak the draft, or Discard to throw it away without publishing.

Managing your SAML configuration

Tuple keeps a single Active Configuration plus any Pending Update draft you’re working on. Changes are staged as drafts so you can test them before they affect the rest of your team.

Update an existing configuration

On the Settings tab of the team management dashboard, click Update configuration on the Active Configuration card. The Update SAML Configuration form opens pre-filled with your current values.
Leave the Certificate field empty to keep the existing certificate, or upload a new file to replace it. The current fingerprint is shown above the upload field.
Click Save as draft to create a Pending Update.
From there, Test the draft, then Publish it when you’re ready. You can also Edit the draft to make further changes, or Discard it to throw it away.

Archived configurations

When you publish a new SAML configuration, the previous one is automatically archived. Expand archived SAML configurations on the Settings tab to see past configurations:
[Image: Archived SAML configurations with Restore and Delete actions]
  • Restore — bring an archived configuration back so you can test and publish it again. This is useful if you need to roll back to a previous identity provider setup.
  • Delete — permanently remove an archived configuration.

Reference

The first time a user authenticates through your identity provider, Tuple provisions an account for them. If you are on a per-seat billing plan, billing begins for that seat immediately.
You can disable a user’s access in your identity provider, but deprovisioning their Tuple account (and stopping billing for that seat) must be done on the team management page by your team owner.
For automated provisioning, see SCIM provisioning.
Tuple has three roles: team owner, team manager, and user.
  • Team owners can manage team settings, add and remove users, promote managers, and update billing information.
  • Team managers can manage team settings, add and remove users, and promote other managers.
  • Users can make and receive calls and share team invite links.
See Team Owner and Managers for the full permissions breakdown.
Accounts provisioned through your identity provider are created as users. The team owner is typically the person who first created your team on Tuple. Contact support@tuple.app if you need to transfer ownership.
Email addresses in your identity provider and Tuple must match exactly. For example, dev+tuple@company.com does not match dev@company.com. Verify your team’s email addresses before enabling SSO.
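
One way to check the exact-match rule before enabling SSO, as an added example (not Tuple's code or tooling). It assumes you have exported both rosters as plain lists of addresses by hand; the function names and sample addresses are constructed for illustration, and case differences are flagged for review because this page does not say how case is treated.

```python
# Added example: pre-enablement audit for the exact-match email rule.
# Assumption: both rosters are plain address lists exported by hand.

def pairing_key(addr):
    """Lowercase the address and drop any +tag from the local part.

    Used only to pair likely counterparts for review, never to decide
    that two addresses match: the rule on this page is an exact match.
    """
    local, _, domain = addr.rpartition("@")
    return f"{local.split('+', 1)[0]}@{domain}".lower()

def audit(idp_emails, tuple_emails):
    """Classify addresses as exact matches, near misses, or one-sided."""
    idp = {e.strip() for e in idp_emails}      # strip export whitespace only
    tup = {e.strip() for e in tuple_emails}
    exact = idp & tup

    idp_by_key = {}
    for addr in idp - exact:
        idp_by_key.setdefault(pairing_key(addr), []).append(addr)

    near_miss, tuple_only, paired = [], [], set()
    for addr in sorted(tup - exact):
        key = pairing_key(addr)
        if key in idp_by_key:
            # Same person, different string: fix one side before enabling SSO.
            near_miss.append((addr, sorted(idp_by_key[key])))
            paired.add(key)
        else:
            tuple_only.append(addr)            # no counterpart in the IdP export
    idp_only = sorted(a for k, group in idp_by_key.items()
                      if k not in paired for a in group)
    return {"exact": sorted(exact), "near_miss": near_miss,
            "tuple_only": tuple_only, "idp_only": idp_only}

# Constructed sample rosters (not real accounts).
IDP_ROSTER = ["dev@company.com", "Ana.Silva@company.com",
              "lee@company.com", "new.hire@company.com"]
TUPLE_ROSTER = ["dev+tuple@company.com", "ana.silva@company.com",
                "lee@company.com", "contractor@company.com"]

if __name__ == "__main__":
    report = audit(IDP_ROSTER, TUPLE_ROSTER)
    for tuple_addr, idp_addrs in report["near_miss"]:
        print(f"FIX     {tuple_addr} (Tuple) vs {', '.join(idp_addrs)} (IdP)")
    for label in ("tuple_only", "idp_only"):
        for addr in report[label]:
            print(f"REVIEW  {addr} ({label})")
```

Addresses reported as idp_only have no Tuple account yet; per the provisioning note above, each would be provisioned (and billed on per-seat plans) at first sign-in.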

Questions?

Email us and we’ll help you get set up.