Skip to main content
This guide walks through configuring SAML SSO with Microsoft Entra ID (formerly Azure AD) as your identity provider.
Email addresses in and Tuple must match exactly. For example, dev+tuple@company.com does not match dev@company.com. Verify your team’s email addresses before enabling SSO.
1

Create an enterprise application

Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.Navigate to Identity > Applications > Enterprise applications and click New application. Then click Create your own application.Enter “Tuple” as the application name, select Integrate any other application you don’t find in the gallery (Non-gallery), and click Create.
2

Assign users

Before configuring SSO, assign the users who need access to Tuple. In your new Tuple application, go to Users and groups and add the users or groups that should have SSO access.
3

Configure SAML

In your Tuple application, navigate to Single sign-on in the left sidebar and select SAML as the sign-on method.SAML-based Sign-on configuration page in Microsoft Entra IDClick Edit on the Basic SAML Configuration card and fill in the following fields:Identifier (Entity ID)
https://production.tuple.app/users/saml/metadata
Reply URL (Assertion Consumer Service URL)
https://production.tuple.app/users/saml/auth
Click Save.
4

Configure attributes and claims

Click Edit on the Attributes & Claims card. Add two custom claims so Tuple receives the user’s first and last name.Click Add new claim and create each of the following:
NameSource attribute
first_nameuser.givenname
last_nameuser.surname
Leave the Namespace field empty for both claims.Tuple also reads email from the SAML response. The default claim for email address mapped to user.mail works automatically — no changes needed.
5

Set up SAML in Tuple

On the SAML Certificates card, download the Certificate (Base64) file.Then, in the Set up Tuple card, copy the following values:
  • Login URL — this is your IdP authentication URL
  • Microsoft Entra Identifier — this is your IdP entity ID
Navigate to the Settings tab of the team management dashboard.
Only team owners can enable SAML. To find out who your team owner is, check your profile.
Under Sign-in methods, set Required Authentication Provider to SAML SSO. The Update SAML Configuration form appears:SAML configuration form in TupleFill in the values with your metadata:Select the Email Domain that SAML should apply to. Only domains with confirmed team members are available.Click Save as draft. Your draft is saved as a Pending Update alongside your current sign-in method, so no one on your team is affected yet.Pending SAML update showing Test and Publish actionsClick Test to verify the configuration end-to-end. Tuple signs you in through so you can confirm that authentication succeeds before the change affects anyone else on your team.Once the test succeeds, click Publish to make the configuration live. Active Tuple sessions persist, but new sign-ins are routed through .Use Edit to tweak the draft, or Discard to throw it away without publishing.