Skip to main content
This guide walks through configuring SAML SSO with Okta as your identity provider.
Email addresses in and Tuple must match exactly. For example, dev+tuple@company.com does not match dev@company.com. Verify your team’s email addresses before enabling SSO.
1

Create a SAML app

After signing in to your Okta account, click Applications in the navigation bar and then click Create App Integration.Create App IntegrationSelect SAML 2.0 as the sign-in method.Select SAML 2.0 sign-in method
2

Configure the app

Name the app “Tuple” and upload an icon, which you can download here.General SettingsFill in the following fields:Configure SAMLSingle sign on URL
https://production.tuple.app/users/saml/auth
Audience URI (SP Entity ID)
https://production.tuple.app/users/saml/metadata
There are three additional attributes that Tuple requires: email, first_name, and last_name.
3

Set up SAML in Tuple

After finishing the install wizard, click View SAML Setup Instructions on the Sign On tab.View Setup InstructionsThis provides the metadata needed to configure SAML in Tuple:
  • Identity Provider Single Sign-On URL
  • Identity Provider Issuer URL
  • Downloaded certificate file View certificate
Navigate to the Settings tab of the team management dashboard.
Only team owners can enable SAML. To find out who your team owner is, check your profile.
Under Sign-in methods, set Required Authentication Provider to SAML SSO. The Update SAML Configuration form appears:SAML configuration form in TupleFill in the values with your metadata:Select the Email Domain that SAML should apply to. Only domains with confirmed team members are available.Click Save as draft. Your draft is saved as a Pending Update alongside your current sign-in method, so no one on your team is affected yet.Pending SAML update showing Test and Publish actionsClick Test to verify the configuration end-to-end. Tuple signs you in through so you can confirm that authentication succeeds before the change affects anyone else on your team.Once the test succeeds, click Publish to make the configuration live. Active Tuple sessions persist, but new sign-ins are routed through .Use Edit to tweak the draft, or Discard to throw it away without publishing.

SCIM provisioning

Okta supports automated user provisioning via SCIM. See SCIM provisioning with Okta for setup instructions.