# Okta

> How to configure SAML SSO with Okta for your Tuple team

export const provider_1 = "Okta"

export const children_0 = undefined

export const provider_0 = "Okta"

This guide walks through configuring SAML SSO with Okta as your identity provider.

<Info>
  Email addresses in {provider_0} and Tuple must match exactly. For example, `dev+tuple@company.com` does not match `dev@company.com`. Verify your team's email addresses before enabling SSO.
</Info>

<Steps>
  <Step title="Create a SAML app">
    After signing in to your Okta account, click **Applications** in the navigation bar and then click **Create App Integration**.

    <img src="https://mintcdn.com/tuple-0f82e5be/mvUxndXY5Na4FaZB/images/team-management/sso/okta/create-app-integration-1.png?fit=max&auto=format&n=mvUxndXY5Na4FaZB&q=85&s=4e576384a3306821438b7b654afbb65b" alt="Create App Integration" width="1299" height="553" data-path="images/team-management/sso/okta/create-app-integration-1.png" />

    Select **SAML 2.0** as the sign-in method.

    <img src="https://mintcdn.com/tuple-0f82e5be/mvUxndXY5Na4FaZB/images/team-management/sso/okta/create-app-integration-2.png?fit=max&auto=format&n=mvUxndXY5Na4FaZB&q=85&s=603863b66a24db235abf242e336e7c94" alt="Select SAML 2.0 sign-in method" width="979" height="625" data-path="images/team-management/sso/okta/create-app-integration-2.png" />
  </Step>

  <Step title="Configure the app">
    Name the app "Tuple" and upload an icon, which you can [download here](https://s3.wasabisys.com/tuple/images/tuple-sso.png).

    <img src="https://mintcdn.com/tuple-0f82e5be/mvUxndXY5Na4FaZB/images/team-management/sso/okta/create-saml-integration-1.png?fit=max&auto=format&n=mvUxndXY5Na4FaZB&q=85&s=8b5faeeaf3982e1f17b02cbb830f6af2" alt="General Settings" width="798" height="600" data-path="images/team-management/sso/okta/create-saml-integration-1.png" />

    Fill in the following fields:

    <img src="https://mintcdn.com/tuple-0f82e5be/mvUxndXY5Na4FaZB/images/team-management/sso/okta/create-saml-integration-2.png?fit=max&auto=format&n=mvUxndXY5Na4FaZB&q=85&s=dd8c6170de4f859ffd6594e5a0bad830" alt="Configure SAML" width="918" height="1040" data-path="images/team-management/sso/okta/create-saml-integration-2.png" />

    **Single sign on URL**

    ```
    https://production.tuple.app/users/saml/auth
    ```

    **Audience URI (SP Entity ID)**

    ```
    https://production.tuple.app/users/saml/metadata
    ```

    There are three additional attributes that Tuple requires: `email`, `first_name`, and `last_name`.
  </Step>

  <Step title="Set up SAML in Tuple">
    After finishing the install wizard, click **View SAML Setup Instructions** on the Sign On tab.

    <img src="https://mintcdn.com/tuple-0f82e5be/mvUxndXY5Na4FaZB/images/team-management/sso/okta/saml-configuration-1.png?fit=max&auto=format&n=mvUxndXY5Na4FaZB&q=85&s=b84a8cbff5d09957f7fa47fa654a8f5a" alt="View Setup Instructions" width="1830" height="1710" data-path="images/team-management/sso/okta/saml-configuration-1.png" />

    This provides the metadata needed to configure SAML in Tuple:

    * Identity Provider Single Sign-On URL
    * Identity Provider Issuer URL
    * Downloaded certificate file

    <img src="https://mintcdn.com/tuple-0f82e5be/mvUxndXY5Na4FaZB/images/team-management/sso/okta/saml-configuration-2.png?fit=max&auto=format&n=mvUxndXY5Na4FaZB&q=85&s=6ea6373789f5b9b1f4a69d535ff3a13b" alt="View certificate" width="698" height="871" data-path="images/team-management/sso/okta/saml-configuration-2.png" />

    Navigate to the **Settings** tab of the [team management dashboard](https://production.tuple.app/team_management/settings).

    <Info>
      Only [team owners](/team-management/team-owner-and-managers) can enable SAML. To find out who your team owner is, check [your profile](https://production.tuple.app/profile#team).
    </Info>

    Under **Sign-in methods**, set **Required Authentication Provider** to **SAML SSO**. The **Update SAML Configuration** form appears:

    <img src="https://mintcdn.com/tuple-0f82e5be/DYhTWyURiIllHPbV/images/team-management/sso/update-configuration.png?fit=max&auto=format&n=DYhTWyURiIllHPbV&q=85&s=e70c9481be3de1a3c3fca8b4ab6b71a4" alt="SAML configuration form in Tuple" width="1338" height="1163" data-path="images/team-management/sso/update-configuration.png" />

    Fill in the values with your {provider_1} metadata:

    {children_0}

    Select the **Email Domain** that SAML should apply to. Only domains with confirmed team members are available.

    Click **Save as draft**. Your draft is saved as a **Pending Update** alongside your current sign-in method, so no one on your team is affected yet.

    <img src="https://mintcdn.com/tuple-0f82e5be/DYhTWyURiIllHPbV/images/team-management/sso/pending-update.png?fit=max&auto=format&n=DYhTWyURiIllHPbV&q=85&s=3cd1871de2b84121fb99798a48d7acd0" alt="Pending SAML update showing Test and Publish actions" width="1190" height="835" data-path="images/team-management/sso/pending-update.png" />

    Click **Test** to verify the configuration end-to-end. Tuple signs you in through {provider_1} so you can confirm that authentication succeeds before the change affects anyone else on your team.

    Once the test succeeds, click **Publish** to make the configuration live. Active Tuple sessions persist, but new sign-ins are routed through {provider_1}.

    Use **Edit** to tweak the draft, or **Discard** to throw it away without publishing.
  </Step>
</Steps>
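
If the **Test** sign-in fails, the following added example (not part of Tuple's documentation) checks a base64-decoded SAML response captured from your own test sign-in against the values in this guide: the single sign on URL, the Audience URI, the three required attributes, and the exact email match. The sample response is constructed, the function name and the comparison against the `email` attribute are assumptions, and the check covers configuration only, not the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Values from the "Configure the app" step of this guide.
ACS_URL = "https://production.tuple.app/users/saml/auth"
SP_ENTITY_ID = "https://production.tuple.app/users/saml/metadata"
REQUIRED_ATTRS = ("email", "first_name", "last_name")

# Constructed sample (not real Okta output): last_name is not mapped and the
# email carries a +tuple tag that the Tuple account does not have.
SAMPLE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{ACS_URL}">
  <saml:Assertion>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>dev+tuple@company.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="first_name"><saml:AttributeValue>Dev</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, tuple_emails):
    """List configuration problems in a decoded SAML response (signature is NOT verified)."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append("Destination is not the single sign on URL")
    audiences = [(a.text or "").strip() for a in root.iterfind(".//saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        problems.append("Audience is not the SP Entity ID")
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = (attr.findtext("saml:AttributeValue", "", NS) or "").strip()
    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            problems.append(f"missing attribute: {name}")
    email = attrs.get("email", "")
    if email and email not in tuple_emails:  # exact string match, per the note above
        problems.append(f"no exact email match in Tuple: {email}")
    return problems


if __name__ == "__main__":
    for problem in check_response(SAMPLE, {"dev@company.com"}):
        print(problem)
```
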

## SCIM provisioning

Okta supports automated user provisioning via SCIM. See [SCIM provisioning with Okta](/team-management/scim-okta) for setup instructions.
