This guide walks through configuring SAML SSO with OneLogin as your identity provider.
Email addresses in OneLogin and Tuple must match exactly. For example, dev+tuple@company.com does not match dev@company.com. Verify your team’s email addresses before enabling SSO.
1

Create a SAML connector

After signing in to your OneLogin account, click Applications > Applications in the top navigation bar.
In the search field, enter SAML Test and select SAML Test Connector (Advanced) from the results.
Fill in any required metadata, upload company logos, and save the new application.
2

Configure Tuple's metadata

After saving, click Configuration in the left-hand sidebar.
Fill in the following fields:
Audience (EntityID)
https://production.tuple.app/users/saml/metadata
Recipient
https://production.tuple.app/users/saml/auth
ACS (Consumer) URL Validator
https:\/\/production.tuple.app\/users\/saml\/auth
ACS (Consumer) URL
https://production.tuple.app/users/saml/auth
Login URL
https://production.tuple.app
3

Attach required parameters

Navigate to the Parameters section in the sidebar and click the plus button to add new fields.
Tuple requires three fields in the SSO response: email, first_name, and last_name.
When adding each field, check the Include in SAML Assertion checkbox.
Repeat for first_name and last_name.
Once all required parameters are added, the screen looks like this: (screenshot: All Required Tuple Params)
4

Enable SAML in Tuple

Download your X.509 certificate. Click SSO in the sidebar and find the View Details link.
Click Download to save the certificate file.
Return to the SSO screen and locate the Issuer URL and SAML 2.0 Endpoint (HTTP).
Navigate to the Settings tab of the team management dashboard.
Only team owners can enable SAML. To find out who your team owner is, check your profile.
Under Sign-in methods, set Required Authentication Provider to SAML SSO. The Update SAML Configuration form appears.
Fill in the values with your metadata.
Select the Email Domain that SAML should apply to. Only domains with confirmed team members are available.
Click Save as draft. Your draft is saved as a Pending Update alongside your current sign-in method, so no one on your team is affected yet.
Click Test to verify the configuration end-to-end. Tuple signs you in through OneLogin so you can confirm that authentication succeeds before the change affects anyone else on your team.
Once the test succeeds, click Publish to make the configuration live. Active Tuple sessions persist, but new sign-ins are routed through OneLogin.
Use Edit to tweak the draft, or Discard to throw it away without publishing.
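If the Test step fails, a check like the following can be run on the base64 SAMLResponse form field your browser posts to the ACS URL. It is an added example, not Tuple's or OneLogin's code, and it confirms that the assertion carries the Audience, Recipient and three attributes configured in this guide. The function names and the sample response are constructed for illustration, and an unencrypted assertion is assumed.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Values from the Configuration and Parameters steps of this guide.
AUDIENCE = "https://production.tuple.app/users/saml/metadata"
RECIPIENT = "https://production.tuple.app/users/saml/auth"
REQUIRED = ("email", "first_name", "last_name")

def check_saml_response(b64_response):
    """List configuration problems in a base64 SAMLResponse (hypothetical helper)."""
    # Configuration check only: the XML signature is NOT verified here, so this
    # must never be used to decide whether a login is authentic.
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plaintext saml:Assertion found (missing or encrypted)"]
    problems = []
    audiences = [a.text.strip() for a in assertion.iterfind(".//saml:Audience", NS) if a.text]
    if AUDIENCE not in audiences:
        problems.append(f"Audience {audiences} does not include {AUDIENCE}")
    recipients = [d.get("Recipient") for d in
                  assertion.iterfind(".//saml:SubjectConfirmationData", NS)]
    if RECIPIENT not in recipients:
        problems.append(f"Recipient {recipients} does not include {RECIPIENT}")
    values = {a.get("Name"): (a.findtext("saml:AttributeValue", "", NS) or "").strip()
              for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    problems += [f"attribute '{n}' is missing or empty" for n in REQUIRED if not values.get(n)]
    return problems

def constructed_response(attributes, audience=AUDIENCE):
    """Build a constructed, unsigned sample response (made-up data, demo only)."""
    attrs = "".join(
        f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for k, v in attributes.items())
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
           f'<saml:Assertion><saml:Subject><saml:SubjectConfirmation>'
           f'<saml:SubjectConfirmationData Recipient="{RECIPIENT}"/>'
           f'</saml:SubjectConfirmation></saml:Subject><saml:Conditions>'
           f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
           f'</saml:AudienceRestriction></saml:Conditions>'
           f'<saml:AttributeStatement>{attrs}</saml:AttributeStatement>'
           f'</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    # Constructed sample in which the last_name parameter was never added.
    sample = constructed_response({"email": "dev@company.com", "first_name": "Dev"})
    print(check_saml_response(sample))
```

An empty result means the assertion matches what this guide configures; each reported problem points back to the Configuration or Parameters step that needs correcting.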