How To Set Up SAML SSO on Your Tulip Account
Here's how IT administrators can configure the integration between their IdP and Tulip.
This feature is only available for Professional plans and above.
This guide will show you how to set up this mapping.
Three important notes to consider before setting up this mapping:
- Review this guide to understand the different types of roles in Tulip.
- To understand authorization and authentication methods supported by Tulip, please read this guide.
- If you would like operators to continue to log in with their badge ID, please speak to your Tulip representative.
Tulip-created SAML certificates expire yearly. Tulip will reach out to notify your team 2 weeks in advance to rotate the certificate.
Connecting your IdP via SAML (All Instances)
You will need to have the "Account Owner" role to set this up. Click your user profile in the top right of the screen, and select "Settings".
Then, select "SAML" from the list of options on the left.
From here, you are able to enable the SAML feature. Then, download our Metadata XML file and create the Tulip application in your Identity Provider.
Next, Tulip can accept a Metadata XML from your provider, or you can manually provide the following:
- SSO Login URL
- SSO Logout URL
- Certificates (in PEM format)
Setting Up User Mapping
See this guide for more details.
Testing the Configuration
Then, you can use the "Test SAML Authentication" tool at the top right of the screen to check that your setup works correctly. This confirms that at least one user can still log into the instance after the configuration has been saved.
When you press the "Authenticate" button, you will be able to attempt to log in with any SAML user's credentials.
Any errors will be shown if the login fails.
If the login succeeds, all details from that SAML user will be displayed on the right side of the screen. The nameID will be successfully mapped into Tulip, and this user will be able to log into Tulip with their IdP credentials going forward.
After you have entered all the integration details, hit the "Save" button at the bottom.
SAML SSO Migration (Existing Instance Only)
If you are already using email/password to authenticate users, here's how to switch.
In order to switch and keep existing user data, your account will need a user migration to SAML.
You can use the "Migration" tab at the top of the page to ensure that all existing users will be able to continue to use Tulip.
There are two columns needed:
- The SAML nameID of the user. While the format can be flexible, this must be a unique ID that will link a user’s Tulip account with their SAML account. Every user in Tulip must have a distinct nameID in SAML.
- The current user's email address that they use to sign into Tulip.
Make sure that you have already confirmed and verified that SAML is working in Tulip (see Testing the Configuration above). Turn SAML off again once tested if you still need users to log in with traditional email and password.
After uploading your CSV, you will get feedback on which users were successfully mapped into Tulip. The ones that were successfully mapped will be able to log in with their SAML credentials immediately.
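Before uploading, it is worth checking the CSV offline so that two Tulip accounts never share a nameID and no row maps to a malformed or duplicate email. The following validator is an added example, not Tulip's own tooling; the column header names `nameID` and `email` are an assumption, since the article only states that the file has those two columns, and the sample rows are constructed.

```python
import csv
import io
import re

# Assumed header names; the article only says the CSV has a nameID column and
# an email column. Adjust these to match the header your export actually uses.
NAMEID_COL = "nameID"
EMAIL_COL = "email"

# Deliberately loose: one '@', no whitespace, a dot in the domain part.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_migration_csv(text):
    """Return a list of problems found; an empty list means the file is safe to upload."""
    problems = []
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames is None or set(reader.fieldnames) != {NAMEID_COL, EMAIL_COL}:
        return [f"header must be exactly {NAMEID_COL},{EMAIL_COL}; got {reader.fieldnames}"]
    seen_nameid = {}  # nameID -> first row number it appeared on
    seen_email = {}   # email  -> first row number it appeared on
    for row_num, row in enumerate(reader, start=2):  # row 1 is the header
        # nameID is compared exactly: SAML nameIDs are matched as opaque strings.
        nameid = (row.get(NAMEID_COL) or "").strip()
        # Emails are compared case-insensitively to catch near-duplicates.
        email = (row.get(EMAIL_COL) or "").strip().lower()
        if not nameid:
            problems.append(f"row {row_num}: empty nameID")
        elif nameid in seen_nameid:
            problems.append(f"row {row_num}: nameID {nameid!r} already used on row {seen_nameid[nameid]}")
        else:
            seen_nameid[nameid] = row_num
        if not EMAIL_RE.match(email):
            problems.append(f"row {row_num}: invalid email {email!r}")
        elif email in seen_email:
            problems.append(f"row {row_num}: email {email!r} already used on row {seen_email[email]}")
        else:
            seen_email[email] = row_num
    return problems


# Constructed sample: rows 4, 5 and 6 each contain one defect.
SAMPLE_CSV = """nameID,email
a.lee@example.com,a.lee@example.com
b.chen@example.com,b.chen@example.com
a.lee@example.com,c.diaz@example.com
,d.park@example.com
e.kim@example.com,not-an-email
"""

if __name__ == "__main__":
    for problem in validate_migration_csv(SAMPLE_CSV):
        print(problem)
```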
If using Azure, please refer to the link here to ensure the setup is correct for Name ID Format. For an Email Name ID format, the format setting on the IdP must be changed to persistent.
Checking Your SAML Logins Over Time
On the Users page, you can see which users have successfully logged in with their SAML credentials.
Use the "Status" column on the right side of the Users page to see each user's connection to your IdP.