How To Set Up SAML SSO on Your Tulip Account
  • 12 Dec 2023
  • 4 Minutes to read
  • Contributors

How To Set Up SAML SSO on Your Tulip Account


Article summary

How To Set Up SAML SSO on Your Tulip Account

Here's how IT administrators can configure the integration between their IdP and Tulip.

Note

This feature is only available to users with the Account Owner role on "Professional" or "Enterprise" plans.

This guide will show you how to set up this mapping.

Two important notes to consider before setting up this mapping:

  1. Review this guide to understand the different types of roles in Tulip.
  2. To understand authorization and authentication methods supported by Tulip, please read this guide.
  3. If you would like operators to continue to log in with their badge ID, please speak to your Tulip representative.

Use SAML on a New Instance

Send a request to your Tulip Customer Success Manager that you would like to create a new instance with SAML. You should provide the following:

  • Instance name and URL
  • The name and email of the person from your organization who will log in and configure SAML

Tulip will create the instance and enable SAML.

The person responsible for configuration will receive an email to log into the instance, they will configure SAML as described here. They will configure the instance based on your access strategy, the two of which are defined below.

Ensure that you test access with users.

NOTE:

Once complete, the Account Owner needs to delete the user account of the person who configured SAML, as their account uses a Tulip username and password. If that person will be maintaining SAML for the future, they should be given Account Owner access and sign in with SAML for future configurations.

Tulip-created SAML certificates expire yearly. Tulip will reach out to notify your team 2 weeks in advance to rotate the certificate.

SAML SSO Migration (Existing Tulip Instance Only)

If you are already using email/password to authenticate users, here's how to switch.

In order to switch and keep existing user data, your account will need a user migration to SAML. A Tulip team member can help you with this migration. In order to make this switch, you will need to share a CSV file of users to be migrated.

There are two columns needed:

  • The SAML nameID of the user. While the format can be flexible, this must be a unique ID that will link a user’s Tulip account with their SAML account. Every user in Tulip must have a distinct nameID in SAML. This field is case sensitive.

  • The current user's email address that they use to sign into Tulip.

Make sure that you have already confirmed and verified that SAML is working in Tulip, see Testing Your SAML configuration. Make sure to turn off SAML once tested if you still need users to login.

Once you have a migration CSV and have confirmed SAML works, please speak to your Tulip rep to schedule your SAML migration. Once migrated, all users can begin logging in with SAML immediately.

Entering SAML Configuration Into Tulip (All Instances)

First, alert your Tulip representative that you would like to use SAML SSO. Then, the feature will be enabled on your account.

You will need to have the "Account Owner" role to set this up. Click your user profile in the top right of the screen, and select "Settings"

Then, select "SAML" from the list of options on the left.

From here, you are able to download our Metadata XML file and create the Tulip application in your Identity Provider.

Next, Tulip can accept a Metadata XML from your provider, or you can manually provide the following:

  • SSO Login URL
  • SSO Logout URL
  • Certificates (in PEM format)

Setting Up User Mapping

See this guide for more details.

Testing the Configuration

After you have entered all the integration details, hit the "Save" button at the bottom.

Then, you can use the "Test SAML Authentication" tool at the top right of the screen to ensure that your setup works correctly.

When you press the "Authenticate" button, you will be able to attempt to login with any SAML user's credentials.

Any errors will be shown if the login fails.

If the login succeeds, all details from that SAML user will be displayed on the right side of the screen.

Further Reading


Was this article helpful?