--- title: "Set up SAML SSO" slug: "set-up-saml-sso" updated: 2026-04-28T16:56:23Z published: 2026-04-28T16:56:23Z --- > ## Documentation Index > Fetch the complete documentation index at: https://support.tulip.co/llms.txt > Use this file to discover all available pages before exploring further. # Set up SAML SSO *Learn how IT administrators can configure the integration between their IdP and Tulip to use SAML.* Who can use this feature Users on Professional plans and above. This guide will show you how to set up this mapping. Three important notes to consider before setting up this mapping: 1. Review our [guide on adding and managing users](https://support.tulip.co/docs/adding-users-and-managing-user-roles) to understand the different types of roles in Tulip. 2. To understand authorization and authentication methods supported by Tulip, please read the [Authorization and Access Control using SAML](https://support.tulip.co/docs/authorization-and-access-control-using-saml) guide. 3. If you would like operators to continue to log in with their badge ID, there is a toggle under the "Player" page in "Account Settings" to allow you to do this. **Tulip-created SAML certificates expire yearly**. Contact Tulip Support before the expiration date to rotate the certificate. ## Connecting your IdP via SAML (all instances) User permissions You will need to have the **Account Owner** role to set this up. 1. Click your user profile in the top right of the screen, and select **Settings**. ![](https://cdn.document360.io/7c6ff534-cad3-4fc8-9583-912c4016362f/Images/Documentation/How%20To%20Set%20Up%20SAML%20SSO%20on%20Your%20Tulip%20Account_218225278.png) 1. Select **SAML** from the list of options on the left. ![](https://cdn.document360.io/7c6ff534-cad3-4fc8-9583-912c4016362f/Images/Documentation/How%20To%20Set%20Up%20SAML%20SSO%20on%20Your%20Tulip%20Account_218225546.png) From here, you can enable the SAML feature. 1. Download our Metadata XML file and create the Tulip application in your Identity Provider. 2. Tulip can accept a Metadata XML from your provider, or you can manually provide the following: - SSO Login URL - SSO Logout URL - Certificates (in PEM format) To verify SAML responses, **the certificates for your IdP server must be in PEM format**. You can enter multiple certificates separated by blank lines. ### Set up user mapping Learn about authorization and access control using SAML [here](https://support.tulip.co/docs/authorization-and-access-control-using-saml). ### Test the configuration Use the **Test SAML Authentication** tool at the top right of the screen to ensure that your setup works correctly. This will ensure that at least one user can continue to log into the instance after the configuration has been saved. ![](https://cdn.document360.io/7c6ff534-cad3-4fc8-9583-912c4016362f/Images/Documentation/How%20To%20Set%20Up%20SAML%20SSO%20on%20Your%20Tulip%20Account_218268978.png) When you click **Authenticate**, you can try to log in with any SAML user's credentials. Any errors will be shown if the login fails. If the login succeeds, all details from that SAML user will be displayed on the right side of the screen. The nameID will be successfully mapped into Tulip, and this user will be able to log into Tulip with their IdP credentials going forward. After you have entered all the integration details, click **Save** button at the bottom. ## SAML SSO migration (existing instance only) *If you are already using email/password to authenticate users, here's how to switch.* In order to switch and keep existing user data, your account will need a user migration to SAML. Use the **Migration** tab at the top of the SAML page to ensure that all existing users can continue to use Tulip. ![image.png](https://cdn.document360.io/7c6ff534-cad3-4fc8-9583-912c4016362f/Images/Documentation/image%28717%29.png) There are two columns needed in this order: - The current user's email address that they use to sign into Tulip. - The SAML nameID of the user. While the format can be flexible, this must be a **unique** ID that will link a user’s Tulip account with their SAML account. Every user in Tulip **must** have a distinct nameID in SAML. SAML nameIDs are case-sensitive. Do not include any headers. Make sure that you have already confirmed and verified that SAML is working in Tulip, see [Testing Your SAML configuration](/r230/docs/how-to-set-up-saml-sso-on-your-tulip-account#testing-the-configuration). Make sure to turn off SAML once tested if you still need users to login with traditional email and password. After uploading your CSV, you will get feedback on which users were successfully mapped into Tulip. The ones that were successfully mapped will be able to log in with their SAML credentials immediately. If using **Azure**, please refer to Microsoft's [Tutorial for using MS Entra with Tulip](https://learn.microsoft.com/en-us/entra/identity/saas-apps/tulip-tutorial) to ensure the setup is correct for Name ID Format. For an Email Name ID format, the format setting on the IdP must be changed to **persistent**. ## Check your SAML logins over time On the **Users** page, you can see which users have successfully logged in with their SAML credentials. Use the **Status** column on the right side of the [Users page](/r230/docs/add-and-manage-users) to see each user's connection to your IdP. ![image.png](https://cdn.document360.io/7c6ff534-cad3-4fc8-9583-912c4016362f/Images/Documentation/image%28718%29.png) ## Further reading - [How SAML Impacts Different Tulip Features](/r230/docs/how-saml-integrates-with-different-tulip-features) --- Did you find what you were looking for? You can also head to [community.tulip.co](https://community.tulip.co/?utm_source=intercom&utm_medium=article-link&utm_campaign=all) to post your question or see if others have solved a similar topic! **Security Assertion Markup Language** **Security Assertion Markup Language** is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. Within Tulip, SAML can be used to authenticate **Users.** **Single Sign On** **Single sign-on** is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems. True single sign-on allows the user to log in once and access services without re-entering authentication factors