Note: If your Tulip account is already using email/password combinations for login, see this separate guide for migrating your account to SAML.

Note: This feature is only available to "Account Owners" on "Enterprise" plans.

Your IT administrator can configure the way that users are defined within Tulip based on SAML attributes.

This guide will show you how to set up this mapping.

Two important notes to consider before setting up this mapping:

  1. Review this guide to understand the different types of roles in Tulip.
  2. If you would like operators to continue to log in with their badge ID, please speak to your Tulip representative.

Entering SAML Configuration Into Tulip

First, alert your Tulip representative that you would like to use SAML SSO. Then, the feature will be enabled on your account.

You will need to have the "Account Owner" role to set this up. Click your user profile in the top right of the screen, and select "Settings".

Then, select "SAML" from the list of options on the left.

Tulip will need a file with your SAML Identity Provider's metadata XML.

This should provide the following:

  • SSO Login URL
  • SSO Logout URL
  • Certificates (in PEM format)
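
A pre-flight check for the metadata file, as an added example that is not part of the original guide and is not Tulip's own code: it parses standard SAML 2.0 IdP metadata and reports which of the three items above are missing. The function names, `idp.example.com`, and the sample metadata are constructed for illustration; the sample deliberately omits the logout endpoint.

```python
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample: idp.example.com and the certificate body are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        Q09OU1RSVUNURUQtUExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJU
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Location="https://idp.example.com/sso"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def to_pem(b64_der):
    """Wrap the base64 body of ds:X509Certificate in PEM armor."""
    body = "".join(b64_der.split())
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


def check_idp_metadata(xml_text):
    """Extract the three items from IdP metadata and list what is missing."""
    if "<!DOCTYPE" in xml_text:  # refuse DTDs (entity-expansion risk)
        raise ValueError("metadata contains a DTD")
    idp = ET.fromstring(xml_text).find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        return {"problems": ["no IDPSSODescriptor element"]}
    sso = [e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)]
    slo = [e.get("Location") for e in idp.findall("md:SingleLogoutService", NS)]
    certs = [to_pem(c.text or "") for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use") in (None, "signing")  # no 'use' means both purposes
             for c in k.findall(".//ds:X509Certificate", NS)]
    problems = [msg for ok, msg in [
        (sso, "no SSO login URL"), (slo, "no SSO logout URL"),
        (certs, "no signing certificate"),
        (all(u and u.startswith("https://") for u in sso + slo), "non-HTTPS endpoint"),
    ] if not ok]
    return {"sso": sso, "slo": slo, "certs": certs, "problems": problems}


if __name__ == "__main__":
    print(check_idp_metadata(SAMPLE_METADATA)["problems"])
```

Metadata stores each certificate as bare base64, so `to_pem` adds the armor lines needed for the PEM form listed above.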

Setting Up Attribute Mapping

Next, you will set up the ways that different attributes from SAML connect to Tulip user attributes.

You must tie each of the following Tulip user fields to a SAML attribute:

  • Name
  • Email
  • Badge ID
  • Role

Then, you will enter specific values from the "Role" attribute in SAML, and map them to specific roles in Tulip.

Finally, you can configure the login button wording that is presented to users.

Testing the Configuration

After you have entered all the integration details, hit the "Save" button at the bottom.

Then, you can use the "Test SAML Authentication" tool at the top right of the screen to ensure that your setup works correctly.

When you press the "Authenticate" button, you will be able to attempt to log in with any SAML user's credentials.

If the login fails, any errors will be shown.

If the login succeeds, all details from that SAML user will be displayed on the right side of the screen.
