One Login's logo

Okta SSO Setup Guide

A guide for Tuple customers who want to use SAML SSO with Okta as the Identity Provider.

Overview

  1. Create SAML SSO App
  2. Configure Tuple's required metadata
  3. Attach required Tuple parameters to SSO response
  4. Download X.509 certificate and send Tuple your metadata

Step 1 - Creating SAML SSO App

After signing in or creating your Okta account you'll need to add a new SAML SSO application. Click on Applications in the top navigation bar and then the 'Create New App' button.

Add SSO SAML App

Select Web as the platform and check the SAML 2.0 radio button.

Locate App From Search

Fill in any required metadata, upload company logos you'd like to use, and save the new application. Here is a link to our logo you can use.

SAML Metadata

Click 'Next' at the bottom right to start filling out Tuples required metadata.

Step 2 - Configure Tuple's Metadata

Fill in all the required fields like you see below:

Tuple Metadata
Single sign on URL
https://production.tuple.app/users/saml/auth
Audience URI (SP Entity ID)
https://production.tuple.app/users/saml/metadata
Default RelayState
https://production.tuple.app

Next, head to the Attribute Statements section to add our required fields.

These fields will be sent along in the SSO response. There are three fields that Tuple requires in order to work: email, first_name, and last_name.

Step 4 - Send Tuple Metadata

After finishing the install wizard, click on the Sign On tab and then View Setup Instructions

View certificate

Draft a new email to support@tuple.app and attach the downloaded certificate. Paste your Identity Provider Issuer (Entity ID) and Identity Provider Single Sign-On URL (authentication URL) into the body of the email. If you want to automate user priovisioning using SCIM (see below) not that here so we can issue credentials.

View certificate

Step 5 - Enable SCIM Provisioning (optional)

Enable System for Cross-domain Identity Management (SCIM) to automatically provision/deprovision user accounts and update profiles in Tuple when updated in Okta.

Your Okta app must be configured at creation time to use SCIM. If you have an existing app you'd like to use SCIM with, please contact Okta Support.

In "General", set Provisioning to "SCIM":

Setup SCIM
              Provisioning

In "Provisioning", configure with the following values:

Configure SCIM
SCIM connector base URL
https://production.tuple.app/scim/v2
Unique identifier field for users
email

Enable the features you'd like to use. Note that Tuple does not current support Groups.

For authorization, use the credentials sent to you after Step 4, or contact support@tuple.app

In "Provisioning", enable each feature in the direction from Okta -> Tuple

Enable SCIM Features