One Login's logo

OneLogin SSO Setup Guide

A guide for Tuple customers who want to use SAML SSO with OneLogin as the Identity Provider.

Important:

Email addresses for users in OneLogin and on Tuple must match exactly. For example, dev+tuple@company.com will not match dev@company.com. Please ensure your team's email addresses are correct before we enable the SSO integration.

Overview

  1. Create SAML SSO Connector
  2. Configure Tuple's required metadata
  3. Attach required Tuple parameters to SSO response
  4. Download X.509 certificate and set up SAML in Tuple using your metadata

Step 1 - Creating SAML Connector

After signing in or creating your OneLogin account you'll need to add a new SAML SSO application. Click on Applications > Applications in the top navigation bar.

Add SSO SAML App

In the search field, enter: SAML Test and select the SAML Test Connector (Advanced) from the results.

Locate App From Search

Fill in any required metadata, upload company logos you'd like to use, and save the new application.

SAML Metadata

Step 2 - Configure Tuple's Metadata

After saving, click on Configuration in the left-hand sidebar.

Tuple Metadata

Fill in all the fields circled in red.

Audience (EntityID)
https://production.tuple.app/users/saml/metadata
Recipient
https://production.tuple.app/users/saml/auth
ACS (Consumer) URL Validator*
https:\/\/production.tuple.app\/users\/saml\/auth
ACS (Consumer) URL*
https://production.tuple.app/users/saml/auth
Login URL
https://production.tuple.app

Step 3 - Attach Required Parameters

Next, head to the Parameters section in the side bar and find the plus button to add new fields.

These fields will be sent along in the SSO response. There are three fields that Tuple requires in order to work: email, first_name, and last_name.

Add User Parameters

When adding these new fields, ensure that the checkbox Include in SAML Assertion is checked.

Check assertion

Repeat for first_name and last_name.

Adding First Name

Once you're finished with adding the required parameters the screen should look like:

All Required Tuple Params

Step 4 - Enable SAML in Tuple using your metadata

Next, you'll download your X.509 certificate.

To download your certificate click on SSO in the sidebar and find the link to View Details:

View certificate

Click on Download. You'll need to upload this in Tuple shortly.

Download certificate

Finally, return back to the SSO screen and locate the Issuer URL and SAML 2.0 Endpoint (HTTP).

Entity ID and auth URL

Navigate to the Settings tab of the team management dashboard. Note: Only Team Owners have access to this page, so you will need to be Team Owner to access this page. If you need to find out who the Team Owner for your team is, view your profile.

Toggle to Enable SAML, and the configuration form will be revealed:

Create Tuple configuration

Fill in the values with your metadata:

  • IdP entity ID - your Issuer URL (Entity ID)
  • IdP authentication URL - your SAML 2.0 Endpoint (HTTP) (authentication URL)
  • Certificate - the downloaded certificate file

Press "Save Configuration" to turn on SAML for your team. Once SAML is enabled, any active Tuple sessions will persist, but any new logins will be forced to authenticate using OneLogin. Log in here to verify that it's working.