There are multiple ways that a Tulip account can be configured to work with an external identity provider. These options are detailed on the Enterprise Authentication page.
If a Tulip account is configured by a Tulip engineer to utilize a SAML directory for both authentication and authorization of users (called SAML Control Mode), then a user with the Account Owner role will need to use this page to determine which SAML attributes will map to certain Tulip user properties.
This must be done before SAML users are able to successfully log in to Tulip.
This page can be accessed from:
Only users with "Account Owner" permissions can access this interface.
NOTE: SAML configuration settings are only available with samlConfigUI set to True.
Enable SAML Logins - When toggled, users will be prompted to log in through the SSO provider when authenticating.
Upload Identity Provider Metadata XML - Automatically fills the remaining fields based on a provider-supplied metadata file.
FIELD | DESCRIPTION |
---|---|
SSO Login URL | The URL for your IdP which users log in with. |
SSO Logout URL | The URL for your IdP which users log out with. |
Certificates | The certificates for your IdP server, used to verify SAML responses. Must be in PEM format. You may enter multiple certificates separated by blank lines. |
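The metadata upload described above fills the SSO Login URL, SSO Logout URL and Certificates fields. The following Python pre-check is an added example, not Tulip's code: it previews what an IdP metadata file offers for those fields before the file is uploaded. Which elements Tulip actually reads is an assumption here (the first SingleSignOnService and SingleLogoutService Location, plus certificates from signing KeyDescriptors), and the sample metadata, host names and certificate bytes are constructed.

```python
import base64
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample metadata: host names and certificate bytes are placeholders.
SAMPLE_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   QUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJDQUJD
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   REVGREVG</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Location="http://idp.example.test/slo"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  <md:SingleSignOnService Location="https://idp.example.test/sso"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

def to_pem(b64_text):
    body = "".join(b64_text.split())  # metadata may wrap or indent the base64
    if not base64.b64decode(body, validate=True):  # raises on non-base64 input
        raise ValueError("empty X509Certificate element")
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----"

def parse_idp_metadata(xml_text):
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD in metadata rejected")  # no entity definitions allowed
    idp = next(ET.fromstring(xml_text).iter(MD + "IDPSSODescriptor"), None)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not SAML IdP metadata")
    def loc(tag):
        return next((e.get("Location") for e in idp.findall(MD + tag)), None)
    # Per the SAML metadata spec, a KeyDescriptor without "use" serves signing too.
    pems = [to_pem(c.text or "") for kd in idp.findall(MD + "KeyDescriptor")
            if kd.get("use") in (None, "signing") for c in kd.iter(DS + "X509Certificate")]
    urls = {"sso_login_url": loc("SingleSignOnService"),
            "sso_logout_url": loc("SingleLogoutService")}
    warnings = [f"{k} is not HTTPS: {v}" for k, v in urls.items()
                if v and not v.lower().startswith("https://")]
    if not pems:
        warnings.append("no signing certificate found")
    return {**urls, "certificates": "\n\n".join(pems), "warnings": warnings}
```

The base64 check does not parse X.509, so compare the certificate fingerprints against values obtained from the IdP administrator before relying on them.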
Configure where and how users authenticate on your instance.
FIELD | DESCRIPTION |
---|---|
Authentication Context Class | The method by which users authenticate. You can read more about authentication context classes in the OASIS SAML Authentication Context Specification. Options: Enable Authentication Method Matching and Disable Authentication Method Matching |
Force Authentication | Whether or not to always require manual authentication in a given context. When in the "off" position, users may authenticate with an existing session. When in the "on" position, authentication will always require user interaction. Users can configure for Instance Login and Player registration, or Station Operator Login, or both. |
Configure how you want to map your SAML user attributes to Tulip user profile fields.
FIELD | DESCRIPTION |
---|---|
Name Attribute | The SAML attribute containing the user's display name. |
Email Attribute | The SAML attribute containing the user's email address. |
Badge Attribute | The SAML attribute containing the user's badge ID. |
Configure what level of access in Tulip users should be given based on their SAML attributes.
Options:
If Custom Role Mapping has been selected:
Configure which workspace users should be placed in based on their SAML attributes. Note: Users who are assigned the Account Owner role have access to all workspaces. These users are not required to have any workspace-mapping SAML attributes.
Options:
If Custom Role Workspace has been selected:
Restrict access to Tulip based on SAML attributes.
Options:
Options:
Login Button Label (Optional) - Label shown on the SAML login button on Tulip login pages.
ID | Name |
---|---|
QA-T292 | Settings SAML Config : 01 - Form shows an error when a non-SAML file is uploaded |
QA-T293 | Settings SAML Config : 02 - Form shows an error when a non-XML file is uploaded |
QA-T294 | Settings SAML Config : 03 - Upload IdP metadata file |
QA-T295 | Settings SAML Config : 04 - Configure SAML Settings |
QA-T298 | Settings SAML Config : 05 - Test Authentication |
QA-T1067 | Settings SAML Config : 06 / IdP Control Mode Setup |