---
title: Single sign-on
url: https://www.tines.com/docs/admin/single-sign-on/
updated: 2026-05-14T14:27:49+00:00
---


# Single sign-on


We optionally support single sign-on (SSO) on all Tines tenants, paid and [Community Edition](https://www.tines.com/blog/announcing-the-tines-community-edition) alike.

This allows users on your Tines account to sign in with their existing account on your external identity provider.

## Enabling SSO

To turn SSO on for your tenant, open the settings center, choose "Authentication" under "Access & security", select an SSO option (SAML or OIDC), and follow the corresponding instructions below.

> **TIP:** Consider generating [recovery codes](/docs/admin/recovery-codes/) for your user before setting up SSO so that you can regain access to your account in case of configuration issues.

> **NOTE:** SSO only enables users to sign in, not sign up. Users must be invited to gain access or [automated user provisioning](/docs/admin/user-administration/user-provisioning/) must be enabled.

## Disabling SSO

> **NOTE:** You should notify your users before making this change. Any users who were previously using SSO will now need to log in via default methods (email links, Google SSO, or Microsoft SSO).

To disable SSO, open the Authentication settings UI and switch the authentication method back to "default" (tines.com), which restores the default sign-in methods listed above.

> **INFO:** If you are encountering an issue with your SSO on your self-hosted deployment of Tines and cannot access your tenant, please contact [support](https://www.tines.com/contact#support) to raise a priority request.

## SAML configuration

Setting up SSO via SAML requires two pieces of information from your external [SAML](https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language) identity provider (IdP):

1. The IdP's sign-in URL, to which we redirect users when they sign in.
2. Your IdP's X.509 public certificate. Alternatively you can supply a fingerprint, a digest of the certificate, which must be generated with SHA-256, for example with [samltool.com](https://www.samltool.com/fingerprint.php). Supplying only the fingerprint is discouraged, as it rules out the additional SAML security features described below.

> **WARNING:**
> If you will rely on SAML groups (e.g. for JIT or SSO-group-based page access), the group names need to be present in the SAML assertion without any additional tags or nesting.
> 
> Here is an example of a valid attribute value for a membership to the **Administrators** group:
> 
> ```xml
> <saml2:AttributeValue
>     xmlns:xs="http://www.w3.org/2001/XMLSchema"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xsi:type="xs:string">
>   Administrators
> </saml2:AttributeValue>
> ```
> 
> If this is not the case with your identity provider, a transformation may be required.
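To confirm what your IdP actually emits before relying on groups for JIT or for SSO-group-based page access, the following added example (not Tines code) parses a SAML assertion and reports, for each value of the group attribute, whether it is a bare string that Tines can match or carries extra nesting. The assertion fragment, the attribute name `groups`, the group names and the nested `<saml2:Group>` shape are all constructed for the example; substitute an assertion captured from your own identity provider.

```python
"""Added example (not Tines code): check that the values of a SAML group
attribute are bare strings, as Tines requires for JIT provisioning and
SSO-group-based page access.

The assertion fragment below is constructed for the example. The attribute
name "groups", the group names and the nested <saml2:Group> shape are
assumptions, not something every IdP emits; replace SAMPLE_ASSERTION with an
assertion captured from your own identity provider.
"""
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
NS = {"saml2": SAML2}

# Constructed sample: two values in the shape Tines expects (plain xs:string
# text; surrounding whitespace is fine) and one value wrapped in an extra
# element, which Tines would not match without an IdP-side transformation.
SAMPLE_ASSERTION = f"""\
<saml2:Assertion xmlns:saml2="{SAML2}"
    xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="{XSI}">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="groups">
      <saml2:AttributeValue xsi:type="xs:string">
        Administrators
      </saml2:AttributeValue>
      <saml2:AttributeValue xsi:type="xs:string">Analysts</saml2:AttributeValue>
      <saml2:AttributeValue>
        <saml2:Group>Operators</saml2:Group>
      </saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""


def group_values(assertion_xml: str, attribute_name: str) -> list[tuple[str, bool]]:
    """Return (group_name, usable) for every value of the named attribute.

    usable is True when the AttributeValue holds only text (what Tines
    matches against) and False when it contains child elements. For nested
    values the inner text is still reported so the admin can see what the
    IdP would have to flatten.
    """
    root = ET.fromstring(assertion_xml)
    found = []
    for attr in root.iterfind(".//saml2:Attribute", NS):
        if attr.get("Name") != attribute_name:
            continue
        for value in attr.iterfind("saml2:AttributeValue", NS):
            nested = len(value) > 0  # any child element means extra nesting
            text = "".join(value.itertext()).strip()
            found.append((text, not nested))
    return found


def unusable_groups(assertion_xml: str, attribute_name: str) -> list[str]:
    """Group names that would silently fail to match a Tines group or page rule."""
    return [name for name, usable in group_values(assertion_xml, attribute_name) if not usable]


if __name__ == "__main__":
    for name, usable in group_values(SAMPLE_ASSERTION, "groups"):
        print(f"{name:15} {'ok' if usable else 'NESTED - needs transformation'}")
```

The attribute name passed to `group_values` is the same name you later enter as the Group attribute name for SSO-group-based page access, so running this once against a real assertion checks both the value format and the attribute name at the same time.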

### Enhanced SAML Security

Tines also supports additional SAML security features, such as encryption and signing. Contact our support team if you'd like to enable these for your tenant.

## OIDC configuration

Setting up SSO via OpenID Connect (OIDC) requires six pieces of information from your external OpenID provider (OP):

1. Your OAuth client ID.
2. Your OAuth client secret.
3. The authorization endpoint URL - e.g. `https://accounts.google.com/o/oauth2/v2/auth` for Google or `https://<YOUR-DOMAIN>/oauth2/authorize` for AWS Cognito.
4. The token endpoint URL - e.g. `https://oauth2.googleapis.com/token` for Google or `https://<YOUR-DOMAIN>/oauth2/token` for AWS Cognito.
5. The issuer or issuer identifier URL - e.g. `https://accounts.google.com` for Google or `https://cognito-idp.<YOUR-REGION>.amazonaws.com/<YOUR-USER-POOL-ID>` for AWS Cognito.
6. The JSON Web Key Set (JWKS) URL - e.g. `https://www.googleapis.com/oauth2/v3/certs` for Google or `https://cognito-idp.<YOUR-REGION>.amazonaws.com/<YOUR-USER-POOL-ID>/.well-known/jwks.json` for AWS Cognito.

Items 3 to 6 can be found in your OP’s "provider metadata" or "discovery document", which is normally located at a URL that ends with `.well-known/openid-configuration` - e.g. `https://accounts.google.com/.well-known/openid-configuration` for Google or `https://cognito-idp.<YOUR-REGION>.amazonaws.com/<YOUR-USER-POOL-ID>/.well-known/openid-configuration` for AWS Cognito.

Tines requires that your OP supports the OAuth 2.0 authorization code grant and the `openid` and `profile` scopes.

### Optional: email claim name

By default, Tines reads the user's email from the `email` claim in the ID token, which works for Google, Okta, and most popular identity providers. Override this only if your provider returns the email address under a different claim (e.g., `mail`).

If you override this, make sure your identity provider is configured to include the chosen claim in the ID token. If the claim is missing from the ID token, sign-in will fail.
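The following added example (not Tines code) covers both the OIDC settings list above and the email claim name: it pulls items 3 to 6 out of a provider's discovery document, checks that the provider advertises the authorization code flow and the `openid` and `profile` scopes, and decodes an ID token payload to show which claim carries the email address. The discovery document is constructed (its values are modelled on Google's published metadata) and the ID token is a constructed, unsigned sample; the `mail` claim, the client ID and the subject are assumptions for the example.

```python
"""Added example (not Tines code): derive items 3-6 of the Tines OIDC form
from a provider's discovery document, check the provider advertises what
Tines requires, and inspect an ID token's claims to pick the email claim name.

DISCOVERY_DOC and SAMPLE_ID_TOKEN are constructed for the example. The
discovery values are modelled on Google's published metadata, but fetch your
own provider's .well-known/openid-configuration instead of reusing this copy.
"""
import base64
import json

WELL_KNOWN = "/.well-known/openid-configuration"
DISCOVERY_URL = "https://accounts.google.com" + WELL_KNOWN

# Constructed discovery document (a subset of the fields a provider publishes).
DISCOVERY_DOC = {
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.googleapis.com/token",
    "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
    "response_types_supported": ["code", "token", "id_token", "code token"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "scopes_supported": ["openid", "email", "profile"],
}

# Discovery field -> the item it fills in the Tines OIDC settings form.
TINES_FIELDS = {
    "authorization_endpoint": "Authorization endpoint URL",
    "token_endpoint": "Token endpoint URL",
    "issuer": "Issuer",
    "jwks_uri": "JWKS URL",
}


def tines_oidc_settings(doc: dict, discovery_url: str) -> tuple[dict, list[str]]:
    """Return ({tines label: value}, problems) for a discovery document."""
    settings, problems = {}, []
    for field, label in TINES_FIELDS.items():
        if field in doc:
            settings[label] = doc[field]
        else:
            problems.append(f"discovery document has no {field}")

    # OIDC Discovery requires the document to live at issuer + WELL_KNOWN.
    # A mismatch means the wrong document was fetched, or the "iss" claim in
    # ID tokens will not equal the issuer entered in Tines.
    issuer = doc.get("issuer", "")
    if issuer and discovery_url != issuer.rstrip("/") + WELL_KNOWN:
        problems.append(f"issuer {issuer!r} does not match the discovery URL")

    # Tines uses the authorization code grant, so "code" must be a supported
    # response type. grant_types_supported is optional in the spec; its
    # default is ["authorization_code", "implicit"].
    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not advertise response_type=code")
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("provider does not advertise the authorization_code grant")

    # scopes_supported is optional; only check it when the provider lists it.
    scopes = doc.get("scopes_supported")
    if scopes is not None:
        for scope in ("openid", "profile"):
            if scope not in scopes:
                problems.append(f"scope {scope!r} not advertised")
    return settings, problems


def _b64url_json(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def id_token_claims(id_token: str) -> dict:
    """Decode an ID token's payload WITHOUT verifying its signature.

    Use this only to see which claims a provider puts in the ID token (to
    choose the email claim name); never authenticate from an unverified payload.
    """
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def email_from_claims(claims: dict, claim_name: str = "email"):
    """The lookup Tines performs: the configured claim, "email" by default.
    None means the claim is absent from the ID token and sign-in would fail."""
    return claims.get(claim_name)


# Constructed ID token from a provider that exposes the address as "mail"
# (header, payload, placeholder signature; not a real token).
SAMPLE_ID_TOKEN = ".".join([
    _b64url_json({"alg": "RS256", "kid": "constructed-kid"}),
    _b64url_json({"iss": "https://accounts.google.com", "aud": "my-client-id",
                  "sub": "1234567890", "mail": "alice@example.com",
                  "exp": 1800000000}),
    "c2lnbmF0dXJl",
])

if __name__ == "__main__":
    settings, problems = tines_oidc_settings(DISCOVERY_DOC, DISCOVERY_URL)
    for label, value in settings.items():
        print(f"{label}: {value}")
    print("problems:", problems or "none")
    claims = id_token_claims(SAMPLE_ID_TOKEN)
    print("email claim:", email_from_claims(claims), "| mail claim:", email_from_claims(claims, "mail"))
```

Run `id_token_claims` against an ID token from a test sign-in with your provider before changing the email claim name; the decoder deliberately skips signature verification, so treat its output as a configuration aid only.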

## Just-in-time user provisioning

See [here](https://www.tines.com/docs/admin/user-administration/jit) for documentation on just-in-time configuration.

## SCIM user provisioning

See [here](https://www.tines.com/docs/admin/user-administration/scim) for documentation on SCIM integration.

## SSO-group-based page access

> **NOTE:** This feature is not available in all plans, please reach out to your Tines point of contact or [Tines support](mailto:support@tines.com) to learn more about enabling it.

It's also possible to restrict access to specific pages based on SSO group membership. To enable this feature, turn on **SSO-group-based page access** in Authentication settings and provide a **Group attribute name**, which must match the name of the SAML or OIDC attribute that carries the group names in your identity provider.

![](https://www.datocms-assets.com/55802/1719587896-screenshot-2024-06-28-at-16-17-56.png)

When the setup is completed, you will be prompted to terminate all ongoing sessions on your tenant. This is advised because group memberships are only read at sign-in, so existing sessions keep their old memberships until a new session is started.

Finally, you can [configure specific pages to use SSO-group-based-page-access](https://www.tines.com/docs/pages/distribution-and-access-control#controlling-end-user-access).
