Understand SSO

What is SSO?

Single sign-on (SSO) is a way for your users to access Tines using their existing account from your organization's identity provider. Instead of managing separate passwords for Tines, your team signs in once through your identity provider (like Okta, Azure AD, or Google Workspace) and gains access to Tines automatically.


Why SSO matters for tenant owners

As a tenant owner, SSO gives you centralized access control over your Tines tenant. When someone leaves your organization, you deactivate their account in one place (your identity provider), and they immediately lose access to Tines along with everything else. No need to remember to revoke access in multiple systems.

SSO also simplifies onboarding. New team members can start using Tines on day one without waiting for invitations or setting up new credentials. Their existing company account just works.

Key SSO terminology

Before diving into configuration, let's clarify some terms you'll encounter when setting up SSO in Tines:

  • Assertion: A package of information from your identity provider that confirms a user's identity. Think of it as a digital ID card that says "this person is who they claim to be."

  • Attribute: A piece of information about a user (like their email address, name, or group memberships) that your identity provider sends to Tines. Tines uses these attributes to create and update user profiles.

  • Group attribute: The specific attribute in your identity provider that contains information about which groups a user belongs to. This is crucial for automated provisioning and access control. In many identity providers, this is simply called "Group," but it might have a different name in yours.

  • Identity provider (IdP): The system that manages your organization's user accounts and handles authentication. Common examples include Okta, Azure AD, Google Workspace, and OneLogin. Your identity provider is the source of truth for who your users are.

  • OIDC (OpenID Connect): A newer authentication protocol built on top of OAuth 2.0. OIDC carries identity information as JSON tokens rather than SAML's XML documents, and is commonly used by cloud providers like Google and AWS.

  • Recovery code: A one-time password that lets you access your Tines account if your normal authentication method isn't working. These are your emergency backup for regaining access.

  • SAML (Security Assertion Markup Language): An XML-based protocol for exchanging authentication and authorization data between an identity provider and a service provider. SAML is widely supported by enterprise identity providers.

  • Service provider (SP): In this case, Tines. The service provider is the application that users want to access. Tines relies on your identity provider to verify user identities.

  • User provisioning: The process of automatically creating, updating, or deactivating user accounts. Instead of manually inviting each user to Tines, provisioning handles this automatically based on information from your identity provider.

  • X.509 certificate: A digital certificate used to verify the identity of your identity provider (by checking the signature on the responses it sends) and to encrypt communication. When configuring SAML, you'll provide Tines with your identity provider's certificate so Tines can trust the authentication responses it receives.
