
SSO Setup

Tensoras.ai supports Single Sign-On (SSO) via a standalone SAML 2.0 Service Provider, enabling your team to authenticate using your existing identity provider. SSO is available on Enterprise plans.

Overview

With SSO enabled, members of your organization sign in through your identity provider (IdP) instead of using email and password. Tensoras supports SAML 2.0 for SSO connections.

Supported Identity Providers

Tensoras SSO works with any SAML 2.0-compatible provider, including:

  • Okta
  • Microsoft Entra ID (Azure AD)
  • Google Workspace
  • OneLogin
  • JumpCloud
  • PingIdentity
  • Custom SAML providers

SP Metadata

When configuring your identity provider, you will need the following values from Tensoras:

Field                                       Value
Entity ID (Audience URI)                    https://cloud.tensoras.ai/api/auth/saml/metadata
ACS URL (Assertion Consumer Service URL)    https://cloud.tensoras.ai/api/auth/saml/callback
SP Metadata URL                             https://cloud.tensoras.ai/api/auth/saml/metadata

You can also download the SP metadata XML directly from the metadata URL.

Setup Steps

Step 1: Enable SSO in Console Settings

  1. Log in to cloud.tensoras.ai as an organization admin.
  2. Navigate to Settings > Security.
  3. Click Enable SSO.
  4. You will be prompted to enter the following values from your identity provider:
    • IdP Entity ID — the entity ID of your identity provider
    • SSO URL — the single sign-on URL where SAML requests are sent
    • Certificate — the X.509 signing certificate from your identity provider (PEM format)

Note: Keep the SP metadata values from the table above handy. You will need them when configuring your identity provider in the next step.

Step 2: Configure Your Identity Provider

Okta

  1. In the Okta Admin Console, go to Applications > Create App Integration.
  2. Select SAML 2.0 and click Next.
  3. Enter the following:
    • Single sign-on URL: https://cloud.tensoras.ai/api/auth/saml/callback
    • Audience URI (SP Entity ID): https://cloud.tensoras.ai/api/auth/saml/metadata
    • Name ID format: EmailAddress
    • Application username: Email
  4. Under Attribute Statements, add:
    • email -> user.email
    • firstName -> user.firstName
    • lastName -> user.lastName
  5. Click Next, then Finish.
  6. Assign the application to users or groups in Okta.
  7. From the Sign On tab, copy the IdP Entity ID, SSO URL, and download the X.509 Certificate.

Microsoft Entra ID (Azure AD)

  1. In the Azure portal, go to Microsoft Entra ID > Enterprise Applications > New Application.
  2. Click Create your own application, name it “Tensoras”, and select Integrate any other application.
  3. Go to Single sign-on > SAML.
  4. Under Basic SAML Configuration, set:
    • Identifier (Entity ID): https://cloud.tensoras.ai/api/auth/saml/metadata
    • Reply URL (Assertion Consumer Service URL): https://cloud.tensoras.ai/api/auth/saml/callback
  5. Under Attributes & Claims, verify that the emailaddress claim is mapped.
  6. Download the Certificate (Base64) and copy the Login URL and Azure AD Identifier from the SAML configuration page.
  7. Assign users or groups to the application.

Google Workspace

  1. In the Google Admin Console, go to Apps > Web and mobile apps > Add App > Add custom SAML app.
  2. Name the app “Tensoras” and click Continue.
  3. Copy the SSO URL, Entity ID, and Certificate from Google — you will paste these into Tensoras in Step 3.
  4. Set the ACS URL to https://cloud.tensoras.ai/api/auth/saml/callback and the Entity ID to https://cloud.tensoras.ai/api/auth/saml/metadata.
  5. Add attribute mappings:
    • email -> Basic Information > Primary email
    • firstName -> Basic Information > First name
    • lastName -> Basic Information > Last name
  6. Click Finish and turn on the app for your organizational units.

Step 3: Complete the Connection in Tensoras

  1. Return to Settings > Security in the Tensoras Console.
  2. Enter the IdP Entity ID, SSO URL, and Certificate you collected from your identity provider.
  3. Click Save Connection.
  4. The connection status should change to Active.

Step 4: Test the Connection

  1. Click Test Connection in the Tensoras Console.
  2. You will be redirected to your identity provider’s login page.
  3. After authenticating, you should be redirected back to Tensoras and signed in.
  4. If the test fails, verify that:
    • The ACS URL and Entity ID are entered correctly in your IdP
    • The user you are testing with is assigned to the Tensoras application in your IdP
    • Attribute mappings include email

How SSO Login Works

Once SSO is enabled and tested:

  1. Users navigate to cloud.tensoras.ai and enter their email address.
  2. Tensoras detects that their email domain has SSO configured and redirects them to the IdP.
  3. The user authenticates with the IdP.
  4. The IdP sends a SAML assertion back to the ACS URL.
  5. Tensoras validates the assertion, creates or updates the user account, and signs them in.
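The validation in step 5 is where most of the problems in the Troubleshooting table surface. The following added example (not Tensoras's own code) shows the checks a SAML Service Provider makes on an assertion before trusting it, using the Entity ID, ACS URL and attribute names from this page; the sample response is constructed, and XML-DSig signature verification against the IdP certificate is assumed to have been done by the SAML library before these checks run.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Added example, not Tensoras code. Signature verification (XML-DSig) is assumed
# to have already succeeded; these are the post-signature checks an SP applies.
SP_ENTITY_ID = "https://cloud.tensoras.ai/api/auth/saml/metadata"
ACS_URL = "https://cloud.tensoras.ai/api/auth/saml/callback"
REQUIRED_ATTRS = ("email", "firstName", "lastName")
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

def _ts(s):  # SAML timestamps are UTC with a trailing Z
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def check_assertion(response_xml, now):
    """Return {attribute: value} if the assertion is acceptable, else raise ValueError."""
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in Response")
    cond = assertion.find("saml:Conditions", NS)
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:  # Audience must equal the SP entity ID exactly
        raise ValueError("audience mismatch: %r" % audiences)
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:  # exact match, no trailing slash
        raise ValueError("recipient mismatch")
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))) \
            or now >= _ts(scd.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = value.text if value is not None else None
    missing = [n for n in REQUIRED_ATTRS if not attrs.get(n)]
    if missing:  # shows up as "User attributes missing" in the troubleshooting table
        raise ValueError("missing attributes: " + ", ".join(missing))
    return attrs

# Constructed sample response (not a real capture); the Signature element is omitted.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
 <saml:Subject><saml:NameID>alice@example.com</saml:NameID><saml:SubjectConfirmation>
  <saml:SubjectConfirmationData Recipient="https://cloud.tensoras.ai/api/auth/saml/callback"
   NotOnOrAfter="2025-01-01T12:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions NotBefore="2025-01-01T11:55:00Z" NotOnOrAfter="2025-01-01T12:05:00Z">
  <saml:AudienceRestriction><saml:Audience>https://cloud.tensoras.ai/api/auth/saml/metadata</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="lastName"><saml:AttributeValue>Ng</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

Calling `check_assertion(SAMPLE, _ts("2025-01-01T12:00:00Z"))` returns the three mapped attributes; the same response evaluated after 12:05 UTC, or with a trailing slash on the Audience, is rejected.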

Note: When SSO is enabled, password-based login is disabled for all users in your organization. Organization admins retain the ability to log in with email and password as a fallback.

Enforcing SSO

By default, SSO is optional — users can still log in with email and password. To require SSO for all non-admin users:

  1. Navigate to Settings > Security.
  2. Enable Enforce SSO.
  3. All non-admin users will be required to authenticate through your identity provider.

SCIM Provisioning

SCIM (System for Cross-domain Identity Management) provisioning allows you to automatically create, update, and deactivate Tensoras user accounts from your identity provider.

Enabling SCIM

  1. Navigate to Settings > Security in the Tensoras Console.
  2. Under SCIM Provisioning, click Enable SCIM.
  3. A SCIM Bearer Token will be generated. Copy it immediately — it will only be shown once.
  4. The SCIM Base URL is displayed: https://cloud.tensoras.ai/api/scim/v2

Configuring Your IdP for SCIM

In your identity provider, create a SCIM integration using:

Field              Value
SCIM Base URL      https://cloud.tensoras.ai/api/scim/v2
Authentication     Bearer Token (use the token generated above)

SCIM Endpoints

The following SCIM 2.0 endpoints are available:

Endpoint                                    Description
GET    /api/scim/v2/ServiceProviderConfig   Returns the SCIM service provider configuration and supported capabilities
GET    /api/scim/v2/Users                   List all provisioned users
POST   /api/scim/v2/Users                   Create a new user
GET    /api/scim/v2/Users/:id               Get a specific user
PUT    /api/scim/v2/Users/:id               Replace a user (full update)
PATCH  /api/scim/v2/Users/:id               Update specific user attributes
DELETE /api/scim/v2/Users/:id               Deactivate a user
GET    /api/scim/v2/Groups                  List all groups
POST   /api/scim/v2/Groups                  Create a new group
GET    /api/scim/v2/Groups/:id              Get a specific group
PUT    /api/scim/v2/Groups/:id              Replace a group
PATCH  /api/scim/v2/Groups/:id              Update group membership
DELETE /api/scim/v2/Groups/:id              Delete a group
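As an added example (not Tensoras's own code or SDK), the following shows how a client builds authenticated requests for the endpoints above, carrying the same email, first-name and last-name attributes the SAML mapping uses, and reads a GET /Users ListResponse to find the id needed for DELETE /Users/:id. Nothing is sent; the token and the ListResponse are constructed placeholders.

```python
import json
import urllib.request

# Added example, not Tensoras code. Requests are built but not sent.
SCIM_BASE_URL = "https://cloud.tensoras.ai/api/scim/v2"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

def scim_request(token, method, path, body=None):
    """Return an unsent urllib Request for SCIM_BASE_URL + path with bearer auth."""
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Authorization": "Bearer " + token, "Accept": "application/scim+json"}
    if data is not None:
        headers["Content-Type"] = "application/scim+json"
    return urllib.request.Request(SCIM_BASE_URL + path, data=data, headers=headers, method=method)

def scim_user(email, first, last, external_id):
    """SCIM core User resource; userName is the email, matching the SAML NameID format."""
    return {"schemas": [USER_SCHEMA], "userName": email, "externalId": external_id,
            "name": {"givenName": first, "familyName": last},
            "emails": [{"value": email, "primary": True}], "active": True}

def parse_users(list_response_json):
    """Map userName -> (id, active) from a GET /Users ListResponse, rejecting other shapes."""
    doc = json.loads(list_response_json)
    if LIST_SCHEMA not in doc.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    return {u["userName"]: (u["id"], bool(u.get("active", False))) for u in doc.get("Resources", [])}

def deactivate_request(token, list_response_json, email):
    """DELETE /Users/:id deactivates the user, per the endpoint table above."""
    user_id, _ = parse_users(list_response_json)[email]
    return scim_request(token, "DELETE", "/Users/" + user_id)

# Constructed sample ListResponse (not real Tensoras output) and placeholder token.
SAMPLE_TOKEN = "PLACEHOLDER_SCIM_TOKEN"
SAMPLE_LIST = json.dumps({
    "schemas": [LIST_SCHEMA], "totalResults": 2, "startIndex": 1, "itemsPerPage": 2,
    "Resources": [
        {"id": "u-001", "userName": "alice@example.com", "active": True},
        {"id": "u-002", "userName": "bob@example.com", "active": False}]})
```

To actually provision, pass the Request to `urllib.request.urlopen`; a 401 response means the bearer token was regenerated or mistyped, which is the "SCIM provisioning not syncing" case in the troubleshooting table.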

Token Management

  • To regenerate a SCIM token, go to Settings > Security > SCIM Provisioning and click Regenerate Token. The previous token will be immediately invalidated.
  • SCIM tokens do not expire automatically. Rotate them on a regular cadence (e.g., every 90 days) as a security best practice.

Troubleshooting

Problem                                        Solution
"SSO connection not found"                     Verify the email domain matches the domain configured in your SSO connection
Redirect loop after login                      Check that the ACS URL in your IdP matches https://cloud.tensoras.ai/api/auth/saml/callback exactly (no trailing slash)
User attributes missing                        Verify attribute mappings in your IdP include email, firstName, and lastName
"Invalid SAML response"                        Ensure your IdP's signing certificate has not expired and matches the certificate entered in Tensoras
Users cannot access Tensoras after IdP login   Confirm the user is assigned to the Tensoras application in your IdP
SCIM provisioning not syncing                  Verify the SCIM Base URL and Bearer Token are entered correctly in your IdP
