
SSO

Allow members to sign in with your identity provider.

SSO is available on Enterprise plans. Contact us to upgrade.

Overview

Single Sign-On (SSO) allows your team members to sign in to TofuPilot using your company's identity provider (IdP). TofuPilot supports:

  • OIDC (OpenID Connect) - Works with Okta, Azure AD (Microsoft Entra ID), Auth0, OneLogin
  • SAML 2.0 - Works with most enterprise identity providers

When SSO is configured, users whose email address is on your configured domain are automatically redirected to your identity provider when they sign in.

Configure OIDC

In your identity provider, create a new OIDC application for TofuPilot.

Navigate to Settings > Organization and find the Single Sign-On card.

Select the OIDC tab and enter:

  • Email Domain: Your company domain (e.g., acme.com)
  • Issuer URL: Your IdP's issuer URL (the base of its /.well-known/openid-configuration document)
  • Client ID: From your IdP application
  • Client Secret: From your IdP application (treat it as a credential and rotate it if it is exposed)

Copy the Callback URL and add it, exactly as shown, to your IdP's allowed redirect URIs. IdPs compare redirect URIs by exact string match, so a missing trailing slash or an http/https difference will make the login fail.

Click Save OIDC Configuration.

Required OIDC Scopes

Ensure your IdP application requests these scopes:

  • openid
  • profile
  • email
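The checks a relying party runs with these OIDC settings, written out as an added example (this is not TofuPilot's code; the issuer URL, client ID, client secret, discovery document and ID token are all constructed for the demo, and HS256 keyed with the client secret stands in for the RS256-over-JWKS verification most enterprise IdPs use):

```python
"""OIDC SSO checks for the settings above: added example, not TofuPilot code.

1. The Issuer URL you enter must equal the `issuer` in the IdP's discovery
   document, which must advertise the openid/profile/email scopes.
2. Each ID token must be verified (algorithm pinned, signature, iss, aud,
   exp, nonce) and its email must be on the configured domain.
"""
from __future__ import annotations
import base64, hashlib, hmac, json
from urllib.parse import urlparse

# Values typed into the Single Sign-On card (hypothetical).
EMAIL_DOMAIN = "acme.com"
ISSUER_URL = "https://login.example-idp.test/oauth2/default"
CLIENT_ID = "0oa-example-client"
CLIENT_SECRET = "example-only-not-a-real-secret"
REQUIRED_SCOPES = {"openid", "profile", "email"}

# Constructed stand-in for GET {ISSUER_URL}/.well-known/openid-configuration
DISCOVERY_DOC = {
    "issuer": ISSUER_URL,
    "authorization_endpoint": ISSUER_URL + "/v1/authorize",
    "token_endpoint": ISSUER_URL + "/v1/token",
    "jwks_uri": ISSUER_URL + "/v1/keys",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
}


def check_discovery(configured_issuer: str, doc: dict) -> list:
    """Return problems with the configured Issuer URL; an empty list means usable."""
    problems = []
    if doc.get("issuer") != configured_issuer:
        # A mismatch here means every ID token's iss claim will be rejected later.
        problems.append(f"issuer mismatch: configured {configured_issuer!r}, "
                        f"IdP advertises {doc.get('issuer')!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlparse(doc.get(key, "")).scheme != "https":
            problems.append(f"{key} is not https")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append(f"IdP does not advertise required scopes: {sorted(missing)}")
    return problems


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: str) -> str:
    """Mint an ID token the way an HS256 IdP would (only for the offline demo)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_id_token(token: str, secret: str, expected_nonce: str, now: int) -> dict:
    """Verify an ID token and return its claims, or raise ValueError."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the token header must never choose it (alg=none, key confusion).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER_URL:
        raise ValueError("iss does not match the configured Issuer URL")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("aud does not contain our Client ID")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    email = claims.get("email", "")
    _, at, domain = email.rpartition("@")
    # Exact, case-insensitive domain match, never a suffix or substring test:
    # acme.com.evil.test and notacme.com must both fail.
    if not at or domain.lower() != EMAIL_DOMAIN:
        raise ValueError(f"email {email!r} is not on {EMAIL_DOMAIN}")
    return claims


def verification_error(token: str, secret: str, nonce: str, now: int) -> str | None:
    """Return the rejection reason, or None when the token is accepted."""
    try:
        verify_id_token(token, secret, nonce, now)
        return None
    except ValueError as exc:
        return str(exc)
```

The order of checks matters: signature first, then issuer and audience, then freshness and nonce, and only then the email domain. Running `check_discovery` against the real discovery document before saving the configuration catches the issuer mismatch that otherwise only shows up as "authentication fails after IdP login".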

Configure SAML 2.0

In your identity provider, create a new SAML application for TofuPilot.

Navigate to Settings > Organization and find the Single Sign-On card.

Select the SAML 2.0 tab and enter:

  • Email Domain: Your company domain (e.g., acme.com)
  • IdP SSO URL: Your identity provider's SSO endpoint
  • IdP Certificate: The X.509 signing certificate from your IdP (PEM format), used to verify the signature on SAML responses. Update it before your IdP rotates its signing certificate, or sign-ins will start failing.

Copy the SP Metadata URL and import it into your IdP, or manually configure:

  • ACS URL: The callback URL shown in TofuPilot
  • Entity ID: The SP Metadata URL shown in TofuPilot

Click Save SAML Configuration.

Required SAML Attributes

Map these attributes in your IdP:

  • email - User's email address (required)
  • name or displayName - User's full name (optional)
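The checks a service provider runs on an incoming SAML Response before mapping these attributes, as an added example (not TofuPilot's code; the ACS URL, Entity ID and the Response itself are constructed, and XML-DSig verification of the assertion against the IdP certificate is deliberately left to a library such as python3-saml/xmlsec and must pass before anything below is trusted):

```python
"""SAML Response checks for the settings above: added example, not TofuPilot code.

The Response is constructed inline to match a working setup: Destination is the
ACS URL, Audience is the SP Entity ID (the metadata URL), and the IdP maps
`email` and `displayName`. Signature verification is out of scope here; in
production also parse with defusedxml rather than plain ElementTree.
"""
from __future__ import annotations
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Values shown on the SAML 2.0 tab (hypothetical URLs).
ACS_URL = "https://app.example-sp.test/api/auth/saml/callback"
SP_ENTITY_ID = "https://app.example-sp.test/api/auth/saml/metadata"
EMAIL_DOMAIN = "acme.com"

# Constructed sample of what the IdP POSTs to the ACS URL (signature omitted).
SAML_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>https://idp.acme.com/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.acme.com/saml</saml:Issuer>
    <saml:Subject><saml:NameID>jane@acme.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>jane@acme.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="displayName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(text: str) -> datetime:
    """SAML timestamps are UTC ISO 8601; IdPs differ on fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unparseable SAML timestamp {text!r}")


def validate_response(xml_text: str, now: datetime) -> dict:
    """Return the mapped user attributes, or raise ValueError with the reason."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    # Destination must equal our ACS URL exactly; a mismatch usually means the
    # IdP was given a different callback URL than the one TofuPilot shows.
    if root.get("Destination") != ACS_URL:
        raise ValueError(f"Destination {root.get('Destination')!r} != ACS URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP returned a non-Success status")
    # Use only direct-child Assertions and insist on exactly one, so an extra
    # assertion smuggled elsewhere in the tree can never be the one we read.
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one Assertion, found {len(assertions)}")
    cond = assertions[0].find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("Assertion lacks Conditions/NotOnOrAfter")
    if cond.get("NotBefore") and now < parse_saml_time(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid (check IdP/SP clock skew)")
    if now >= parse_saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError(f"Audience {audiences} does not include our Entity ID")
    attrs = {}
    for attr in assertions[0].findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values[0] if values else ""
    email = attrs.get("email", "")
    if not email:
        raise ValueError("required attribute 'email' is not mapped")
    # Exact, case-insensitive domain match, never a suffix test.
    if email.rpartition("@")[2].lower() != EMAIL_DOMAIN:
        raise ValueError(f"email {email!r} is not on {EMAIL_DOMAIN}")
    return {"email": email, "name": attrs.get("name") or attrs.get("displayName")}


def error_at(xml_text: str, iso_now: str) -> str | None:
    """Return the rejection reason for a response checked at iso_now, else None."""
    try:
        validate_response(xml_text, parse_saml_time(iso_now))
        return None
    except ValueError as exc:
        return str(exc)
```

The attribute lookup is by the exact `Name` value, so the IdP mapping has to emit `email` (and `name` or `displayName`) literally; IdPs that default to URI-style claim names such as `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` need the mapping renamed on their side. The `NotBefore`/`NotOnOrAfter` checks are where a few seconds of clock drift between IdP and SP shows up as intermittent failures.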

Testing SSO

After configuration:

  1. Open a private browser window
  2. Go to your TofuPilot sign-in page
  3. Enter an email with your configured domain
  4. You should be redirected to your identity provider

Keep at least one owner account that can sign in without SSO (for example, an owner whose email address is outside the configured domain) so you are not locked out if your IdP is unavailable or misconfigured.

Troubleshooting

Users not redirected to IdP

  • Verify the Email Domain matches the part of the user's address after the @ exactly (a subdomain such as eu.acme.com does not match acme.com)
  • Check that the SSO configuration is saved

Authentication fails after IdP login

  • Verify the callback URL (OIDC redirect URI or SAML ACS URL) is configured in your IdP exactly as shown in TofuPilot
  • Check that the required scopes (OIDC) or attributes (SAML) are mapped, and for SAML that the IdP certificate in TofuPilot is still the one your IdP signs with
  • Review IdP logs for error details
