Single Sign-on (SAML)
Tuskr supports SAML 2.0 for Single Sign-On (SSO). SSO is available on select plans. If your plan includes SSO, follow the steps below to connect Tuskr with your identity provider (Google, Okta, Azure AD, etc.).
Tuskr SAML Setup Instructions
These instructions are intended as general guidance for setting up SAML with Tuskr. Since every identity provider may have slightly different steps, labels, or requirements, we recommend consulting your internal IT or identity provider (IdP) expert if you have any questions or need help setting up the SAML app. Our team can help you with what Tuskr expects, but we’re unable to provide support for configuring your IdP itself.
Step 1: Create a new SAML app in your Identity Provider
When creating the app in your IdP, use the following values:
Field (depending on your IdP) | Value |
---|---|
ACS URL / Single Sign-On URL | https://api.tuskr.live/api/auth/sso/callback |
Entity ID / Audience URI / SP Entity ID | https://tuskr.live |
Name ID Format | EmailAddress or leave default |
RelayState | Leave it blank; we'll handle this automatically |
Step 2: Enter IdP details in Tuskr
After creating the app, your IdP will give you:
- SSO URL (Login URL)
- X.509 Certificate (public certificate)
In Tuskr, go to Main Menu ▸ Administration ▸ Global Settings and in the SSO Authentication section:
Choose Optional, which allows you to test your SSO setup.
Enter the following information carefully:
Field in Tuskr | What to Enter |
---|---|
SSO URL | Paste the Login URL (also called SSO URL) from your IdP |
Entity ID | Paste the exact same Entity ID you used when creating the SAML app |
Certificate | Paste the X.509 certificate from your identity provider. It should start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----. |
Step 3: Test your Setup
Only switch from Optional to Required after you have fully tested your SSO setup. Switching too soon may lock you out of your account. If that happens, our team will need to manually restore access, which could take time.
- Test your setup by clicking Login using SSO on the Tuskr login page.
If you run into any problems, double-check the instructions above. The most common mistake is entering the wrong Entity ID in Tuskr or your SAML App.
Common Setup Mistakes
- Mismatched Entity ID
  - The Entity ID entered in Tuskr must match exactly what you used when creating the SAML app in your identity provider.
- Wrong ACS URL
  - Make sure the ACS (Assertion Consumer Service) URL in your identity provider is set correctly. Even a small typo (like missing https:// or a trailing slash) can break the login flow.
- Incorrect or Expired Certificate
  - Paste the full X.509 certificate from your IdP; it must start with -----BEGIN CERTIFICATE----- and be current (not expired).
- Users Not Assigned to the App
  - Some identity providers (like Okta, OneLogin) require you to explicitly assign users to the SAML app before they can use SSO.
- NameID Format or Attribute Mapping Issues (optional)
  - Tuskr expects the NameID to be the user’s email address. If your IdP is sending a username or internal ID instead, SSO may fail.
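
To catch the "Incorrect or Expired Certificate" mistake before pasting the certificate into Tuskr, the following added example (not Tuskr's code) checks the BEGIN/END framing and reads the validity dates using only the Python standard library. The function names are hypothetical, and it reads dates only: it does not verify the certificate's signature or issuer.

```python
import base64, re
from datetime import datetime, timezone

PEM_RE = re.compile(r"\A\s*-----BEGIN CERTIFICATE-----\s+(.+?)\s+"
                    r"-----END CERTIFICATE-----\s*\Z", re.S)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _time(buf, pos):
    tag, start, end = _tlv(buf, pos)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime, else GeneralizedTime
    when = datetime.strptime(buf[start:end].decode("ascii"), fmt)
    return when.replace(tzinfo=timezone.utc), end

def cert_validity(pem_text):
    """Return (not_before, not_after) from a PEM X.509 certificate (dates only)."""
    m = PEM_RE.match(pem_text)
    if not m:
        raise ValueError("missing BEGIN/END CERTIFICATE lines or extra text around them")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    _, pos, _ = _tlv(der, 0)               # enter Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)             # enter tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    pos = end if tag == 0xA0 else pos      # skip the optional [0] version field
    for _field in range(3):                # skip serialNumber, signature algorithm, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)             # enter validity SEQUENCE
    not_before, pos = _time(der, pos)
    not_after, _ = _time(der, pos)
    return not_before, not_after

def check_idp_certificate(pem_text, now=None):
    now = now or datetime.now(timezone.utc)
    try:
        not_before, not_after = cert_validity(pem_text)
    except (ValueError, IndexError) as exc:  # bad framing, bad base64, truncated DER
        return f"invalid: {exc}"
    if now < not_before:
        return f"not yet valid (starts {not_before:%Y-%m-%d})"
    if now > not_after:
        return f"expired on {not_after:%Y-%m-%d}"
    return f"ok, valid until {not_after:%Y-%m-%d}"
```

Pass the full text of the certificate file exported by your IdP to `check_idp_certificate` and confirm the result starts with `ok` before switching SSO from Optional to Required.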