Documentation
Solutions Guide

Single Sign-On

One login for all infrastructure. Integrate with your existing identity provider for seamless, secure access.

Estimated time: 20 minutes

Supported Identity Providers

  Provider           Protocols
  Okta               OIDC/SAML
  Azure AD           OIDC/SAML
  Google Workspace   OIDC
  OneLogin           OIDC/SAML
  Ping Identity      OIDC/SAML
  Custom SAML        SAML 2.0

Configuration Steps

1. Configure OIDC Provider

Set up OpenID Connect with your identity provider.

tacctl create -f - <<EOF
kind: oidc
metadata:
  name: okta
spec:
  issuer_url: https://company.okta.com
  client_id: ${OKTA_CLIENT_ID}
  client_secret: ${OKTA_CLIENT_SECRET}

  # Redirect URL
  redirect_url: https://access.company.com/v1/webapi/oidc/callback

  # Claims mapping
  claims_to_roles:
    - claim: groups
      value: engineering
      roles: [developer]
    - claim: groups
      value: platform
      roles: [admin]
EOF

2. Configure SAML Provider

Set up SAML 2.0 with your identity provider.

tacctl create -f - <<EOF
kind: saml
metadata:
  name: azure-ad
spec:
  # Azure AD metadata
  entity_descriptor_url: https://login.microsoftonline.com/.../metadata.xml

  # Or provide directly
  sso_url: https://login.microsoftonline.com/.../saml2
  cert: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

  # Attribute mapping
  attributes_to_roles:
    - name: groups
      value: "SG-TigerAccess-Admins"
      roles: [admin]
EOF

3. Enable SCIM Provisioning

Automatically sync users and groups from your IdP.

tacctl create -f - <<EOF
kind: scim
metadata:
  name: okta-scim
spec:
  enabled: true
  token: ${SCIM_TOKEN}

  # Auto-provision settings
  auto_create_users: true
  auto_create_groups: true

  # Sync interval
  sync_interval: 5m
EOF

4. Configure Group Mappings

Map IdP groups to TigerAccess roles.

tacctl create -f - <<EOF
kind: role
metadata:
  name: sso-developer
spec:
  # Assign to users with this IdP group
  allow:
    logins: ["{{internal.logins}}"]
    node_labels:
      env: [dev, staging]

  # Group condition
  conditions:
    - type: group
      value: "Engineering"
EOF

5. Test SSO Login

Verify SSO is working correctly.

# Login via SSO
tac login --proxy=access.company.com

# Browser opens to IdP login page
# After authentication, certificate is issued

# Verify identity
tac status

# List available resources
tac ls
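To see what the claims_to_roles and attributes_to_roles rules from steps 1, 2 and 4 actually grant a user, here is an added walk-through of the mapping logic. It is not TigerAccess code; it assumes exact, case-sensitive, additive matching of the rule value against the named claim or attribute, and the sample identities are constructed.

```python
# Added illustration of how claims_to_roles / attributes_to_roles rules
# resolve to roles. Not TigerAccess code; the matching semantics (exact,
# case-sensitive, additive) are an assumption about the product.

# Rules copied from the OIDC and SAML specs above, as Python literals.
OIDC_RULES = [
    {"claim": "groups", "value": "engineering", "roles": ["developer"]},
    {"claim": "groups", "value": "platform", "roles": ["admin"]},
]
SAML_RULES = [
    {"name": "groups", "value": "SG-TigerAccess-Admins", "roles": ["admin"]},
]


def _as_list(value) -> list:
    """Normalise a claim: IdPs send a string for one group, a list for many."""
    if value is None:
        return []
    if isinstance(value, (list, tuple, set)):
        return [str(v) for v in value]
    return [str(value)]


def resolve_roles(rules: list, identity: dict) -> list:
    """Sorted, de-duplicated roles granted to `identity` (decoded ID-token
    claims or SAML attribute statement). A rule matches when the named
    claim/attribute contains the rule's value exactly; every matching
    rule adds its roles, so a user in two groups gets both role sets."""
    granted = set()
    for rule in rules:
        key = rule.get("claim", rule.get("name"))  # OIDC uses claim, SAML uses name
        if key is None:
            raise ValueError(f"rule has neither 'claim' nor 'name': {rule!r}")
        if rule["value"] in _as_list(identity.get(key)):
            granted.update(rule["roles"])
    return sorted(granted)


def login_allowed(rules: list, identity: dict) -> bool:
    """A user matching no rule maps to no role and so has no access."""
    return bool(resolve_roles(rules, identity))


if __name__ == "__main__":
    # Constructed sample identities; note the single-string and case-mismatch cases.
    alice = {"sub": "alice", "groups": ["engineering", "platform"]}
    bob = {"sub": "bob", "groups": "engineering"}
    eve = {"sub": "eve", "groups": ["Engineering"]}
    print(resolve_roles(OIDC_RULES, alice), resolve_roles(OIDC_RULES, bob))
    print(login_allowed(OIDC_RULES, eve))  # False: case differs, no rule matches
```

The useful check before go-live is the last case: a group whose name differs from the rule only by case or a prefix grants nothing, which shows up as a successful IdP login followed by a user with no roles.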

SSO Enabled

With SSO configured, you have:

  • Single identity across all infrastructure
  • Automatic user provisioning via SCIM
  • Group-based role assignment
  • Centralized access management