SAML SSO Setup Guide

This guide walks through everything needed to configure SAML-based Single Sign-On (SSO) for Tulip, covering both the identity provider (client side) and Admin Console (Tulip side) setup.

Overview

Tulip supports SAML 2.0 for authenticating app users against an external identity provider. When SSO is configured, Tulip redirects users to the client’s login page. After successful authentication, the identity provider redirects back to Tulip with a signed SAML response containing user information.

Key Terminology

Term	Description
Identity Provider (IdP)	The client’s authentication system (e.g., Microsoft Entra ID, Okta, Ping Identity). This is where users log in.
Service Provider (SP)	Tulip. Tulip receives and validates the SAML response from the IdP.
Assertion Consumer Service (ACS) URL	The Tulip endpoint that receives the SAML response after authentication.
EntityID	A unique identifier for the SAML application. Used by both sides to identify each other.
NameID	The unique identifier for the user within the SAML assertion. This is used to match the user to a Tulip employee record.
SAML Assertion	The signed data payload returned by the IdP, containing user identity and attribute claims.

How It Works

A user opens the Tulip app and is redirected to the IdP’s login page.
The user authenticates with the IdP (including any MFA the client has configured).
The IdP sends a signed SAML Response back to Tulip’s ACS URL.
Tulip validates the response signature using the IdP’s certificate.
Tulip matches the NameID in the assertion to a Tulip employee record (by externalId or samlNameId).
Tulip converts the SAML session into internal OpenID Connect tokens and logs the user in.

Prerequisites

Before starting configuration, ensure the following:

Employee data is loaded into Tulip. Each employee must have an externalId (or samlNameId) that matches the NameID value that will be sent in the SAML assertion. See Employee Data Requirements below.
Access to Admin Console. You need admin-level access to configure identity providers.
Access to the client’s IdP admin portal. An admin on the client side must configure the SAML application.
Test accounts. Request at least two test accounts from the client (one associate, one manager) to validate the setup.

Step 1: Provide SAML Configuration Details to the Client

The client’s IT team needs the following information to configure their IdP:

Field	Value
Assertion Consumer Service (ACS) URL	`https://<tenant>.tulipretail.com/auth/saml`
EntityID	`https://tulip.com/` (default) or a custom identifier if needed
NameID Format	Persistent (recommended)
Binding	HTTP-POST
Requests Signed	No

Replace <tenant> with the client’s actual Tulip tenant hostname.

If the client has multiple Tulip environments (e.g., staging and production), provide the ACS URL for each environment. The EntityID can remain the same across environments if the IdP supports multiple Reply URLs under one application, or it can differ per environment.

Required SAML Assertion Attributes

The IdP’s SAML assertion must include the following attributes. Attribute names are case-sensitive.

Attribute	Description	Required
NameID	The unique employee identifier. Must match the employee’s `externalId` (or `samlNameId` if SAML Login For Lookup is enabled) in Tulip.	Yes (always)
username	A unique username for the user. May be identical to NameID. Displayed next to the user’s avatar in the app.	Yes (for auto-provisioning)
first_name	User’s first name.	Yes (for auto-provisioning)
last_name	User’s last name.	Yes (for auto-provisioning)
primary_email	User’s email address.	Yes (for auto-provisioning)
home_store_id	The store’s `externalId` in Tulip.	Yes (for auto-provisioning)
role	The user’s role in the system. Must match a role `externalId` configured in Tulip.	Yes (for auto-provisioning)

Attributes beyond NameID are required when Provision Users is enabled (automatic user provisioning). If provisioning is disabled, only NameID is mandatory – but the employee must already exist in Tulip.

Step 2: Client Configures Their Identity Provider

The client creates a SAML application in their IdP and configures it with the values from Step 1. They then provide Tulip with:

Field	Where to Find It
Issuer / EntityID	Usually found in the IdP’s metadata XML under the `EntityDescriptor` tag’s `entityID` attribute.
Login URL (SSO URL)	The IdP’s single sign-on endpoint. Found in metadata XML under `SingleSignOnService` > `Location` attribute.
Logout URL	The IdP’s single sign-out endpoint (optional).
Verification Certificate	The X.509 certificate used to sign SAML responses. Found in metadata XML under the `X509Certificate` tag. The string typically starts with “MII”.
Metadata XML	Some IdPs allow exporting a Federation Metadata XML file that contains all of the above.

Step 3: Configure the Identity Provider in Admin Console

Navigate to Admin Console > Integrations > Identity Providers > Create.

Create New Identity Provider form in Admin Console

Field Reference

Field	Required	Description
Name	Yes	A display name for this identity provider (e.g., “Contoso Entra ID”).
Enabled	–	Toggle the IdP on or off. Must be enabled for SSO to work.
Provision Users	–	When enabled, Tulip automatically creates an employee and auth user if they don’t already exist when a user logs in via SAML. Requires additional assertion attributes (see Required Attributes).
Sync Profiles	–	When enabled, updates existing users' roles based on the role attribute in the SAML assertion on each login.
Replace Roles	–	Only applies when Sync Profiles is enabled. When on, the user’s existing roles are replaced with the role from the assertion. When off, the assertion role is appended to the user’s existing roles.
ForceAuthn	–	When enabled, the IdP always prompts the user to log in (no cached sessions). Recommended to keep on unless Logout URL is configured.
SAML Login For Lookup	–	When enabled, Tulip matches the SAML NameID against the employee’s `samlNameId` field instead of `externalId`. See The samlNameId Field.
Issuer	Yes	The IdP’s EntityID / Issuer. Must exactly match the `Issuer` value in the SAML response.
Login URL	Yes	The IdP’s SSO endpoint URL where users are redirected to authenticate.
Logout URL	No	The IdP’s logout endpoint. Required if ForceAuthn is disabled (for single sign-out).
Metadata	No	The IdP’s metadata XML (optional, for reference).
Verification Certificate	Yes	The X.509 certificate from the IdP used to validate SAML response signatures. Paste the certificate string (typically starts with “MII”).
SP Sign Request	–	When enabled, Tulip signs outgoing AuthnRequests. If enabled, you must provide the SP certificate to the client’s IdP. Typically left off.
Binding	Yes	The binding type for SAML requests. HTTP-Post is the standard choice. HTTP-Redirect is also supported.
Authn Context Class	Yes	The authentication context class references to include in login requests. Can be left as “None selected” for most setups.
NameID Format	Yes	The expected format of the NameID in the SAML response. Persistent Identifier is recommended. Other options: Unspecified, Email Address, Transient Identifier, X.509 Subject Name, Kerberos Principal Name, Entity Identifier.

After saving, Tulip’s authentication service (Bouncer) will pick up the new configuration within approximately one minute. The login screen will then show the SSO option.

Employee Data Requirements

For SAML login to succeed, the NameID in the SAML assertion must match a Tulip employee record. There are two ways this matching works:

The NameID from the SAML assertion is matched against the employee’s externalId field. This means whatever value the IdP sends as NameID must exactly match the externalId set on the employee in Tulip.

When loading employees (via TGEN, the Aerial API, or another method), ensure each employee’s externalId is set to the value that will come through as their SAML NameID.

If the employee’s externalId needs to remain different from their SAML login identifier (e.g., externalId is an HR system ID while SAML uses email), you can use the samlNameId field to decouple them.

When this is configured, the SAML NameID is matched against the employee’s samlNameId field instead of externalId.

To use this approach:

Enable the SAML Login For Lookup toggle on the identity provider in Admin Console.
Set the samlNameId field on each employee record to match the value that will come through as their SAML NameID.

The samlNameId Field

The samlNameId is an optional field on the employee resource. It is available in:

Aerial API – as the samlNameId property on the employee object. Defined as:
“If using SSO for authentication against a third party system, set the login username in this field if different than the value set in externalId."
TGEN – as the samlNameId column in employee import CSV files.

Aerial API example (PATCH an employee to set samlNameId):

PATCH /api/2026-04/storeOps/employees/{id}

{
  "samlNameId": "jane.doe@contoso.com"
}

TGEN CSV example (columns):

externalId,samlNameId,disabled,store,displayName,...
EMP001,jane.doe@contoso.com,false,STORE01,Jane Doe,...

In this example, the employee’s externalId is EMP001 (used by other integrations) while their SAML login identifier is jane.doe@contoso.com.

For new tenants with automatic user provisioning enabled, it is recommended to enable SAML Login For Lookup from the start.

Auth User Setup

If you are pre-loading employees (not using auto-provisioning), each employee also needs an authUser record. The authUser.username must match the SAML NameID value:

{
  "externalId": "EMP001",
  "samlNameId": "jane.doe@contoso.com",
  "firstName": "Jane",
  "lastName": "Doe",
  "authUser": {
    "username": "jane.doe@contoso.com",
    "password": "placeholder123",
    "disabled": false
  }
}

The password will not be used for SAML authentication but must be a valid value (3+ characters).

Example: Setting Up SAML with Microsoft Entra ID (Azure AD)

This walkthrough demonstrates how to configure SAML SSO using Microsoft Entra ID as the identity provider.

1. Create an Enterprise Application in Entra ID

Sign in to the Microsoft Entra admin center.
Navigate to Identity > Applications > Enterprise applications.
Click New application > Create your own application.
Enter a name (e.g., “Tulip Retail”) and select Integrate any other application you don’t find in the gallery (Non-gallery).
Click Create.

2. Configure SAML Single Sign-On

In the new application, go to Single sign-on and select SAML.
In Basic SAML Configuration, click Edit and enter:

Setting	Value
Identifier (Entity ID)	`https://tulip.com/`
Reply URL (ACS URL)	`https://<tenant>.tulipretail.com/auth/saml`

If you have multiple environments (staging + production), add each ACS URL as a separate Reply URL under the same application. Each environment will include its ACS URL in the SAML request, and Entra ID will respond to the correct one.

Click Save.

In Azure, if you configure multiple Reply URLs, remove the Login URL field from the SAML configuration, as it can only point to a single tenant and may cause routing issues.

3. Configure User Attributes and Claims

In the SAML configuration page, open Attributes & Claims > Edit.
Configure the NameID (Name identifier):
- Click on the Name identifier value row.
- Set the Source attribute to the field that matches the employee’s externalId (or samlNameId) in Tulip. Common choices:
  - user.employeeid – if the employee ID is synced to Entra
  - user.mail – if using email as the identifier
  - user.userprincipalname – if using UPN
- Set the Name identifier format to Persistent.
- Click Save.
If Provision Users is enabled in Tulip, add the following additional claims. Click Add new claim for each:

Claim Name	Source Attribute
`username`	`user.userprincipalname` (or the same as NameID)
`first_name`	`user.givenname`
`last_name`	`user.surname`
`primary_email`	`user.mail`
`home_store_id`	A custom attribute or extension attribute containing the store ID
`role`	A custom attribute or app role containing the Tulip role external ID

Make sure claim names are lowercase and match exactly as specified (e.g., first_name, not FirstName).

4. Download the IdP Metadata

In the SAML Certificates section, download the Federation Metadata XML file.
From this file, extract:
- Issuer: The entityID attribute from the EntityDescriptor tag.
- Login URL: The Location attribute from the SingleSignOnService tag with Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST".
- Certificate: The content of the X509Certificate tag.

Alternatively, the Login URL, Entra Identifier, and Logout URL are displayed directly on the SAML setup page under Set up Tulip Retail.

5. Assign Users

Go to Users and groups in the Enterprise Application.
Click Add user/group.
Assign the users or groups that should have access to Tulip.

Only users assigned to the application will be able to authenticate.

6. Configure Tulip Admin Console

Using the values from Step 4, create the identity provider in Admin Console as described in Step 3:

Admin Console Field	Value from Entra ID
Issuer	EntityID from metadata (e.g., `https://sts.windows.net/<tenant-id>/`)
Login URL	Login URL from the SAML setup page
Logout URL	Logout URL from the SAML setup page
Verification Certificate	The X.509 certificate string from the metadata
Binding	HTTP-Post
NameID Format	Persistent Identifier

7. Test the Integration

Ensure the test employee accounts exist in Tulip with externalId (or samlNameId) values matching what Entra ID sends as NameID.
Open the Tulip app or navigate to https://<tenant>.tulipretail.com.
The login page should redirect to the Microsoft login screen.
Log in with a test account.
On successful authentication, the user should be redirected back to Tulip and logged in.

Troubleshooting

“SAMLResponse from unknown identity provider issuer”

The Issuer (EntityID) in the SAML response does not match the Issuer configured in Admin Console. Verify that the Issuer field in the identity provider settings exactly matches the entityID from the IdP’s metadata.

User authenticates at the IdP but gets an error in Tulip

Verify that the NameID value in the SAML assertion matches an employee’s externalId or samlNameId in Tulip.
Ensure that the employee account is not disabled.
Check that the verification certificate in Admin Console is correct and not expired.

Shared EntityID across multiple environments

If the client’s IdP requires unique Entity IDs per application (e.g., Entra ID), but Tulip expects https://tulip.com/, you can use a single IdP application with multiple Reply URLs (ACS URLs). Each Tulip environment sends its own ACS URL in the SAML request, and the IdP responds to the appropriate one.

IdP-initiated login flows will always redirect to the default Reply URL. SP-initiated login (user starts from the Tulip app) is recommended for multi-environment setups.

ForceAuthn and Logout URL

If ForceAuthn is disabled and no Logout URL is configured, users may remain logged in via cached IdP sessions even after logging out of Tulip. Either keep ForceAuthn enabled or configure a Logout URL for single sign-out.

SAML SSO Setup Guide

Overview#

Key Terminology#

How It Works#

Prerequisites#

Step 1: Provide SAML Configuration Details to the Client#

Required SAML Assertion Attributes#

Step 2: Client Configures Their Identity Provider#

Step 3: Configure the Identity Provider in Admin Console#

Field Reference#

Employee Data Requirements#

Default Behavior (SAML Login For Lookup OFF)#

Using the samlNameId Field (SAML Login For Lookup ON)#

The samlNameId Field#

Auth User Setup#

Example: Setting Up SAML with Microsoft Entra ID (Azure AD)#

1. Create an Enterprise Application in Entra ID#

2. Configure SAML Single Sign-On#

3. Configure User Attributes and Claims#

4. Download the IdP Metadata#

5. Assign Users#

6. Configure Tulip Admin Console#

7. Test the Integration#

Troubleshooting#

“SAMLResponse from unknown identity provider issuer”#

User authenticates at the IdP but gets an error in Tulip#

Shared EntityID across multiple environments#

ForceAuthn and Logout URL#