Back to Guides
Intermediate
40 minutes

SSO Configuration Guide

Configure single sign-on with your identity provider. Support for OIDC and SAML protocols with automatic role mapping and user provisioning.

Overview

TigerAccess supports both OIDC and SAML protocols for SSO integration:

  • OIDC Support: Okta, Azure AD, Google Workspace, Auth0, and more
  • SAML 2.0: Compatible with all major enterprise IdPs
  • Auto Provisioning: Create users automatically on first login
  • Role Mapping: Map IdP groups to TigerAccess roles

Prerequisites

  • TigerAccess auth service running with HTTPS enabled
  • Admin access to your identity provider
  • Public domain name for TigerAccess (e.g., tigeraccess.example.com)
  • Valid SSL certificate for your domain

Okta (OIDC) Configuration

Step 1: Create Okta Application

  1. Log in to Okta Admin Console
  2. Navigate to Applications → Create App Integration
  3. Select "OIDC - OpenID Connect"
  4. Choose "Web Application"
  5. Set redirect URI: https://tigeraccess.example.com:3080/v1/webapi/oidc/callback
  6. Note the Client ID and Client Secret

Step 2: Configure Groups Claims

In Okta, configure group claims to send group membership:

  1. In your app, go to Sign On → OpenID Connect ID Token
  2. Add a groups claim with filter: "Matches regex: .*"
  3. Value type: "Expression" with value: getFilteredGroups(app.profile.groupwhitelist, "group.name", 100)

Step 3: Configure TigerAccess

tac connectors create okta --spec - <<EOF
kind: oidc
version: v3
metadata:
  name: okta
spec:
  issuer_url: "https://your-org.okta.com"
  client_id: "YOUR_CLIENT_ID"
  client_secret: "YOUR_CLIENT_SECRET"
  redirect_url: "https://tigeraccess.example.com:3080/v1/webapi/oidc/callback"
  display: "Okta"
  scope: ["openid", "profile", "email", "groups"]
  claims_to_roles:
    - claim: "groups"
      value: "TigerAccess-Admins"
      roles: ["access", "editor"]
    - claim: "groups"
      value: "TigerAccess-Developers"
      roles: ["developer"]
EOF

Azure AD (OIDC) Configuration

Step 1: Register Application

  1. Log in to Azure Portal
  2. Navigate to Azure Active Directory → App registrations
  3. Click "New registration"
  4. Set redirect URI: https://tigeraccess.example.com:3080/v1/webapi/oidc/callback
  5. Click "Register"

Step 2: Create Client Secret

  1. In your app, go to Certificates & secrets
  2. Click "New client secret"
  3. Add description and expiration
  4. Copy the secret value (shown only once)

Step 3: Configure API Permissions

  1. Go to API permissions
  2. Add Microsoft Graph permissions: User.Read, GroupMember.Read.All
  3. Grant admin consent

Step 4: Configure TigerAccess

tac connectors create azure-ad --spec - <<EOF
kind: oidc
version: v3
metadata:
  name: azure-ad
spec:
  issuer_url: "https://login.microsoftonline.com/YOUR_TENANT_ID/v2.0"
  client_id: "YOUR_APPLICATION_ID"
  client_secret: "YOUR_CLIENT_SECRET"
  redirect_url: "https://tigeraccess.example.com:3080/v1/webapi/oidc/callback"
  display: "Azure AD"
  scope: ["openid", "profile", "email", "User.Read", "GroupMember.Read.All"]
  claims_to_roles:
    - claim: "groups"
      value: "ADMIN_GROUP_ID"
      roles: ["access", "editor"]
    - claim: "groups"
      value: "DEVELOPER_GROUP_ID"
      roles: ["developer"]
EOF

Google Workspace (OIDC) Configuration

Step 1: Create OAuth 2.0 Client

  1. Go to Google Cloud Console
  2. Navigate to APIs & Services → Credentials
  3. Create OAuth 2.0 Client ID
  4. Application type: Web application
  5. Authorized redirect URI: https://tigeraccess.example.com:3080/v1/webapi/oidc/callback
  6. Note Client ID and Client Secret

Step 2: Configure TigerAccess

tac connectors create google --spec - <<EOF
kind: oidc
version: v3
metadata:
  name: google
spec:
  issuer_url: "https://accounts.google.com"
  client_id: "YOUR_CLIENT_ID.apps.googleusercontent.com"
  client_secret: "YOUR_CLIENT_SECRET"
  redirect_url: "https://tigeraccess.example.com:3080/v1/webapi/oidc/callback"
  display: "Google"
  scope: ["openid", "profile", "email"]
  google_admin_email: "admin@example.com"
  google_service_account_uri: "path/to/service-account.json"
  claims_to_roles:
    - claim: "hd"
      value: "example.com"
      roles: ["access"]
EOF

SAML Configuration

Step 1: Get SAML Metadata

# Download TigerAccess metadata
curl https://tigeraccess.example.com:3080/v1/webapi/saml/metadata > tigeraccess-metadata.xml

Step 2: Configure SAML in IdP

In your IdP (Okta, OneLogin, etc.):

  1. Create a new SAML application
  2. Upload the TigerAccess metadata file
  3. Or manually configure:
    • ACS URL: https://tigeraccess.example.com:3080/v1/webapi/saml/acs
    • Entity ID: https://tigeraccess.example.com:3080
    • Name ID format: EmailAddress
  4. Download IdP metadata file

Step 3: Configure TigerAccess

tac connectors create saml-idp --spec - <<EOF
kind: saml
version: v2
metadata:
  name: saml-idp
spec:
  acs: "https://tigeraccess.example.com:3080/v1/webapi/saml/acs"
  entity_descriptor: |
$(cat idp-metadata.xml | sed 's/^/    /')
  attributes_to_roles:
    - name: "groups"
      value: "Admins"
      roles: ["access", "editor"]
    - name: "groups"
      value: "Developers"
      roles: ["developer"]
  display: "Corporate SSO"
EOF

Role Mapping

Dynamic Role Assignment

Map IdP groups/claims to TigerAccess roles dynamically:

# Multiple role mappings
claims_to_roles:
  # Exact match
  - claim: "groups"
    value: "TigerAccess-SuperAdmins"
    roles: ["access", "editor", "auditor"]

  # Regex match
  - claim: "groups"
    value: "TigerAccess-.*-Admins"
    roles: ["access", "editor"]

  # Email domain
  - claim: "email"
    value: "*@example.com"
    roles: ["access"]

Default Roles

# Assign default roles to all SSO users
spec:
  # ... other config ...
  default_roles: ["access"]
  # Optional: require explicit role mapping
  allow_default_role: true

Testing SSO

Test SSO Login

# CLI SSO login
tac login --auth=okta --proxy=proxy.example.com:3023

# Or use web UI
# Navigate to https://tigeraccess.example.com:3080

Verify User Roles

# Check your current user info
tac status

# View all SSO users
tac users ls --auth-type=sso

Test Role Mapping

# View connector configuration
tac connectors show okta

# Test role mapping
tac connectors test okta --user=test@example.com

Troubleshooting

Redirect URI Mismatch

Ensure the redirect URI in your IdP exactly matches TigerAccess configuration:

# Check configured redirect URL
tac connectors show okta | grep redirect_url

Groups Not Mapping

Verify group claims are included in the ID token:

# Enable debug logging
# In config.yaml:
log:
  severity: DEBUG

# Check auth logs
journalctl -u tigeraccess -f | grep OIDC

Certificate Errors

Ensure TigerAccess has a valid SSL certificate:

# Test SSL certificate
openssl s_client -connect tigeraccess.example.com:3080

# Verify in browser
# Navigate to https://tigeraccess.example.com:3080

Related Guides

Beginner

Quick Start Guide

Advanced

Custom RBAC Policies

Advanced

High Availability Deployment

Ready to Secure Your Infrastructure?

Join thousands of security-conscious teams using TigerAccess to protect their critical infrastructure and AI agents.

Start Free TrialContact Sales

No credit card required • 14-day free trial • Enterprise support available