Set Up SSO for Tropic

Configuring SSO by Provider

Setting Up SSO with Okta

• Sign in to the Okta Admin Console.
• Navigate to Applications > Applications > Create App Integration.
• Select SAML 2.0 and click Next.
• In General Settings, enter an app name (e.g., Tropic) and click Next.
• In SAML Settings, configure:
  • Single Sign-On URL: https://auth.tropicapp.io/login/callback?connection=[CUSTOMER]-okta
  • Audience URI: urn:auth0:tropic-next:[CUSTOMER]-okta
  • Replace [CUSTOMER] with your Tropic organization slug.
• Map Okta attributes to Tropic user fields:
  • firstName → user.firstname 
  • lastname→ user.lastname
  • email→ user.email 
  • Click Finish and download the Okta Certificate.
• Send the Okta Certificate and Identity Provider Single Sign-On URL to Tropic Support.
• Assign users/groups to the Tropic app in Okta.

Setting Up SSO with Microsoft Entra

• Sign in to Microsoft Entra Admin Center.
• Navigate to Identity > Applications > Enterprise Applications.
• Click + New Application, name the app, and select "Integrate any other application".
• In Single Sign-On, configure:
  • Identifier (Entity ID): urn:auth0:tropic-next:[CUSTOMER]-okta
  • Reply URL: https://auth.tropicapp.io/login/callback?connection=[CUSTOMER]-okta
  • Sign-On URL:https://app.tropicapp.io/login?org=[CUSTOMER-ID]
  • Save the configuration and download the SAML Signing Certificate.
  • Send the certificate and Login URL to Tropic Support.

Note: In the provided example, [CUSTOMER-ID] refers to the unique identifier associated with your organization within Tropic's system. For instance, if your organization's name in Tropic is "Acme Corp," then the Sign-On URL would be "https://app.tropicapp.io/login?org=acme-corp". This ensures that the authentication process is tailored to your organization's specific account within Tropic.

Setting Up SSO with OneLogin

• Sign in to the OneLogin Admin Portal.
• Navigate to Applications > Applications > Add App.
• Search for "SAML Custom Connector (Advanced)" and select it.
• In Configuration, enter:
  • Entity ID: urn:auth0:tropic-next:[CUSTOMER]-okta
  • ACS URL: Tropic Authentication Callback
  • Login URL: Tropic Login
• Set SAML Initiator to Service Provider, then save your changes.
• In the SSO settings, download the X.509 Certificate and copy the SAML 2.0 Endpoint URL.
• Send these details to Tropic Support for verification.
• Assign Tropic users or groups to the application in OneLogin to finalize access.

IdP Login (Optional Direct Login Link)

If you want to enable direct login from your Identity Provider (IdP), update the login URL by replacing org=tropic with your organization’s slug.

• You can find the correct organization slug in the authoritative SSO configuration page here
• For example, if your organization's slug is oktatest, the URL would be: https://app.tropicapp.io/login?org=oktatest

⚠️ After SSO setup, your organization's portal users can still access Tropic using only their work email address. See [Access the Purchasing Portal].

Required Permissions

• SSO Provider Admin Access: You must have admin rights in your SSO provider to configure settings.
• Tropic Role: Owner: Only Tropic Owners can enable and configure SSO.

Post-Setup Steps

Once SSO is configured:

• Confirm login access via your SSO provider or Tropic login page.
• Test user access to ensure successful authentication.
• Assign users/groups to the Tropic app in your SSO provider.

Limitations

• Tropic supports SAML-based provisioning only (SCIM and JIT provisioning are not supported).
• User creation in Tropic must be manual (creating users in your SSO provider does not automatically create them in Tropic).
• Tropic user roles can only be changed in Tropic, not via SSO.

Additional Resources

To get more information about configuring the login preferences that best suit your organization, please refer to Configuring Login Options