Overview
Single sign-on (SSO) allows Tropic users to log in using an SSO provider, such as Okta, Microsoft Entra, or OneLogin, without needing to manage separate passwords. This enhances security and simplifies access management.
This guide provides step-by-step instructions for setting up SSO with Tropic, including prerequisites, configuration steps, and key limitations.
Once your SSO is set up, you can log in from your SSO provider (IdP-initiated) or the Tropic login page (SP-initiated). Please note that you won’t be able to set a Tropic password.
Setting up SSO requires a short handoff with Tropic Support. You configure your SSO provider, then send your SSO certificate and login URL to Tropic, so our team can complete the setup.
Prerequisites
- Role required: Owner
- An active SSO provider (Okta, Microsoft Entra, OneLogin, etc.).
- Access to Tropic's Login Configuration settings.
- Your organization slug (found in Tropic’s SSO settings).
⚠️ SSO cannot be fully enabled without Tropic Support. Submitting your SSO details is required.
Steps to Connect SSO with Tropic
To enable SSO, you need to register Tropic as an app in your SSO provider and configure the necessary settings.
- Navigate to Settings → Login Configuration in Tropic.
- Register Tropic as an app within your SSO provider (Okta, Microsoft Entra, OneLogin).
- Configure the necessary SAML settings (outlined in the provider-specific sections below).
- Download your SSO certificate and Login URL and send them to Tropic Support. Tropic completes the SSO configuration on your behalf.
- Assign users or groups to the Tropic app within your SSO provider.
Configuring SSO by Provider
Setting Up SSO with Okta
- Sign in to the Okta Admin Console.
- Navigate to Applications > Applications > Create App Integration.
- Select SAML 2.0 and click Next.
- In General Settings, enter an app name (e.g., Tropic) and click Next.
- In SAML Settings, configure:
- Single Sign-On URL: https://auth.tropicapp.io/login/callback?connection=[CUSTOMER]-okta
- Audience URI: urn:auth0:tropic-next:[CUSTOMER]-okta
- Replace [CUSTOMER] with your Tropic organization slug.
- Map Okta attributes to Tropic user fields:
- firstname → user.firstname
- lastname→ user.lastname
- email→ user.email
- Click Finish and download the Okta Certificate.
- Send the Okta Certificate and Identity Provider Single Sign-On URL to Tropic Support.
- Assign users/groups to the Tropic app in Okta.
Setting Up SSO with Microsoft Entra
- Sign in to Microsoft Entra Admin Center.
- Navigate to Identity > Applications > Enterprise Applications.
- Click + New Application, name the app, and select "Integrate any other application".
- In Single Sign-On, configure:
- Identifier (Entity ID): urn:auth0:tropic-next:[CUSTOMER]-okta
- Reply URL: https://auth.tropicapp.io/login/callback?connection=[CUSTOMER]-okta
- Sign-On URL:https://app.tropicapp.io/login?org=[CUSTOMER-ID]
- Save the configuration and download the SAML Signing Certificate.
- Send the certificate and Login URL to Tropic Support.
Note: In the provided example, [CUSTOMER-ID] refers to the unique identifier associated with your organization within Tropic's system. For instance, if your organization's name in Tropic is "Acme Corp," then the Sign-On URL would be "https://app.tropicapp.io/login?org=acme-corp". This ensures that the authentication process is tailored to your organization's specific account within Tropic.
Setting Up SSO with OneLogin
- Sign in to the OneLogin Admin Portal.
- Navigate to Applications > Applications > Add App.
- Search for "SAML Custom Connector (Advanced)" and select it.
- In Configuration, enter:
- Entity ID: urn:auth0:tropic-next:[CUSTOMER]-okta
- ACS URL: https://auth.tropicapp.io/login/callback
- Login URL: https://app.tropicapp.io/login
- Set SAML Initiator to Service Provider, then save your changes.
- In the SSO settings, download the X.509 Certificate and copy the SAML 2.0 Endpoint URL.
- Send these details to Tropic Support for verification.
- Assign Tropic users or groups to the application in OneLogin to finalize access.
IdP Login (Optional Direct Login Link)
If you want to enable direct login from your Identity Provider (IdP), update the login URL by replacing org=tropic with your organization’s slug.
- You can find the correct organization slug in the authoritative SSO configuration page here
- For example, if your organization's slug is oktatest, the URL would be: https://app.tropicapp.io/login?org=oktatest
⚠️ After SSO setup, your organization's portal users can still access Tropic using only their work email address. See [Access the Purchasing Portal].
Required Permissions
- SSO Provider Admin Access: You must have admin rights in your SSO provider to configure settings.
- Tropic Role: Owner: Only Tropic Owners can enable and configure SSO.
Post-Setup Steps
Once SSO is configured:
- Confirm login access via your SSO provider or Tropic login page.
- Test user access to ensure successful authentication.
- Assign users/groups to the Tropic app in your SSO provider.
Limitations
- Tropic supports SAML-based provisioning only (SCIM and JIT provisioning are not supported).
- User creation in Tropic must be manual (creating users in your SSO provider does not automatically create them in Tropic).
- Tropic user roles can only be changed in Tropic, not via SSO.
Additional Resources
To get more information about configuring the login preferences that best suit your organization, please refer to Configuring Login Options