Single Sign-On (SSO)
Single Sign-On (SSO) lets your users authenticate to Tabnine using your existing identity provider (IdP). You can configure SSO using either SAML or OAuth 2.0 / OpenID Connect, depending on what your IdP supports. Each organization can use one of these protocols at a time (SAML or OAuth 2.0, not both).
How To Configure Single Sign-On
In the Tabnine Admin Console, go to Settings, then General.
Next, open the Single Sign-On section and toggle Enable Single Sign-On (SSO) on.
Then, under SSO Protocol, choose either SAML or OAuth 2.0 (v6.0.0).


When SAML is selected as your SSO protocol:
Copy the SAML Callback URL from the Tabnine console.
In your IdP (for example Azure AD or Okta), paste this URL into the SAML application as the Reply URL / Assertion Consumer Service URL (ACS).
In the Tabnine console, fill in the following SAML provider parameters with values from your IdP:
Certificate – the IdP’s X.509 certificate (Base64‑encoded).
Entry point – the IdP’s SAML SSO / login URL.
Identifier format (optional) – the SAML NameID format your IdP uses (for example, email address).
AuthnContext (optional) – the authentication context class your IdP requires.
“Identifier format” refers to the name identifier format of the request your IdP expects. “AuthnContext” specifies the authentication mechanism and level of assurance the IdP should use.
(Optional) Adjust the SAML flags if required by your IdP:
wantAuthnResponseSigned
wantsAssertionSigned
disableRequestedAuthnContext
Click Save.
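A pre-flight check for the SAML flags above, as an added example (not Tabnine's code): given a base64-decoded SAMLResponse captured from a test login, it reports whether the response and the assertion each carry a signature, which NameID format is used, and whether Destination matches the callback URL. It assumes wantAuthnResponseSigned and wantsAssertionSigned mean what their names suggest; the function name preflight is hypothetical and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ACS_URL = "https://tabnine.customer.com/auth/sign-in/sso/saml/callback"  # placeholder domain

# Constructed sample (not a real capture): signed assertion, unsigned envelope.
# Signature bodies are elided; this checks structure only, it verifies nothing.
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" Destination="{ACS_URL}">
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignedInfo/></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_FORMAT}">dev@example.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def preflight(response_xml, acs_url):
    """Report what a decoded SAML response would satisfy; no signature is verified."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a SAML 2.0 Response")
    assertions = root.findall("saml:Assertion", NS)
    # SAML places an enveloped Signature as a direct child of the element it covers,
    # so one nested inside the Assertion does not make the Response itself signed.
    response_signed = root.find("ds:Signature", NS) is not None
    assertion_signed = bool(assertions) and all(
        a.find("ds:Signature", NS) is not None for a in assertions)
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    return {
        "response_signed": response_signed,    # assumed need of wantAuthnResponseSigned
        "assertion_signed": assertion_signed,  # assumed need of wantsAssertionSigned
        "assertion_encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
        "name_id_format": None if name_id is None else name_id.get("Format"),
        "destination_matches_acs": root.get("Destination") == acs_url,
    }


if __name__ == "__main__":
    for key, value in preflight(SAMPLE, ACS_URL).items():
        print(f"{key}: {value}")
```

If a field is False for a flag you intend to enable, turn on the matching signing option in the IdP rather than leaving the flag off.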

When OAuth 2.0 (supported since 6.0.0) is selected as your SSO protocol:
Copy the OAuth Redirect URI from the Tabnine console.
In your IdP / OAuth provider, paste this URI into the application configuration as the Redirect URI / Callback URL.
In the Tabnine console, fill in the following OAuth provider parameters with values from your IdP:
Client ID – the application’s client identifier.
Client Secret – the application’s client secret.
Auth URL – the authorization endpoint URL (for example, https://provider.com/oauth/authorize).
Token URL – the token endpoint URL.
User Info URL – the user info endpoint URL (if your provider uses one).
Scopes (optional) – used when retrieving the user’s identity. For example, openid email profile (used by default) is used with OpenID Connect.
Expand Advanced Settings and configure:

Email Claim (optional) – the field in the token that contains the user’s email (for example, email or upn).
Name Claim (optional) – the field that contains the user’s display name (for example, name).
Resource (optional) – a resource / audience value if your IdP requires it.
Custom CA Cert (optional) – a Base64‑encoded CA certificate if your IdP uses a custom CA.
Click Save.
After saving, test logging in via SSO to make sure the email and name claims map correctly to your Tabnine users.
Use Azure as a SAML IdP
Enter https://portal.azure.com/.
After logging into Azure, go to the Azure Active Directory tab.
Select Enterprise applications service.
Choose New application.
Choose Create your own application.
Choose Non-gallery application. (Integrate any other application you don't find in the gallery.)
Name it (for example, "TabnineSSO") and click Add.
Choose Setup single sign-on.
Select SAML-based Sign-on as the SSO mode.
Next, add the Tabnine service provider details to the configuration in Azure. Set the following values in Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL), replacing tabnine.customer.com with your Tabnine cluster domain:

Choose user.mail as the value for Unique User Identifier.

In Section 3 - SAML Certificates, choose Download certificate (Base64).
In Section 4, copy the Login URL value to use in the next step.
Finally, make sure the following are checked at the bottom: ☑ wantsAssertionSigned and ☑ disableRequestedAuthnContext


Use Okta as a SAML IdP

Enter your Okta admin panel in Applications > Create App Integration > SAML2 integration.
Set an App name (e.g., "Tabnine").

Next, set the following values:
Single sign-on URL: https://tabnine.customer.com/auth/sign-in/sso/saml/callback
Audience URI (SP Entity ID): https://tabnine.customer.com/auth/sign-in/sso/saml
Name ID format: EmailAddress
NOTE: Replace tabnine.customer.com with your Tabnine cluster domain.

Choose 🔵 I'm an Okta customer adding an internal app.

In the created app in Okta ("Tabnine"), open the Sign on tab and copy the Sign on URL and Signing Certificate values.
