# Single Sign-On (SSO)

## Single Sign-On

Single Sign-On (SSO) lets your users authenticate to Tabnine using your existing identity provider (IdP). You can configure SSO using either SAML or OAuth 2.0 / OpenID Connect, depending on what your IdP supports. Each organization can use one of these protocols at a time (SAML or OAuth 2.0, not both).

### How To Configure Single Sign-On

In the Tabnine Admin Console, go to **Settings**, then **General**.

Next, open the <mark style="color:blue;">**Single Sign-On**</mark> section and toggle **Enable Single Sign-On (SSO)** on.

Then, under **SSO Protocol**, choose either **SAML** or **OAuth 2.0 (**[**v6.0.0**](https://docs.tabnine.com/main/administering-tabnine/managing-your-team/settings/pages/risy3bTOlfBfgFRRXK8K#v6.0.0)**)**.

<figure><img src="/files/homO7ZVSSiNCfIeUGyjj" alt=""><figcaption></figcaption></figure>

{% tabs %}
{% tab title="Configuring SAML" %}
![](/files/djkPPZPDC5Y5z4bvRo7L)

When **SAML** is selected as your SSO protocol:

1. Copy the **SAML Callback** URL from the Tabnine console.
2. In your IdP (for example Azure AD or Okta), paste this URL into the SAML application as the **Reply URL / Assertion Consumer Service URL (ACS)**.
3. In the Tabnine console, fill in the following **SAML provider parameters** with values from your IdP:

   * **Certificate** – the IdP’s X.509 certificate (Base64‑encoded).
   * **Entry point** – the IdP’s SAML SSO / login URL.
   * **Identifier format** (optional) – the SAML NameID format your IdP uses (for example, email address).
   * **AuthnContext** (optional) – the authentication context class your IdP requires.

   “Identifier format” refers to the name identifier format of the request your IdP expects.\
   “`AuthnContext`” specifies the authentication mechanism and level of assurance the IdP should use.
4. (Optional) Adjust the SAML flags if required by your IdP:
   * **`wantAuthnResponseSigned`**
   * **`wantsAssertionSigned`**
   * **`disableRequestedAuthnContext`**
5. Click **Save**.
   {% endtab %}

{% tab title="Configure OAuth 2.0" %}

<figure><img src="/files/KhwUoSusIFCqZ8De7hHZ" alt=""><figcaption></figcaption></figure>

When OAuth 2.0 (supported since [6.0.0](https://docs.tabnine.com/main/administering-tabnine/managing-your-team/settings/pages/risy3bTOlfBfgFRRXK8K#v6.0.0)) is selected as your SSO protocol:

1. Copy the OAuth Redirect URI from the Tabnine console.
2. In your IdP / OAuth provider, paste this URI into the application configuration as the Redirect URI / Callback URL.
3. In the Tabnine console, fill in the following OAuth provider parameters with values from your IdP:

* **Client ID** – the application’s client identifier.
* **Client Secret** – the application’s client secret.
* **Auth URL** – the authorization endpoint URL (for example, `https://provider.com/oauth/authorize`).
* **Token URL** – the token endpoint URL.
* **User Info URL** – the user info endpoint URL (if your provider uses one).
* **Scopes** (optional) – the scopes requested when retrieving the user’s identity.
  * For example, `openid email profile` (used by default) when using OpenID Connect.

4. Expand **Advanced Settings** and configure:

<figure><img src="/files/paUKjkTiJcYHwuq5hWm2" alt=""><figcaption></figcaption></figure>

* **Email Claim** (optional) – the field in the token that contains the user’s email (for example, `email` or `upn`).
* **Name Claim** (optional) – the field that contains the user’s display name (for example, `name`).
* **Resource** (optional) – a resource / audience value if your IdP requires it.
* **Custom CA Cert** (optional) – a Base64‑encoded CA certificate if your IdP uses a custom CA.

5. Click **Save**.
   {% endtab %}
   {% endtabs %}

After saving, test logging in via SSO to make sure the email and name claims map correctly to your Tabnine users.
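
One way to check the claim mapping during that test login, as an added example that is not part of Tabnine's own tooling: decode the payload of an ID token issued by your IdP and compare it with the **Email Claim** and **Name Claim** you configured. The function names and the sample token are constructed for illustration, and the token's signature is not verified, so use this for inspection only.

```python
import base64
import json
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(id_token):
    """Return the payload of a JWT for inspection. Does NOT verify the signature."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def check_claim_mapping(claims, email_claim, name_claim):
    """Compare the configured Email Claim / Name Claim with what the token carries."""
    problems = []
    email = claims.get(email_claim)
    if not isinstance(email, str) or not EMAIL_RE.match(email):
        # List the claims that do hold an address, to show what to configure.
        candidates = sorted(k for k, v in claims.items()
                            if isinstance(v, str) and EMAIL_RE.match(v))
        problems.append(f"Email Claim '{email_claim}' missing or not an address; "
                        f"claims that hold one: {candidates}")
    if not isinstance(claims.get(name_claim), str) or not claims[name_claim].strip():
        problems.append(f"Name Claim '{name_claim}' missing or empty")
    return problems


def make_sample_token(payload):
    # Constructed, unsigned token for the demo; "sig" is a placeholder.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.sig"


# Constructed payload: the address is carried in "upn", there is no "email" claim.
SAMPLE_TOKEN = make_sample_token({
    "sub": "constructed-subject", "name": "Dev Example",
    "upn": "dev@example.com", "iss": "https://idp.example.com",
})

if __name__ == "__main__":
    claims = token_claims(SAMPLE_TOKEN)
    print(check_claim_mapping(claims, "email", "name"))  # Email Claim set to "email"
    print(check_claim_mapping(claims, "upn", "name"))    # Email Claim set to "upn"
```
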

### <img src="/files/gxSyhs5B0n6G8eISARi9" alt="" data-size="line"> Use Azure as a SAML IdP

1. Go to <https://portal.azure.com/>.
2. After logging into Azure, go to the **Azure Active Directory** tab.
3. Select the **Enterprise applications** service.
4. Choose **New application.**
5. Choose **Create your own application.**
6. Choose **Non-gallery application.** (Integrate any other application you don't find in the gallery.)
7. Name it (for example, "TabnineSSO") and click **Add.**
8. Choose **Setup single sign-on**.
9. Select **SAML-based Sign-on** as the SSO mode.
10. Next, add the Tabnine service provider details to the configuration in Azure. Set the following values in **Identifier (Entity ID)** and **Reply URL (Assertion Consumer Service URL)**, replacing **tabnine.customer.com** with your Tabnine cluster domain:

    <figure><img src="/files/P40VHNiAg7NsIUlCBxRb" alt=""><figcaption></figcaption></figure>
11. Choose **user.mail** as the value for **Unique User Identifier**:

    <figure><img src="/files/4nQOr1Qjvp5Sy76HsNUZ" alt=""><figcaption></figcaption></figure>
12. In Section 3 - SAML Certificates, choose **Download certificate (Base64).**
13. In Section 4, copy the **Login URL** value to use in the next step.
14. Finally, make sure the following are checked at the bottom:\
    **☑ wantsAssertionSigned** and **☑ disableRequestedAuthnContext**

<figure><img src="/files/cWI0Ki13krwhq8PY826u" alt=""><figcaption><p>Be sure to have checked off <strong>☑ wantsAssertionSigned</strong> and <strong>☑ disableRequestedAuthnContext</strong> for Azure configurations</p></figcaption></figure>
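
To see what your IdP actually sends before toggling the SAML flags, you can inspect a `SAMLResponse` captured from a test login. The following is an added example, not Tabnine's or Azure's code: it reports whether the outer Response and the Assertion each carry a signature element, plus the NameID format and AuthnContext class. It assumes `wantAuthnResponseSigned` and `wantsAssertionSigned` refer to those two signature positions; `inspect_saml_response` and the sample response are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: unsigned Response wrapping a signed Assertion.
# The signature body is a placeholder; only its position matters here.
SAMPLE_XML = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">dev@example.com</saml:NameID>
    </saml:Subject>
    <saml:AuthnStatement><saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext></saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def inspect_saml_response(b64_response):
    """Summarise the parts of a SAMLResponse that the SAML settings depend on."""
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response document")
    assertions = root.findall("saml:Assertion", NS)
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    ctx = root.find(".//saml:AuthnContextClassRef", NS)
    return {
        # Presence of an enveloped ds:Signature child; validity is NOT checked.
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": bool(assertions) and all(
            a.find("ds:Signature", NS) is not None for a in assertions),
        "assertion_encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
        "name_id_format": None if name_id is None else name_id.get("Format"),
        "authn_context": None if ctx is None else (ctx.text or "").strip(),
    }


if __name__ == "__main__":
    for key, value in inspect_saml_response(SAMPLE_B64).items():
        print(f"{key:20} {value}")
```

For the constructed sample, the report shows a signed Assertion inside an unsigned Response, with an email-address NameID format.
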

### <picture><source srcset="/files/dbvk04uWisWp73msLgab" media="(prefers-color-scheme: dark)"><img src="/files/CGt2aXUNCk2lj8F3h9dS" alt="" data-size="line"></picture> Use Okta as a SAML IdP

1. In your Okta admin panel, go to **Applications > Create App Integration > SAML2 integration.**
2. Set an App name (e.g., "Tabnine"):

   <figure><img src="/files/zwjPEYXNTtWegDDdiZQj" alt=""><figcaption></figcaption></figure>
3. Next, set the following values:\
   \
   **Single sign-on URL:** *https\://**tabnine.customer.com**/auth/sign-in/sso/saml/callback*\
   \
   **Audience URI (SP Entity ID):** *https\://**tabnine.customer.com**/auth/sign-in/sso/saml*\
   \
   **Name ID format:** `EmailAddress`\
   \
   *NOTE: Replace **tabnine.customer.com** with your Tabnine cluster domain.*

<figure><img src="/files/NJiApWdFVDstbouVnFzt" alt=""><figcaption></figcaption></figure>

4. Choose 🔵 **I'm an Okta customer adding an internal app.**

<figure><img src="/files/siXeULLtXIoSPITBiAB2" alt=""><figcaption></figcaption></figure>

5. In the app you created in Okta ("Tabnine"), open the **Sign on** tab and copy the **Sign on URL** and **Signing Certificate** values.


