Single Sign-On (SSO) lets your team sign in to Tensorlake through your company’s identity provider (IdP). Once configured, members authenticate with your IdP instead of managing separate Tensorlake credentials.

Prerequisites

  • You must be an organization admin.
  • SSO access must be enabled for your organization. If you don’t have access, request it from the SSO settings page in the dashboard.

Setup

1. Configure your SSO provider

Navigate to Organization Settings > SSO and click Configure SSO Connection.
Tensorlake supports two protocols:
  • OIDC (OpenID Connect) — recommended for providers like Google Workspace, Okta, and Auth0.
  • SAML 2.0 — supported for providers like Azure AD (Entra ID), OneLogin, and other SAML-compatible IdPs.
Provide the following details:
| Field | Description |
| --- | --- |
| Domain | Your organization’s email domain (e.g. yourcompany.com). Users with this domain will be directed to your IdP. |
| Issuer URL | The issuer or entity ID from your IdP. |
| Client ID | The application/client ID assigned by your IdP. |
| Client Secret | The client secret from your IdP (OIDC only). |
| Authorization Endpoint | The URL where users are sent to authenticate (OIDC). |
| Token Endpoint | The URL used to exchange authorization codes for tokens (OIDC). |
| ACS URL / SSO URL | The Assertion Consumer Service URL (SAML). Provided by Tensorlake. |
| Certificate | The X.509 signing certificate from your IdP (SAML). |
Attribute mapping: Ensure your IdP sends at minimum the user’s email address. Name attributes (first name, last name) are recommended for a complete profile.
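The OIDC values entered above can be checked against the metadata your IdP publishes before you save them. The following is an added example, not Tensorlake code: it compares the Issuer URL, Authorization Endpoint and Token Endpoint with an OIDC discovery document. The host idp.example.com, the sample document and the form dictionary are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of an IdP's /.well-known/openid-configuration document.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://idp.example.com",
  "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
  "token_endpoint": "https://idp.example.com/oauth2/token",
  "response_types_supported": ["code", "id_token"],
  "scopes_supported": ["openid", "email", "profile"]
}""")

# Form field label -> discovery metadata key (key names from OIDC Discovery 1.0).
FIELDS = {
    "Issuer URL": "issuer",
    "Authorization Endpoint": "authorization_endpoint",
    "Token Endpoint": "token_endpoint",
}

def check_oidc_fields(form, discovery):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    for label, key in FIELDS.items():
        entered = form.get(label, "")
        parts = urlsplit(entered)
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"{label}: not an absolute https URL: {entered!r}")
        # Exact string comparison: OIDC relying parties compare the issuer
        # exactly, so a trailing slash or case change counts as a mismatch.
        if entered != discovery.get(key):
            problems.append(f"{label}: {entered!r} differs from IdP metadata "
                            f"{discovery.get(key)!r}")
    if "code" not in discovery.get("response_types_supported", []):
        problems.append("IdP metadata does not list the authorization code flow")
    scopes = discovery.get("scopes_supported")  # optional in the metadata
    if scopes is not None and "email" not in scopes:
        problems.append("IdP metadata does not list the 'email' scope")
    return problems

if __name__ == "__main__":
    form = {  # constructed values as an admin might paste them
        "Issuer URL": "https://idp.example.com/",  # note the trailing slash
        "Authorization Endpoint": "https://idp.example.com/oauth2/authorize",
        "Token Endpoint": "https://idp.example.com/oauth2/token",
    }
    for problem in check_oidc_fields(form, SAMPLE_DISCOVERY):
        print(problem)
```

Run as a script, it reports the trailing-slash issuer mismatch in the constructed form values.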
2. Test the SSO connection

After saving your configuration, test the connection by performing a test login.
  1. Click Test Connection in the SSO settings.
  2. You will be redirected to your IdP to authenticate.
  3. After successful authentication, you are redirected back to Tensorlake and the provider is marked as Verified.
SSO enforcement cannot be enabled until you have completed a successful test login. Enforcing an untested configuration could lock users out of your organization.
3. Enforce SSO (optional)

SSO enforcement requires all organization members to sign in through your IdP. When enabled, password-based login is disabled for all members — the only way to sign in is through the IdP.
To enable enforcement:
  1. Designate at least one organization admin as a bypass user. This is required before enforcement can be enabled.
  2. Toggle Enforce SSO in the SSO settings.
Bypass users are organization admins who retain password-based login for emergency recovery — for example, if your IdP goes down and you need to access the dashboard to disable enforcement. Only organization admins can be designated as bypass users.
Enabling SSO enforcement invalidates all existing sessions for the organization. All members (except bypass users) will be signed out and must re-authenticate through the IdP.
Only organization admins can enable or disable SSO enforcement and manage bypass users.

How SSO login works

When SSO is configured for your organization, the login flow works as follows:
  1. A user enters their email on the Tensorlake login page.
  2. Tensorlake checks whether the email domain has an SSO provider configured.
  3. If SSO is configured and enforced, the user is redirected to the IdP with an SSO_REQUIRED response. Password-based login is not available.
  4. If SSO is configured but not enforced, the user can choose to sign in with SSO or with their Tensorlake password.
  5. After authenticating with the IdP, the user is redirected back to Tensorlake and signed in.
New users who sign in via SSO on their first login are automatically provisioned with a Tensorlake account. Users who previously signed in with email OTP may need to be invited to the organization before SSO login will work for them.

Frequently Asked Questions

Tensorlake supports any IdP that implements OIDC or SAML 2.0. Common providers include Okta, Azure AD (Entra ID), Google Workspace, OneLogin, and Auth0.
Each organization supports one SSO provider at a time. If you need to switch providers, update the existing SSO configuration with the new provider’s details.
All members must authenticate through your IdP. Password-based login is disabled for the entire organization, except for designated bypass users.
Only organization admins can be designated as bypass users. At least one bypass user is required before SSO enforcement can be enabled. Bypass users retain password-based login solely for emergency recovery, such as disabling enforcement if your IdP becomes unavailable.
API keys are not affected by SSO enforcement. Existing API keys continue to work regardless of SSO settings. API keys authenticate directly with the Tensorlake API and do not go through the IdP login flow.
If your IdP is unavailable, members will not be able to sign in. A bypass user (org admin with password-based login retained) can sign in and disable enforcement until the IdP is restored.
Yes. SSO is not enforced until you explicitly enable enforcement. During setup and testing, all users can continue to sign in with their existing credentials.
No. Existing organization members continue to have access. They will simply be redirected to the IdP on their next login if enforcement is enabled.