# SAML

### Configuring SAML Authentication in Tellius

Tellius supports SAML 2.0 as a secure, enterprise-grade authentication method. By integrating your organization’s Identity Provider (IdP) such as Okta, OneLogin, or Azure AD, users can log in to Tellius using Single Sign-On (SSO) credentials they already use within your enterprise environment.

The steps to configure Tellius in the different identity providers and obtain the metadata XML file are described in this [**section**](/tellius-6.3/settings/security/authentication/saml/using-okta-as-an-idp-saml-integration.md).

### What is SAML?

SAML (Security Assertion Markup Language) is an XML-based open standard for exchanging authentication and authorization data between parties, specifically between an IdP and a Service Provider like Tellius.

When enabled:

* Tellius no longer manages login credentials directly.
* Authentication requests are routed to your IdP.
* Users are automatically created in Tellius on first login.
* Users are authenticated using your existing identity system.

### Prerequisites

Before configuring SAML on Tellius, make sure you have:

1. Access to Tellius with Admin privileges and access to your IdP admin dashboard (e.g., Okta, OneLogin).
2. A valid [SAML metadata XML](/tellius-6.3/settings/security/authentication/saml/xml-file.md) file that includes:
   * IdP Entity ID
   * IdP Login URL (Single Sign-On URL)
   * IdP Logout URL
   * X.509 Certificate

Your internal IT team typically provides this metadata file, or you can generate it from your IdP during setup. For clarifications during setup, contact your internal SAML team, or reach out to Tellius Support.

### Upload SAML Configuration in Tellius

Under **Settings → Security → Authentication → SAML**, provide the following details.

<figure><img src="/files/YmqdpJwYGabCE3HYroZP" alt="" width="563"><figcaption><p>SAML</p></figcaption></figure>

1. **Entity ID (Audience URI):** This is the unique identifier for Tellius as the Service Provider. It must match the Audience URI value provided during IdP setup.

The following attribute mappings connect the user identity details from your IdP to Tellius user profiles. You can skip this section, but it is highly recommended for complete user profile creation. These values should exactly match the user information shared by your IdP during SAML login.

2. **Username mapping:** The IdP attribute that identifies the user (usually email or username).
3. **Email:** The attribute in your IdP that stores the user's email.
4. **First Name:** The attribute for the user's first name.
5. **Last Name:** The attribute for the user's last name.
6. **Default user role:** Selects the role assigned to all new users signing in via SAML for the first time.

Once the configuration is saved, Tellius uses SAML for authentication.

### How SAML login works in Tellius

* Users visiting the Tellius login page will see a **“Login”** button.
* Clicking the button redirects them to the SAML IdP (e.g., Okta) for authentication.
* If it’s the user’s first login, Tellius will automatically create the user account based on SAML attributes.
* No password setup or user creation is required within Tellius itself.
