Single Sign-On (SSO)

Tidelift supports several Single Sign-On (SSO) methods, in addition to username and password authentication.

SAML SSO

Tidelift allows customers on the Enterprise plan to set up authentication via SAML. When using SAML for SSO, all signups and logins for your domain must be through SSO. To set up a SAML connection for your enterprise, contact us at support@tidelift.com to begin the setup process.

⚠️ Note: We do not support IdP-initiated login

SAML configuration options

1. Basic setup
   With this option, each user must be manually invited to the org by an org administrator, and Support must manually enable SAML SSO for each user.  We set this up at first no matter what, and only enable additional options after testing is complete.
   
   
2. Domain-wide SSO login
   With this option, we enable SAML SSO for all users within your organization. Users must join the organization before they can log in with SSO. Users can be invited to join your organization by an org admin, and must accept the invite before they can log in with SSO. The benefit of this option over Basic setup is that your administrators can add new users in your domain without having to reach out to Support.
   
   Please note that this is enabled by domain. For example - if we configure this for user@yourcompany.com, users with an email address domain other than @yourcompany.com will not have access. Later on, if you want to enable SAML SSO for additional email domains, or individual users with a different email domain, please reach out to our Support team.
   
   
3. User auto-join
   This option can only be enabled in addition to Domain-wide SSO login, and cannot be enabled without it. With user auto-join, new users who have access to Tidelift via your IdP do not have to be invited to your Tidelift organization to join. Any user who does not already belong to your Tidelift organization will have a Tidelift user account automatically created when they authenticate with SSO for the first time.
   
   

Setting up SAML SSO for your Tidelift organization

First, you'll need to create a SAML config in your authentication system (ie, Okta, GSuite, OneLogin). Then, provide Tidelift Support with the following info from your Identity Provider (IdP):

• XML metadata file
• x509 Signing certificate (in PEM or CER format)
• The email addresses of 1 or 2 users we can enable SAML SSO for initially, who will test and confirm the setup works.

What's next?
Our Support team will create the connection in our SAML Service Provider (SP), and provide you with the information to configure in your IdP. Then, once you let us know it's configured on your side, we’ll enable SAML SSO for the users you specified for testing. 

After we confirm the initial test is successful, we’ll enable SAML SSO for the rest of your organization according to the configuration option you choose.

Other SSO options

Sign in with Google

Tidelift allows users to sign up and log in with their Google credentials via OAuth2. We require (read-only) access to basic profile information about the user.

Sign in with GitHub

Tidelift allows users to sign up and log in with their GitHub credentials via OAuth2. We require (read-only) access to profile information including your email address as well as information about the organizations and teams that you have access to. Note that teams which are using our GitHub app are required to log in via GitHub, as we use GitHub's repository permissions to decide which GitHub repositories a user can access.