Sign-in methods
Configure which methods are available in Settings → Authentication. Enable any combination, or require SSO only.
Email and password
Users create an account with their email. You can disable this method entirely if you require SSO.
MFA
For email/password accounts, you can require multi-factor authentication. Users signing in via SSO or social login use their provider’s MFA instead.
Social login
Users sign in with an existing account. Enable the providers you want to allow:
GitHub
Microsoft
Single sign-on
Connect your identity provider. Users authenticate through your IdP with your existing security policies. Tero supports SAML 2.0 and OpenID Connect with all major providers:
Okta
Azure AD
Google Workspace
OneLogin
JumpCloud
PingFederate
Auth0
ADFS
Duo
Setup
Go to Settings → Authentication → Configure SSO to open the admin portal.
Connect your IdP
Follow the guided setup for your identity provider. The portal provides IdP-specific instructions.
Directory sync
Sync users and groups from your identity provider automatically. Enable directory sync in the admin portal after configuring SSO.
- User provisioning — Users are created when they’re added to your IdP and removed when they leave. No manual account management.
- Group sync — Select which IdP groups to sync. Map them to Tero teams so users get access to the right services automatically.
- Real-time updates — Changes propagate automatically. Your IdP is the source of truth.
Roles
- Admin — Full access. Manage settings, integrations, users, and teams. Approve any policy.
- Member — Access to assigned services. Review and approve policies for those services.
For security details, data handling, and compliance, see the Trust Center.