Sign-in methods
Configure which methods are available in Settings → Authentication. Enable any combination, or require SSO only.Email and password
Users create an account with their email. You can disable this method entirely if you require SSO.MFA
For email/password accounts, you can require multi-factor authentication. Users signing in via SSO or social login use their provider’s MFA instead.Social login
Users sign in with an existing account. Enable the providers you want to allow:GitHub
Microsoft
Single sign-on
Connect your identity provider. Users authenticate through your IdP with your existing security policies. Tero supports SAML 2.0 and OpenID Connect with all major providers:Okta
Azure AD
Google Workspace
OneLogin
JumpCloud
PingFederate
Auth0
ADFS
Duo
Setup
Go to Settings → Authentication → Configure SSO to open the admin portal.1
Verify your domain
Add a DNS TXT record to prove you own your domain.
2
Connect your IdP
Follow the guided setup for your identity provider. The portal provides IdP-specific instructions.
3
Test the connection
Verify SSO works before enabling for your organization.
Directory sync
Sync users and groups from your identity provider automatically. Enable directory sync in the admin portal after configuring SSO.- User provisioning — Users are created when they’re added to your IdP and removed when they leave. No manual account management.
- Group sync — Select which IdP groups to sync. Map them to Tero teams so users get access to the right services automatically.
- Real-time updates — Changes propagate automatically. Your IdP is the source of truth.
Roles
- Admin — Full access. Manage settings, integrations, users, and teams. Approve any policy.
- Member — Access to assigned services. Review and approve policies for those services.
For security details, data handling, and compliance, see the Trust Center.