SAML SSO
This page explains how to set up and use SAML SSO in Termius, including authentication flow, encryption password requirements, and configuration with identity providers.
Overview
SAML SSO enables organizations to authenticate users in Termius through an external identity provider (IdP).
Instead of managing separate credentials for Termius, users sign in using the same identity system already used across the organization.
This approach centralizes authentication, simplifies user management, and aligns Termius access with existing security and compliance policies.
SAML SSO is available as an add-on in the Termius Business plan.
Set up encryption password
Even when signing in with SAML SSO, you still need to set up an encryption password in Termius.
This password is used to encrypt and decrypt your data within the Termius app, including credentials, SSH keys, and more. It is separate from your SSO login and is never shared with your identity provider.
Your SAML SSO credentials authenticate your account, while the encryption password protects your data.
Store your encryption password in a password manager. If you forget it and need to reset it, Termius won't be able to decrypt your data. This means you will lose access to your data and have to start from scratch.
Find more information about how encryption works in Termius in the Encryption overview.
SAML SSO providers in Termius
Termius uses WorkOS to provide support for a variety of SAML SSO providers. Major providers include Google, Okta, OneLogin, Microsoft Azure Active Directory, Auth0, Duo Security, and many others.
If your preferred SAML SSO provider is not listed, you can opt for Custom SAML SSO or Custom OpenID configurations.
SAML SSO providers list
ADP OpenID Connect
Auth0
Azure AD SAML
CAS SAML
ClassLink
Cloudflare
CyberArk SAML
Duo SSO
Google SAML
JumpCloud SAML
Keycloak
LastPass
Microsoft AD FS SAML
miniOrange
NetIQ
Okta SAML
OneLogin SAML
Oracle SAML
PingFederate SAML
PingOne SAML
Rippling SAML
Salesforce
Shibboleth Generic SAML
Shibboleth Unsolicited SAML
SimpleSAML.php
VMware
Set up SAML SSO
SAML SSO is available only as an add-on to the Business plan.
To set up SAML SSO:
Navigate to the account management portal >
SAML SSO.Click
Configure now.Add your domain(s), then click
Configure now.On the WorkOS setup page, select your identity provider from the list and follow the instructions.
You can make changes to your configuration in SAML SSO > Configure Provider within the WorkOS settings page.
Test your SAML SSO configuration with Termius
By default, once SAML SSO is set up, your account is in the hybrid mode - you already can use SAML SSO but you still have an option to log in with email and encryption password as a fallback.
To test your SAML SSO configuration:
Ensure the test session on the WorkOS side passes successfully.
Log out of your Termius account.
Click
Continue with SAML SSOon the login page.Enter your work email address and click
Continue.You will be redirected to your identity provider's login page. Enter your credentials and log in.
If the configuration is successful, you will be redirected back to Termius and logged in via SAML SSO.
After the successful test, you can enforce SAML SSO for your team by enabling the Require to log in with SSO toggle.
Disable SAML SSO
You have an option to disable SAML SSO temporarily or completely.
If you have issues with your provider and want to disable SAML SSO only temporarily, just disable the toggle Require to log in with SSO. Once disabled, you will be able to use just your email address and encryption password as a fallback.
If you want to deactivate SAML SSO completely:
Disable the toggle
Require to log in with SSO.Remove your configuration via
SAML SSO>Configure Providerwithin the WorkOS settings page.
Last updated
Was this helpful?