Configuring OneLogin as an Identity Provider

Configure app on OneLogin dashboard

Go to OneLogin dashboard and click on Apps > Add Apps.

Search for SAML and select SAML Test Connector (IdP w/attr).

Change the Display Name of your app if you wish and click SAVE.

Go to the SSO tab and copy the values of SAML 2.0 Endpoint (HTTP) and SLO Endpoint (HTTP). Click on the View Details link at the X.509 Certificate field.

Download the X.509 certificate (onelogin.pem)

Configure connection on Auth0 dashboard

Go to Auth0 dashboard > Connections > Enterprise > SAMLP Identity Provider and click Create New (plus icon)

Set a Connection Name (e.g. onelogin-customer), paste the SAML 2.0 Endpoint (HTTP) into the Sign In URL field and the SLO Endpoint (HTTP) into the Sign Out URL field, and upload the onelogin.pem certificate. Auth0 uses this certificate to verify the signature on assertions from OneLogin, so make sure it is the signing certificate shown on the SSO tab and not one from a different app.

Click on SAVE. You will get a dialog with a Continue button and a link; both take you to the following instructions:

The information here is what the OneLogin admin needs to finish the configuration of the SAML application.

  • SAML Consumer URL: https://YOUR_AUTH0_DOMAIN/login/callback
  • SAML Audience: urn:auth0:YOUR_TENANT:YOUR_CONNECTION_NAME

Copy the values of the post-back URL and the Entity ID and head back to your OneLogin app. At the Configuration tab paste the post-back URL into the ACS (Consumer) URL input and the Entity ID into the Audience input, and set a regular expression on the ACS (Consumer) URL Validator input. OneLogin checks the ACS URL carried in an SP-initiated request against this expression, so keep it tight: a pattern anchored to your own callback, such as ^https:\/\/YOUR_AUTH0_DOMAIN\/login\/callback$ (with the dots in the domain escaped), is preferable to a catch-all such as [-a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%_\+.~#?&//=]*), which accepts almost any URL.
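To make the difference between the two validator patterns concrete, the following added example (not part of the original page or of OneLogin's or Auth0's code) runs each pattern against a legitimate callback URL and against two constructed attacker-style ACS URLs. The domain example.auth0.com stands in for YOUR_AUTH0_DOMAIN and is an assumption; how OneLogin anchors the expression is not stated on this page, so the strict pattern carries its own ^ and $ anchors and behaves the same under a search or a full match.

```python
import re

# Catch-all pattern from the page, copied verbatim.
PERMISSIVE_VALIDATOR = (
    r"[-a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%_\+.~#?&//=]*)"
)

# Tightened pattern anchored to the tenant's own callback.
# "example.auth0.com" is an assumed placeholder for YOUR_AUTH0_DOMAIN.
AUTH0_DOMAIN = "example.auth0.com"
STRICT_VALIDATOR = (
    r"^https://" + re.escape(AUTH0_DOMAIN)
    + r"/login/callback(\?connection=[-A-Za-z0-9_]+)?$"
)

# Constructed test inputs: the real callback (with and without the
# connection parameter used for IdP-initiated SSO) and two hostile
# ACS URLs of the kind an attacker could put in a forged AuthnRequest.
CANDIDATE_ACS_URLS = [
    "https://example.auth0.com/login/callback",
    "https://example.auth0.com/login/callback?connection=onelogin-customer",
    "https://attacker.example.net/collect",
    "https://example.auth0.com.attacker.example/login/callback",
]


def acs_url_allowed(validator: str, acs_url: str) -> bool:
    """Return True if the validator regex accepts acs_url.

    re.search is used deliberately: an unanchored pattern passes as soon
    as it matches anywhere in the URL, which is exactly what makes the
    catch-all pattern unsafe.
    """
    return re.search(validator, acs_url) is not None


def evaluate(validator: str, urls=CANDIDATE_ACS_URLS) -> dict:
    """Map each candidate ACS URL to whether the validator accepts it."""
    return {url: acs_url_allowed(validator, url) for url in urls}


def leaks_to_foreign_host(validator: str, urls=CANDIDATE_ACS_URLS) -> bool:
    """True if the validator accepts any URL whose host is not AUTH0_DOMAIN.

    A True result means an assertion could be posted to a host the
    tenant does not control.
    """
    for url, allowed in evaluate(validator, urls).items():
        host = url.split("//", 1)[1].split("/", 1)[0]
        if allowed and host != AUTH0_DOMAIN:
            return True
    return False


if __name__ == "__main__":
    for name, pattern in (("permissive", PERMISSIVE_VALIDATOR),
                          ("strict", STRICT_VALIDATOR)):
        print(name)
        for url, ok in evaluate(pattern).items():
            print(f"  {'ALLOW' if ok else 'deny '} {url}")
        print(f"  leaks to foreign host: {leaks_to_foreign_host(pattern)}")
```

The permissive pattern accepts all four URLs, including the two that point at a host outside the tenant; the anchored pattern accepts only the two real callback forms.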

Testing

If you do not already have a user on OneLogin, go to the Users tab and add one. Your new Auth0 SAMLP connection must also be enabled for at least one Application; otherwise the test fails with an invalid_request: the connection was disabled error.

We are now set to test the connection! On your SAMLP Identity Provider connection click the Try button.

You are redirected to a page informing you that the connection works. Well done!

Note: the Try button only works for users logged in to the Auth0 dashboard. You can't send this to an anonymous user (e.g. a customer). If you don't have a OneLogin user, read the following section to configure IdP Initiated SignOn so the customer can try from their portal.

IdP Initiated SignOn

OneLogin has an Application Portal / Launcher for their users. If you want to support that, you will have to change the SAML Consumer URL in OneLogin dashboard to be:

  • SAML Consumer URL: https://YOUR_AUTH0_DOMAIN/login/callback?connection=onelogin-customer

Where onelogin-customer is the connection name you assigned in Auth0 dashboard.

You also have to pick the application to redirect to after the SAML assertion is consumed. You can find this in the Connection > IdP Initiated SSO tab.

Edit connection mappings

If you use OneLogin and Auth0 out-of-the-box, users who log in through OneLogin and are created in Auth0 will be missing some profile information. Go to Auth0 dashboard > Users and check your login. It should look like this:

To map that information you have to edit the mappings in the Auth0 connection and the parameters in the OneLogin dashboard. Let's see how to add the EmailAddress information to our login.

Before you map the EmailAddress information, you have to add it as a custom parameter in the OneLogin dashboard. Use EmailAddress as the Field name and Email as the Value. You can find details on the steps here. Save your changes and test the connection via the Auth0 dashboard. Check that EmailAddress is included in the attributes and that its value is correct. You are now ready to map the information.

Go to the Settings of your SAMLP Identity Provider connection and open the Mappings tab. Each key is an Auth0 user profile field and each value is the name of the SAML attribute that should populate it. Copy the mappings below and paste them into the text box.

{
  "email": "EmailAddress"
}

Save your changes and try your connection again. Once you have successfully logged in, go to Auth0 dashboard > Users and check your login. It should look like this:
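To show what the mapping actually does to an incoming assertion, here is an added example that is not part of the original page or of Auth0's own code. It parses a constructed OneLogin-style assertion fragment (the AttributeStatement only, with no signature or Conditions) and applies a mappings object of the same shape as the one above. The email mapping is the page's own; the given_name, family_name, name and groups entries, the memberOf attribute and the FullName attribute from the later section are assumptions added to show multi-valued and missing attributes. The code does no signature verification, which Auth0 performs with the uploaded certificate before any mapping happens; a standalone SAML consumer must never skip that step.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample, not a real assertion: Signature, Conditions and
# AuthnStatement are omitted. Attribute names follow the OneLogin app
# configured in the text (FirstName/LastName from the test connector,
# EmailAddress as a custom parameter, FullName from a macro parameter);
# memberOf is an assumed extra attribute to exercise multi-valued mapping.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/000000</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="EmailAddress"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="FullName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>admins</saml:AttributeValue>
      <saml:AttributeValue>devs</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same shape as the Auth0 Mappings box: profile field -> SAML attribute name.
# "email" is from the page; the other entries are assumed for illustration.
MAPPINGS = {
    "email": "EmailAddress",
    "given_name": "FirstName",
    "family_name": "LastName",
    "name": "FullName",
    "groups": "memberOf",
    "phone_number": "Phone",   # not sent by the sample: must stay unset
}


def extract_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values]} from the AttributeStatement.

    Every attribute is kept as a list so that single- and multi-valued
    attributes are handled uniformly.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall("./saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def apply_mappings(attrs: dict, mappings: dict) -> dict:
    """Build a profile dict by renaming SAML attributes to profile fields.

    Attributes that the IdP did not send are left out of the profile
    rather than set to an empty string, so a missing mapping is visible
    in the resulting user record.
    """
    profile = {}
    for profile_field, saml_name in mappings.items():
        values = attrs.get(saml_name)
        if not values:
            continue
        profile[profile_field] = values if len(values) > 1 else values[0]
    return profile


def profile_from_assertion(assertion_xml: str, mappings: dict = MAPPINGS) -> dict:
    """Parse the assertion and apply the mappings in one step."""
    return apply_mappings(extract_attributes(assertion_xml), mappings)


if __name__ == "__main__":
    for field, value in profile_from_assertion(SAMPLE_ASSERTION).items():
        print(f"{field}: {value}")
```

With the page's single-entry mapping, only email is populated from EmailAddress; the fuller mapping above fills the name fields and turns the two memberOf values into a list, while phone_number stays absent because the sample never sends a Phone attribute.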

Customize the User Profile

Sometimes the standard User Profile Attributes are not enough for the functionality you want to build. If this is the case, you can use custom attributes to enrich the SAML assertion. Let's work through a basic example.

Among other attributes, the SAML assertion contains FirstName and LastName. Let's add a new custom attribute, named FullName, that contains the concatenation of first and last name.

To do so, navigate to the OneLogin dashboard and edit your app.

At the Parameters tab click the Add Parameter link.

In the popup, set a name for your new custom attribute in the Field name text box. Make sure you check the Include in SAML assertion flag. Click Save.

The new attribute you created is displayed. Click on the Value field, currently displaying - No default -.

Click on the Value dropdown menu and select - Macro -.

In the text box set the value to {firstname} {lastname}. Click Save.

Let's test this. Go back to Auth0 dashboard > Connections > Enterprise > SAMLP Identity Provider and click the Try button on your SAMLP Identity Provider connection. The result should include the new attribute FullName. If you also want it on the Auth0 user profile, add a mapping for it alongside the email mapping from the previous section.

You can find more information on Attribute Macros at the OneLogin Help Center.