Configure app on OneLogin dashboard

Go to the OneLogin dashboard, and click on Apps > Add Apps.

Search for saml, and select SAML Test Connector (IdP w/attr).

Change the Display Name of your app if you wish, and click SAVE.

Go to the SSO tab, and copy the values of SAML 2.0 Endpoint (HTTP) and SLO Endpoint (HTTP). Click on the View Details link at the X.509 Certificate field.

Download the X.509 certificate: onelogin.pem.

Configure connection on Auth0 dashboard

Go to Auth0 dashboard > Connections > Enterprise > SAMLP Identity Provider, and click Create New (plus icon).

Set a Connection Name (such as onelogin-customer). Paste the SAML 2.0 Endpoint (HTTP) into the Sign In URL input and the SLO Endpoint (HTTP) into the Sign Out URL input. Upload the onelogin.pem certificate.

Click on SAVE. You will get a dialog with a Continue button and a link; both will take you to the following instructions:

The information here is what the OneLogin admin needs to finish the configuration of the SAML application.

  • SAML Consumer URL: https://YOUR_AUTH0_DOMAIN/login/callback

Copy the values of the post-back URL and the Entity ID, and head back to your OneLogin app.

At the Configuration tab:

  • Paste the post-back URL into the ACS (Consumer) URL input and the Recipient input
  • Paste the Entity ID into the Audience input
  • Set a valid regular expression on the ACS (Consumer) URL Validator input (for example, [-a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%_\+.~#?&//=]*))
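
The sample expression above has no anchors and names no host, so it accepts far more than the Auth0 callback; an anchored pattern built from the exact callback URL is tighter. The check below is an added example, not part of the original guide or OneLogin's own code: tenant.example.com stands in for YOUR_AUTH0_DOMAIN, the candidate URLs are constructed, and it assumes the validator is applied as an unanchored search (the sample can only match an https:// URL that way, because its first character class excludes "/").

```python
import re

# Sample validator quoted in the step above: unanchored, host-agnostic.
PAGE_SAMPLE = (r"[-a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b"
               r"([-a-zA-Z0-9@:%_\+.~#?&//=]*)")

# Constructed stand-in for https://YOUR_AUTH0_DOMAIN/login/callback.
ACS_URL = "https://tenant.example.com/login/callback"

# Constructed ACS URLs an AuthnRequest might carry; only the first is ours.
CANDIDATES = [
    ACS_URL,
    "http://tenant.example.com/login/callback",                     # no TLS
    "https://other.example.net/login/callback",                     # other host
    "https://tenant.example.com.other.example.net/login/callback",  # lookalike
    "https://tenant.example.com/login/callback/extra",              # longer path
]


def exact_validator(acs_url):
    """Return an anchored pattern that matches acs_url and nothing else."""
    return "^" + re.escape(acs_url) + "$"


def accepted(pattern, urls):
    """URLs the validator lets through, assuming search (unanchored) semantics."""
    rx = re.compile(pattern)
    return [u for u in urls if rx.search(u)]


if __name__ == "__main__":
    for name, pattern in (("page sample", PAGE_SAMPLE),
                          ("anchored", exact_validator(ACS_URL))):
        ok = accepted(pattern, CANDIDATES)
        print(f"{name}: accepts {len(ok)}/{len(CANDIDATES)}")
        for u in ok:
            print("   ", u)
```

If the SAML Consumer URL carries a query string (as in the IdP-initiated setup), build the pattern from that full URL.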


If you do not already have a user on OneLogin, go to the Users tab and add one. Also, your new Auth0 SAMLP connection should be associated with an app; otherwise you will get an "invalid_request: the connection was disabled" error.

We are now set to test the connection! On your SAMLP Identity Provider connection, click the Try button.

You are redirected to a page informing you that the connection works. Well done!

The Try button only works for users logged in to the Auth0 dashboard. You can't send this to an anonymous user (such as a customer). If you don't have a OneLogin user, read the following section to configure IdP Initiated SignOn so the customer can try on their portal.

IdP Initiated SignOn

Beginning with auth0.js v9.3.4, you must enable the impersonation flags to use IdP-initiated login.

Impersonation has been deprecated and will not be enabled for customers any longer. The functionality will continue to work for the customers that have it already enabled. If this changes, customers will be notified beforehand and given ample time to migrate.

OneLogin has an Application Portal / Launcher for their users. If you want to support that, you will have to change the SAML Consumer URL in the OneLogin dashboard to be:

  • SAML Consumer URL: https://YOUR_AUTH0_DOMAIN/login/callback?connection=onelogin-customer

Here, onelogin-customer is the connection name you assigned in the Auth0 dashboard.

You also have to pick the application to redirect to after the SAML assertion is consumed. You can find this in the Connection > IdP Initiated SSO tab.

Edit connection mappings

If you use OneLogin and Auth0 out-of-the-box, users logging in using OneLogin and being created in the Auth0 dashboard will be missing some information. Go to Dashboard > Users and check your login. It should look like this:

You have to edit the mappings in the Auth0 connection, along with the parameters in the OneLogin dashboard, in order to map the information. Let's see how we can add the EmailAddress information to our login.


Before you map the EmailAddress information, you have to add it as a custom parameter to the OneLogin dashboard. Use EmailAddress as Field name and Email as Value. You can find details on the steps here. Save your changes and test the connection via Auth0 dashboard. Check that the EmailAddress is included in the attributes and the value is correct. You are now ready to proceed with mapping the information.

Go to the Settings of your SAMLP Identity Provider and navigate to the Mappings tab. Copy the mappings below and paste them in the text box.

  {
    "email": "EmailAddress"
  }

Save your changes, and try your connection again. Once you have successfully logged in, go to Dashboard > Users, and check your login. It should look like this:

Customize the User Profile

Sometimes the standard User Profile Attributes are not enough for the functionality you want to build. If this is the case, you can use custom attributes in order to enhance the SAML token. Let's work through a basic example.

The SAML token contains, among others, two attributes: FirstName and LastName. Let's add a new custom attribute, named FullName, that will contain the concatenation of first and last name.

In order to do so, navigate to the OneLogin dashboard and edit your app.

At the Parameters tab, click the Add Parameter link.

At the popup, set a name for your new custom attribute at the Field name text box. Make sure you check the Include in SAML assertion flag. Click Save.

The new attribute you created is displayed. Click on the Value field, currently displaying - No default -.

Click on the Value dropdown menu and select - Macro -.

At the text box, set the value to {firstname} {lastname}. Click Save.

Let's test this. Go back to Auth0 dashboard > Connections > Enterprise > SAMLP Identity Provider and on your SAMLP Identity Provider connection, click the Try button. The result should include the new attribute FullName.

You can find more information on Attribute Macros at the OneLogin Help Center.