Configure OneLogin as SAML Identity Provider

Configure OneLogin as a SAML identity provider by completing the following steps:

  1. Configure OneLogin SAML integration

  2. Configure SAML connection in Auth0.

  3. Test connection.

Prerequisite

You must have OneLogin developer account.

Configure OneLogin

  1. Log in to the OneLogin Dashboard, and click Apps > Add Apps.

  2. Search for SAML, and select SAML Test Connector (IdP w/attr).

  3. When prompted, change the Display Name of your app.

  4. Click SAVE.

  5. Go to the SSO tab, and copy the values for SAML 2.0 Endpoint (HTTP) and SLO Endpoint (HTTP).

  6. Click on the View Details link at the X.509 Certificate field.

  7. Download the X.509 certificate onelogin.pem.

Configure Auth0 connection

  1. Go to Dashboard > Authentication > Enterprise > SAMLP and click the plus icon to be redirected to the page that allows you to create a new Connection.

  2. You will be prompted to provide the appropriate configuration settings for this Connection. The only mandatory fields are:

    Setting Description
    Sign In URL The SAML 2.0 Endpoint (HTTP) value you noted when setting up your OneLogin app.
    Sign Out URL The SLO Endpoint (HTTP) value you noted when setting up your OneLogin app.
    X509 Signing Certificate The certificate you downloaded from Onelogin. You will need to upload the certificate directly to Auth0.

  3. Click Save to proceed.

  4. In the next window, you'll be provided two options.

    1. If you are a domain administrator, you can click Continue for additional instructions on SAML Identity Provider Configuration.

    2. If you are not, you can give your domain administrator the provided URL so that they can finish the configuration.

Auth0 configuration values

To finish configuration of the SAML application, the admin will need the following information regarding Auth0:

  • SAML Consumer URL: https://{yourDomain}/login/callback

  • SAML Audience: urn:auth0:{yourTenant}:yourConnectionName

Also copy the values of the post-back URL and the Entity ID before heading back to the Configuration tab of your OneLogin app:

Auth0 value OneLogin configuration field
Post-back URL ACS (Consumer) URL and Recipient
Entity ID Audience

Also provide a valid regular expression for the ACS (Consumer) URL Validator. For example:

[-a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%_\+.~#?&//=]*)

Test connection

Before testing your connection:

  • Be sure that you have a OneLogin user that you can use for testing. If not, go to the Users tab on the OneLogin dashboard and add one

  • Be sure that your new Auth0 SAMLP connection has been associated with an application (otherwise you will get an invalid_request: the connection was disabled error)

Next to your SAML connection, click the Try button. If all goes well, you will be redirected to a page informing you that the connection works.

Identity provider-initiated SSO

OneLogin offers an Application Portal/Launcher to its users. If you want to take advantage of this functionality, you will have to change the SAML Consumer URL in OneLogin dashboard to include the connection parameter (e.g., https://{yourDomain}/login/callback?connection=onelogin-customer). Be sure to replace onelogin-customer with the name of your Auth0 connection.

Finally, be sure to enable IdP-initiated login for the connection and pick the application to which your user is redirected after the SAML assertion is consumed. To learn more, read Configure Identity-Provider-Initiated Single Sign-On.

Edit connection mappings

If you use OneLogin and Auth0 out of the box, users logging in using OneLogin and created in the Auth0 Dashboard will be missing some profile information you might like to have.

To collect additional user information, edit the appropriate parameters in the OneLogin dashboard, include the parameters in the SAML assertion, and create the mappings in the Auth0 connection.

User profile attributes

Sometimes the standard User Profile Attributes are not enough for the functionality you want to build. If this is the case, you can use custom attributes in order to enhance the SAML token. Let's work through a basic example.

The SAML token contains, among others, two attributes: FirstName and LastName. Let's add a new custom attribute, named FullName, that will contain the concatenation of first and last name.

  1. Navigate to the OneLogin dashboard and edit your app.

  2. On the Parameters tab, click Add Parameter.

  3. In the pop-up, set a name for your new custom attribute using the Field name text box. Make sure you check the Include in SAML assertion flag. Click Save.

  4. The new attribute you created is displayed. Click on the Value field, which is currently displaying - No default -.

  5. Click the Value dropdown menu and select - Macro -.

  6. At the text box, set the value to {firstname} {lastname}. Click Save.

  7. Test our changes. Go back to Auth0 dashboard > Authentication > Enterprise > SAML. On your SAML connection, click the Try button. The result should include the new attribute FullName.

You can find more information on Attribute Macros at the OneLogin Help Center.

Add new parameter to SAML assertion

For the purposes of demonstration, let's see how we can add the EmailAddress information, which is more than the concatenation of two fields we're already sending, to our login.

  1. Before you can map users' EmailAddress, you must add this field as a custom parameter to the OneLogin dashboard. Set Field name to EmailAddress and Value as Email.

  2. You can find details on the steps needed to customize the user profile in the section above.

  3. Once you've made your changes, save them, and test your connection once again.

  4. Review your Auth0 user, making sure that the EmailAddress information is now included and that the value is correct.

You are now ready to proceed with mapping the user information fields in Auth0.

  1. Go to the Settings of your SAML and navigate to the tab Mappings. For the email addresses, copy the mapping below, and paste it into the text box.

  2. Save your changes, and try your connection again. Once you have successfully logged in, go to Dashboard > User Management > Users, and check your login. You will see additional information for the appropriate user.