This guide walks you through setting up SAML 2.0 single sign-on between TrueFoundry and OneLogin. OneLogin doesn’t ship a TrueFoundry-specific connector, so you’ll use the SAML Custom Connector (Advanced) app and wire it up manually. Once finished, members of your OneLogin account can sign in to TrueFoundry through a Login with OneLogin button.

Prerequisites

  • A TrueFoundry tenant with Admin access to Platform → Settings → SSO.
  • A OneLogin account with permission to create new Applications (Super User or Admin).
You’ll bounce between the OneLogin admin console and the TrueFoundry SSO settings. Keep both open in adjacent tabs to copy-paste values quickly.

Configuration overview

1. Create a custom SAML app in OneLogin

Add the SAML Custom Connector (Advanced) app — this is what TrueFoundry federates with.

2. Get the TrueFoundry SAML metadata

Save a SAML SSO configuration in TrueFoundry to surface the Callback URL and Issuer.

3. Configure the SAML connection on both sides

Paste TrueFoundry’s values into OneLogin, then paste OneLogin’s IdP values back into TrueFoundry.

4. Map SAML parameters and assign users

Add the user attributes TrueFoundry needs and assign users to the OneLogin app.

Step 1 — Create a SAML app in OneLogin

1. Open Applications

Sign in to the OneLogin admin console as an administrator. In the top navigation, click Applications, then click Applications again in the dropdown.

2. Add a new app

Click Add App in the top right corner. In the Find Applications search bar, type SAML Custom and select SAML Custom Connector (Advanced) from the results.

3. Name the application

Enter a Display Name such as TrueFoundry, optionally upload an app icon, and click Save. OneLogin lands you on the application’s detail page once it’s saved.

Step 2 — Create the SSO configuration in TrueFoundry

In a second browser tab, open TrueFoundry to generate the values OneLogin needs.
1. Open SSO settings

Go to Platform → Settings → SSO and click Configure.

2. Fill in the basic fields

  • Enabled: turn this on.
  • Name: a label such as OneLogin SAML.
  • SSO Provider: choose Custom. OneLogin isn’t in the dropdown, so the Custom option is the right pick.
  • Authentication Configuration: select SAML v2.
Leave Identity Provider Endpoint and X.509 Certificate blank for now — you’ll fill them in once OneLogin surfaces those values.

3. Save to reveal the Callback URL and Issuer

Click Save. TrueFoundry displays two values on the SSO row that OneLogin needs:
  • Callback URL — this is the ACS (Consumer) URL in OneLogin.
  • Issuer — this is the Audience (Entity ID) in OneLogin.

Step 3 — Enter TrueFoundry’s details into OneLogin

Back in OneLogin’s application detail page, switch to the Configuration tab on the left.
1. Fill in the Application details

Paste the TrueFoundry values into the corresponding OneLogin fields (OneLogin field → value to paste):
  • Audience (Entity ID) → TrueFoundry Issuer
  • ACS (Consumer) URL Validator → A regex that matches the TrueFoundry Callback URL, for example ^https:\/\/login\.truefoundry\.com\/.*$
  • ACS (Consumer) URL → TrueFoundry Callback URL
  • Login URL → (optional) The TrueFoundry login page, for IdP-initiated sign-in
The ACS (Consumer) URL Validator is a regex, not a plain URL. OneLogin rejects the SAML response if the URL doesn’t match this pattern. The example above accepts any path on login.truefoundry.com; tighten it if you prefer.

2. Set the SAML initiator and signature element

Scroll down in the Configuration tab and set:
  • SAML initiator → Service Provider.
  • SAML signature element → Assertion.
Leave the other defaults (SAML nameID format, encryption, etc.) in place unless you have a specific reason to change them.

3. Save

Click Save in the top right.
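
The validator pattern can be checked before it is pasted into OneLogin. The following is an added example, not TrueFoundry or OneLogin code: it compares the guide's broad pattern with an exact-match pattern built from the Callback URL. It assumes Python's re engine behaves like OneLogin's matcher for these simple patterns; the callback path and the probe URLs are constructed placeholders.

```python
import re

# Pattern taken from the guide; everything else below is constructed for illustration.
BROAD = r"^https:\/\/login\.truefoundry\.com\/.*$"
CALLBACK_URL = "https://login.truefoundry.com/placeholder/callback"  # placeholder path

# URLs the validator should refuse (constructed probes).
PROBES = [
    "http://login.truefoundry.com/placeholder/callback",               # plain HTTP
    "https://login.truefoundry.com.example.net/placeholder/callback",  # suffix look-alike
    "https://loginXtruefoundry.com/placeholder/callback",              # only passes if dots are unescaped
    "https://login.truefoundry.com/some/other/path",                   # same host, other path
]

def exact_validator(url):
    """Anchor and escape a URL so the pattern matches that URL and nothing else."""
    return "^" + re.escape(url).replace("/", r"\/") + "$"

def check(pattern, callback=CALLBACK_URL, probes=PROBES):
    """Return (callback_accepted, [probes the pattern also accepts])."""
    rx = re.compile(pattern)
    accepted = [p for p in probes if rx.fullmatch(p)]
    return bool(rx.fullmatch(callback)), accepted

if __name__ == "__main__":
    candidates = [
        ("broad", BROAD),
        ("exact", exact_validator(CALLBACK_URL)),
        ("unescaped", "^https://login.truefoundry.com/.*$"),
    ]
    for name, pattern in candidates:
        ok, extra = check(pattern)
        print(f"{name:10} callback accepted={ok} other URLs accepted={extra}")
```

A pattern is ready to paste when the callback is accepted and the list of other accepted URLs contains only URLs you intend to allow.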

Step 4 — Copy OneLogin’s IdP details back to TrueFoundry

Switch to the SSO tab on the left side of the OneLogin application.
1. Grab the IdP endpoint and certificate

From the SSO tab, collect:
  • SAML 2.0 Endpoint (HTTP) — this is the URL TrueFoundry uses to redirect users to OneLogin.
  • X.509 Certificate — click View Details under the certificate, then copy the entire PEM, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
If you’d rather upload metadata, open More Actions → SAML Metadata at the top of the page to download the XML file. TrueFoundry doesn’t ingest metadata XML directly, but the file contains the same endpoint and certificate values for cross-reference.

2. Paste into TrueFoundry

Return to Platform → Settings → SSO in TrueFoundry and edit the SSO configuration you created in Step 2. Set:
  • Identity Provider Endpoint → the SAML 2.0 Endpoint (HTTP) from OneLogin.
  • X.509 Certificate → the full PEM you copied from OneLogin.
Click Save.
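
The cross-reference against the downloaded metadata XML mentioned in this step can be done mechanically. The following is an added example, not part of the TrueFoundry or OneLogin tooling: it checks that the endpoint and certificate pasted into TrueFoundry are the ones the metadata file carries. The sample endpoint, entity ID and certificate bytes are constructed placeholders.

```python
import base64, hashlib, textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def pem_to_der(pem):
    """Drop the BEGIN/END lines and decode the base64 body."""
    lines = (l.strip() for l in pem.splitlines())
    body = "".join(l for l in lines if not l.startswith("-----"))
    return base64.b64decode(body, validate=True)

def cross_check(metadata_xml, pasted_endpoint, pasted_pem):
    """Compare the values pasted into TrueFoundry with the downloaded metadata."""
    idp = ET.fromstring(metadata_xml).find("md:IDPSSODescriptor", NS)
    endpoints = {e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    # Compare certificates by SHA-256 of the DER bytes, so line wrapping is irrelevant.
    known = {hashlib.sha256(base64.b64decode("".join(c.text.split()))).hexdigest()
             for c in idp.iterfind(".//ds:X509Certificate", NS)}
    try:
        pasted = hashlib.sha256(pem_to_der(pasted_pem)).hexdigest()
    except ValueError:  # truncated or corrupted paste
        pasted = None
    return {"endpoint_ok": pasted_endpoint.strip() in endpoints,
            "certificate_ok": pasted in known}

# --- constructed sample data (placeholder bytes, not a real certificate) ---
SAMPLE_DER = b"constructed placeholder standing in for the DER of a signing certificate"
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(SAMPLE_B64, 64))
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_ENDPOINT = "https://idp.example.com/saml2/http-redirect/sso/0000"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/metadata">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
        <ds:X509Certificate>{SAMPLE_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="{SAMPLE_ENDPOINT}"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    print(cross_check(SAMPLE_METADATA, SAMPLE_ENDPOINT, SAMPLE_PEM))
```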

Step 5 — Map SAML parameters in OneLogin

OneLogin doesn’t include user profile attributes in the SAML response by default. You need to add them under the Parameters tab so TrueFoundry can identify the user.
1. Open the Parameters tab

On the OneLogin application page, click the Parameters tab on the left.

2. Add the required parameters

Click the + icon to add each parameter below. For every entry, check Include in SAML assertion before saving. On the next screen, select the corresponding OneLogin user attribute as the Value (Field name → OneLogin attribute):
  • email → Email
  • firstName → First Name
  • lastName → Last Name
These names match TrueFoundry’s defaults, so you don’t need to touch Email Claim or Unique ID Claim under Show advanced fields.

3. (Optional) Add a groups parameter

If you plan to use SCIM provisioning or want OneLogin group memberships in the SAML assertion, add one more parameter:
  • Field name → groups
  • Check Include in SAML assertion and Multi-value parameter.
  • Value → the OneLogin attribute that carries the user’s group memberships, typically MemberOf or a custom roles attribute.

Step 6 — Assign users in OneLogin

OneLogin only sends SAML responses for users assigned to the application.
1. Open Users

In the OneLogin top navigation, click Users → Users, then open the user you want to grant access to.

2. Assign the application

Click the Applications tab on the user page and click the + icon. In the popup, pick the TrueFoundry app you created and click Continue, then Save.
For bulk access, create a OneLogin Role that includes the TrueFoundry app and assign users to that role under Users → Roles. This pairs naturally with the optional groups parameter and with SCIM with OneLogin.
Users who haven’t been assigned to the OneLogin app — or whose assignment is still Pending approval — will see an “app not assigned” error when they click Login with OneLogin in TrueFoundry.

Step 7 — Test single sign-on

  1. Open a private/incognito window and go to your TrueFoundry login page.
  2. Click Login with OneLogin (or whichever label you set under Show advanced fields → Button Text).
  3. Authenticate with a OneLogin user that you assigned to the application.
If the sign-in succeeds you’ll land in the TrueFoundry dashboard. The user is created automatically if JIT provisioning is on, otherwise they must already exist in TrueFoundry or be invited.

Optional next steps

  • Automate user lifecycle with SCIM — see SCIM with OneLogin to push users and groups from OneLogin into TrueFoundry automatically.
  • Customize the login button — under Show advanced fields, set Button Text to Login with OneLogin and Button Image URL to a hosted logo if you’d like a branded button.

Troubleshooting

The ACS (Consumer) URL Validator regex in OneLogin doesn’t match the ACS (Consumer) URL. Re-open the Configuration tab and confirm that the validator pattern (for example ^https:\/\/login\.truefoundry\.com\/.*$) genuinely matches the Callback URL you copied from TrueFoundry. Don’t forget to escape the slashes in the regex.
The email parameter isn’t being sent. In OneLogin’s Parameters tab, open the email row and make sure Include in SAML assertion is checked and the value is set to the user’s Email attribute. The parameter name must be exactly email (lower-case) unless you’ve overridden Email Claim under TrueFoundry’s Show advanced fields.
The certificate copied into TrueFoundry doesn’t match OneLogin’s active signing certificate. From OneLogin’s SSO tab, click View Details on the certificate and copy the full PEM again, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, then paste it back into TrueFoundry’s X.509 Certificate field.
Check the provisioning mode under Settings → Security & Access → Provisioning:
  • Invite-only — the user must be invited from Access → Users first.
  • JIT — the user is created on first login automatically.
  • SCIM — the user must be synced from your IdP first. See SCIM with OneLogin.
The Audience (Entity ID) in OneLogin doesn’t match TrueFoundry’s Issuer. Re-copy the Issuer value from the TrueFoundry SSO row and paste it verbatim into OneLogin’s Audience (Entity ID) field (no trailing slashes, no extra whitespace).
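
The missing-parameter and audience-mismatch cases above can be confirmed from a decoded SAML response captured in your own browser during the Step 7 test. The following is an added example, not TrueFoundry code: the Issuer value and the sample response are constructed, and the check is a configuration diagnostic that does not verify the signature.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REQUIRED = ("email", "firstName", "lastName")  # parameter names from Step 5

def diagnose(response_xml, truefoundry_issuer):
    """List configuration problems visible in a decoded SAML response."""
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None:
        return ["no unencrypted Assertion in the response"]
    problems = []
    audiences = [a.text or "" for a in assertion.iterfind(".//saml:Audience", NS)]
    if truefoundry_issuer not in audiences:  # exact match: no trailing slash, no whitespace
        problems.append(f"Audience {audiences} does not equal Issuer {truefoundry_issuer!r}")
    names = {a.get("Name") for a in assertion.iterfind(".//saml:Attribute", NS)}
    for wanted in REQUIRED:
        if wanted not in names:
            near = [n for n in names if n and n.lower() == wanted.lower()]
            hint = f" (found {near[0]!r})" if near else ""
            problems.append(f"attribute {wanted!r} missing{hint}")
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion carries no Signature (signature element should be Assertion)")
    return problems

def sample_response(audience, attrs, signed=True):
    """Constructed, trimmed response for the demo (empty Signature element, no real values)."""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>' if signed else ""
    attr_xml = "".join(f'<saml:Attribute Name="{n}"><saml:AttributeValue>x'
                       f'</saml:AttributeValue></saml:Attribute>' for n in attrs)
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
            f'<saml:Assertion>{sig}<saml:Conditions><saml:AudienceRestriction>'
            f'<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
            f'</saml:Conditions><saml:AttributeStatement>{attr_xml}'
            f'</saml:AttributeStatement></saml:Assertion></samlp:Response>')

ISSUER = "https://sp.example.com/issuer"  # constructed placeholder for the TrueFoundry Issuer

if __name__ == "__main__":
    bad = sample_response(ISSUER + "/", ["Email", "firstName"], signed=False)
    for problem in diagnose(bad, ISSUER):
        print("-", problem)
```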