> ## Documentation Index
> Fetch the complete documentation index at: https://www.truefoundry.com/llms.txt
> Use this file to discover all available pages before exploring further.

# SAML with OneLogin

> Configure SAML 2.0 single sign-on between TrueFoundry and OneLogin using the SAML Custom Connector (Advanced).

This guide walks you through setting up SAML 2.0 single sign-on between TrueFoundry and OneLogin. OneLogin doesn't ship a TrueFoundry-specific connector, so you'll use the **SAML Custom Connector (Advanced)** app and wire it up manually. Once finished, members of your OneLogin account can sign in to TrueFoundry through a **Login with OneLogin** button.

## Prerequisites

* A TrueFoundry tenant with **Admin** access to **Settings → Security & Access → SSO**.
* A OneLogin account with permission to create new **Applications** (Super User or Admin).

<Tip>
  You'll bounce between the **OneLogin admin console** and the **TrueFoundry SSO settings**. Keep both open in adjacent tabs to copy-paste values quickly.
</Tip>

## Configuration overview

<Steps>
  <Step title="Create the SSO configuration in TrueFoundry">
    Save a SAML SSO configuration in TrueFoundry to surface the **ACS URL**, **Audience (Entity ID)**, and **Relay URL**.
  </Step>

  <Step title="Create a custom SAML app in OneLogin">
    Add the **SAML Custom Connector (Advanced)** app — this is what TrueFoundry federates with.
  </Step>

  <Step title="Configure the SAML connection on both sides">
    Paste TrueFoundry's values into OneLogin, then paste OneLogin's IdP values back into TrueFoundry.
  </Step>

  <Step title="Map SAML parameters and assign users">
    Add the `email` and `sub` attributes TrueFoundry needs and assign users to the OneLogin app.
  </Step>
</Steps>

## Step 1 — Create the SSO configuration in TrueFoundry

<Steps>
  <Step title="Open SSO settings">
    Go to **Settings → Security & Access → SSO**.

    Click the **+** icon labeled **Add New SSO Config**.

    <Frame caption="SSO page in TrueFoundry — click the + icon to add a new SSO configuration">
      <img src="https://mintcdn.com/truefoundry/OlEFjoHwZJ0edSjd/images/sso/entra/saml-truefoundry-add-sso-config.png?fit=max&auto=format&n=OlEFjoHwZJ0edSjd&q=85&s=f768205b84d9f33ce04a8b8576ab0070" alt="TrueFoundry SSO settings page with the Add New SSO Config plus button highlighted" width="1024" height="263" data-path="images/sso/entra/saml-truefoundry-add-sso-config.png" />
    </Frame>
  </Step>

  <Step title="Fill in the basic fields">
    * **Enabled**: turn this on.
    * **Name**: a lowercase alphanumeric label — for example, `oneloginsaml`.
    * **SSO Provider**: choose **Custom**.
    * **Authentication Configuration**: select **SAML v2**.

    Leave **Identity Provider Endpoint** and **X.509 Certificate** blank for now — you'll fill them in once OneLogin surfaces those values.
  </Step>

  <Step title="Save to reveal the Single sign-on URL, Audience URI (SP Entity ID), and Relay URL">
    Click **Save**. TrueFoundry displays the values you need for OneLogin on the SSO configuration card:

    | OneLogin field              | Value from TrueFoundry          |
    | --------------------------- | ------------------------------- |
    | **ACS (Consumer) URL**      | **Single Sign On URL**          |
    | **Audience (Entity ID)**    | **Audience URI (SP Entity ID)** |
    | **Relay State** *(if used)* | **Relay URL**                   |

    <Frame caption="TrueFoundry SSO configuration card showing the SAML values to copy into OneLogin">
      <img src="https://mintcdn.com/truefoundry/OlEFjoHwZJ0edSjd/images/sso/entra/saml-truefoundry-sp-metadata.png?fit=max&auto=format&n=OlEFjoHwZJ0edSjd&q=85&s=e061fae840c0fa4e8af3c4efe9961a2b" alt="TrueFoundry SSO configuration card displaying Audience URI, Single Sign On URL, Metadata URL, and Relay URL for SAML setup" width="1024" height="391" data-path="images/sso/entra/saml-truefoundry-sp-metadata.png" />
    </Frame>
  </Step>
</Steps>

## Step 2 — Create a SAML app in OneLogin

<Steps>
  <Step title="Open Applications">
    Sign in to the OneLogin admin console as an administrator. In the top navigation, click **Applications**, then click **Applications** again in the dropdown.

    <Frame caption="Applications page — click Add App in the top right">
      <img src="https://mintcdn.com/truefoundry/TVxonWTot44QL8ec/images/sso/onelogin/saml-applications-add-app.jpeg?fit=max&auto=format&n=TVxonWTot44QL8ec&q=85&s=69a0099e44138192f61c751ed197e9b2" alt="OneLogin Applications page with the Add App button highlighted in the top right corner" width="1024" height="235" data-path="images/sso/onelogin/saml-applications-add-app.jpeg" />
    </Frame>
  </Step>

  <Step title="Add a new app">
    Click **Add App** in the top right corner. In the **Find Applications** search bar, type `SAML Custom` and select **SAML Custom Connector (Advanced)** from the results.

    <Frame caption="Find Applications — search for SAML Custom and select SAML Custom Connector (Advanced)">
      <img src="https://mintcdn.com/truefoundry/TVxonWTot44QL8ec/images/sso/onelogin/saml-find-applications-saml-custom.jpeg?fit=max&auto=format&n=TVxonWTot44QL8ec&q=85&s=2b6475ad99787cfcba338d0a232bb50b" alt="OneLogin Find Applications page showing SAML Custom search results with SAML Custom Connector Advanced listed" width="1024" height="349" data-path="images/sso/onelogin/saml-find-applications-saml-custom.jpeg" />
    </Frame>
  </Step>

  <Step title="Name the application">
    Enter a **Display Name** such as `TrueFoundry`, optionally upload an app icon, and click **Save**.

    OneLogin lands you on the application's detail page once it's saved.
  </Step>
</Steps>

## Step 3 — Enter TrueFoundry's details into OneLogin

Back in OneLogin's application detail page, switch to the **Configuration** tab on the left.

<Steps>
  <Step title="Fill in the Application details">
    Paste the TrueFoundry values into the corresponding OneLogin fields:

    | OneLogin field                   | Value to paste                                                                                                 |
    | -------------------------------- | -------------------------------------------------------------------------------------------------------------- |
    | **Audience (Entity ID)**         | TrueFoundry **Audience URI (SP Entity ID)**                                                                    |
    | **ACS (Consumer) URL Validator** | A regex that matches the TrueFoundry Single Sign On URL, for example `^https:\/\/login\.truefoundry\.com\/.*$` |
    | **ACS (Consumer) URL**           | TrueFoundry **Single Sign On URL**                                                                             |
    | **Relay State**                  | TrueFoundry **Relay URL**                                                                                      |

    <Warning>
      The **ACS (Consumer) URL Validator** is a regex, not a plain URL. OneLogin rejects the SAML response if the URL doesn't match this pattern. The example above accepts any path on `login.truefoundry.com`; tighten it if you prefer.
    </Warning>

    <Frame caption="Configuration tab — Application details with Audience, ACS URLs, and Relay State">
      <img src="https://mintcdn.com/truefoundry/TVxonWTot44QL8ec/images/sso/onelogin/saml-configuration-application-details.jpeg?fit=max&auto=format&n=TVxonWTot44QL8ec&q=85&s=6a55e61c92ba912763a92823bf798fdf" alt="OneLogin Configuration tab Application details section showing Audience Entity ID, ACS Consumer URL Validator, ACS Consumer URL, and Relay State fields" width="1024" height="437" data-path="images/sso/onelogin/saml-configuration-application-details.jpeg" />
    </Frame>
  </Step>

  <Step title="Set the SAML initiator and signature element">
    Scroll down in the **Configuration** tab and set:

    * **SAML initiator** → **Service Provider**.
    * **SAML signature element** → **Assertion**.
    * **SAML nameID format** → **Email**.

    Leave the other defaults (encryption, etc.) in place unless you have a specific reason to change them.

    <Frame caption="Configuration tab — SAML initiator, signature element, and nameID format set to Email">
      <img src="https://mintcdn.com/truefoundry/TVxonWTot44QL8ec/images/sso/onelogin/saml-configuration-saml-settings.png?fit=max&auto=format&n=TVxonWTot44QL8ec&q=85&s=012c0badefc9a00a07d95eea25c3d409" alt="OneLogin Configuration tab showing SAML initiator set to Service Provider, SAML signature element set to Assertion, and SAML nameID format set to Email" width="1024" height="514" data-path="images/sso/onelogin/saml-configuration-saml-settings.png" />
    </Frame>
  </Step>

  <Step title="Save">
    Click **Save** in the top right.
  </Step>
</Steps>

## Step 4 — Copy OneLogin's IdP details back to TrueFoundry

Switch to the **SSO** tab on the left side of the OneLogin application.

<Steps>
  <Step title="Grab the IdP endpoint and certificate">
    From the **SSO** tab, collect:

    * **SAML 2.0 Endpoint (HTTP)** — this is the URL TrueFoundry uses to redirect users to OneLogin.

    <Frame caption="SSO tab — copy the SAML 2.0 Endpoint (HTTP)">
      <img src="https://mintcdn.com/truefoundry/TVxonWTot44QL8ec/images/sso/onelogin/saml-sso-endpoint.jpeg?fit=max&auto=format&n=TVxonWTot44QL8ec&q=85&s=0fc10d0db848156a7921a9b7a9a87380" alt="OneLogin SSO tab showing SAML 2.0 Endpoint HTTP, X.509 Certificate, and Issuer URL fields" width="1024" height="461" data-path="images/sso/onelogin/saml-sso-endpoint.jpeg" />
    </Frame>

    * **X.509 Certificate** — click **View Details** under the certificate, then copy the entire PEM, including the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines.

    <Frame caption="Certificate details — copy the X.509 PEM or use Download">
      <img src="https://mintcdn.com/truefoundry/TVxonWTot44QL8ec/images/sso/onelogin/saml-certificate-view-details.jpeg?fit=max&auto=format&n=TVxonWTot44QL8ec&q=85&s=28cbcaede2e584da2c0779c5eadaaae9" alt="OneLogin Standard Strength Certificate page showing the X.509 PEM certificate with copy and Download options" width="1024" height="525" data-path="images/sso/onelogin/saml-certificate-view-details.jpeg" />
    </Frame>
  </Step>

  <Step title="Paste into TrueFoundry">
    Return to **Settings → Security & Access → SSO** in TrueFoundry and edit the SSO configuration you created in Step 1. Set:

    * **Identity Provider Endpoint** → the **SAML 2.0 Endpoint (HTTP)** from OneLogin.
    * **X.509 Certificate** → the full PEM you copied from OneLogin.

    Click **Save**.
  </Step>
</Steps>

## Step 5 — Map SAML parameters in OneLogin

OneLogin doesn't include user profile attributes in the SAML response by default. You need to add them under the **Parameters** tab so TrueFoundry can identify the user.

<Steps>
  <Step title="Open the Parameters tab">
    On the OneLogin application page, click the **Parameters** tab on the left.
  </Step>

  <Step title="Add the required parameters">
    Click the **+** icon to add each custom parameter. For every entry, set the **Field name**, check **Include in SAML assertion**, then on the next screen set the **Value** to the OneLogin user attribute listed below.

    ### Add the `email` parameter

    1. Click **+** and set **Field name** to `email`. Check **Include in SAML assertion**, then click **Save**.
    2. On the edit screen, set **Value** to **Email**. Confirm **Include in SAML assertion** is checked, then click **Save**.

    <Frame caption="New Field — set Field name to email and check Include in SAML assertion">
      <img src="https://mintcdn.com/truefoundry/TVxonWTot44QL8ec/images/sso/onelogin/saml-parameters-new-field.png?fit=max&auto=format&n=TVxonWTot44QL8ec&q=85&s=a8337d1801dde90e3bc6aaaace32fbe6" alt="OneLogin New Field dialog with Field name set to email and Include in SAML assertion checked" width="565" height="452" data-path="images/sso/onelogin/saml-parameters-new-field.png" />
    </Frame>

    <Frame caption="Edit Field email — set Value to Email">
      <img src="https://mintcdn.com/truefoundry/TVxonWTot44QL8ec/images/sso/onelogin/saml-parameters-edit-field-email.png?fit=max&auto=format&n=TVxonWTot44QL8ec&q=85&s=8d258e245f93260756a37a5ee9bcece1" alt="OneLogin Edit Field email dialog with Value set to Email and Include in SAML assertion checked" width="574" height="485" data-path="images/sso/onelogin/saml-parameters-edit-field-email.png" />
    </Frame>

    ### Add the `sub` parameter

    Repeat the same flow for `sub`:

    1. Click **+** and set **Field name** to `sub`. Check **Include in SAML assertion**, then click **Save**.
    2. On the edit screen, set **Value** to **OneLogin ID**. Confirm **Include in SAML assertion** is checked, then click **Save**.

    When finished, your **Parameters** tab should look like this:

    | Field name | Value (OneLogin attribute) |
    | ---------- | -------------------------- |
    | `email`    | Email                      |
    | `sub`      | OneLogin ID                |

    <Frame caption="Parameters tab — final configuration">
      <img src="https://mintcdn.com/truefoundry/TVxonWTot44QL8ec/images/sso/onelogin/saml-parameters-final.png?fit=max&auto=format&n=TVxonWTot44QL8ec&q=85&s=3c9dbb0691a055416470b3554e9039da" alt="OneLogin Parameters tab showing NameID value Email, email mapped to Email, and sub mapped to OneLogin ID" width="1024" height="266" data-path="images/sso/onelogin/saml-parameters-final.png" />
    </Frame>

    Confirm your **Parameters** tab matches the screenshot above — including **NameID value** set to **Email**, plus the `email` and `sub` custom parameters. That is the final configuration before you assign users.
  </Step>
</Steps>

## Step 6 — Assign users in OneLogin

OneLogin only sends SAML responses for users assigned to the application.

<Steps>
  <Step title="Open Users">
    In the OneLogin top navigation, click **Users → Users**, then open the user you want to grant access to.
  </Step>

  <Step title="Assign the application">
    Click the **Applications** tab on the user page and click the **+** icon. In the popup, pick the TrueFoundry app you created and click **Continue**, then **Save**.

    <Tip>
      For bulk access, create a OneLogin **Role** that includes the TrueFoundry app and assign users to that role under **Users → Roles**. This pairs well with [SCIM with OneLogin](/docs/platform/sso/onelogin/scim).
    </Tip>
  </Step>
</Steps>

<Warning>
  Users who haven't been assigned to the OneLogin app — or whose assignment is still **Pending** approval — will see an "app not assigned" error when they click **Login with OneLogin** in TrueFoundry.
</Warning>

## Step 7 — Test single sign-on

1. Open a private/incognito window and go to your TrueFoundry login page.
2. Click **Login with OneLogin** (or whichever label you set under **Show advanced fields → Button Text**).
3. Authenticate with a OneLogin user that you assigned to the application.

If the sign-in succeeds you'll land in the TrueFoundry dashboard. The user is created automatically if [JIT provisioning](/docs/platform/user-management#user-provisioning) is on, otherwise they must already exist in TrueFoundry or be invited.

## Optional next steps

* **Automate user lifecycle with SCIM** — see [SCIM with OneLogin](/docs/platform/sso/onelogin/scim) to push users and groups from OneLogin into TrueFoundry automatically.
* **Customize the login button** — under **Show advanced fields**, set **Button Text** to `Login with OneLogin` and **Button Image URL** to a hosted logo if you'd like a branded button.

## Troubleshooting

<AccordionGroup>
  <Accordion title="OneLogin returns 'ACS URL does not match' or 'Invalid ACS URL'">
    The **ACS (Consumer) URL Validator** regex in OneLogin doesn't match the **ACS (Consumer) URL**. Re-open the **Configuration** tab and confirm that the validator pattern (for example `^https:\/\/login\.truefoundry\.com\/.*$`) genuinely matches the **Single Sign On URL** you copied from TrueFoundry. Don't forget to escape the slashes in the regex.
  </Accordion>

  <Accordion title="TrueFoundry sign-in fails with 'no email found in SAML response'">
    The `email` parameter isn't being sent. In OneLogin's **Parameters** tab, open the `email` row and make sure **Include in SAML assertion** is checked and the value is set to the user's **Email** attribute. The parameter name must be exactly `email` (lower-case) unless you've overridden **Email Claim** under TrueFoundry's **Show advanced fields**.
  </Accordion>

  <Accordion title="'Invalid Signature' or 'Could not validate SAML response'">
    The certificate copied into TrueFoundry doesn't match OneLogin's active signing certificate. From OneLogin's **SSO** tab, click **View Details** on the certificate and copy the full PEM again, including the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines, then paste it back into TrueFoundry's **X.509 Certificate** field.
  </Accordion>

  <Accordion title="The Login button works but the user gets 'no matching user found'">
    Check the provisioning mode under **Settings → Security & Access → Provisioning**:

    * **Invite-only** — the user must be invited from **Access → Users** first.
    * **JIT** — the user is created on first login automatically.
    * **SCIM** — the user must be synced from your IdP first. See [SCIM with OneLogin](/docs/platform/sso/onelogin/scim).
  </Accordion>

  <Accordion title="'Audience' or 'Entity ID mismatch' errors">
    The **Audience (Entity ID)** in OneLogin doesn't match TrueFoundry's **Audience URI (SP Entity ID)**. Re-copy the value from the TrueFoundry SSO configuration card and paste it verbatim into OneLogin's **Audience (Entity ID)** field (no trailing slashes, no extra whitespace).
  </Accordion>
</AccordionGroup>
