# SSO With OneLogin (SAML)

### Overview

This guide provides instructions to set up single sign-on (SSO) with OneLogin using the SAML 2.0 (Security Assertion Markup Language) login standard. In this scenario, OneLogin serves as your identity provider (IdP), authenticating users accessing StrongDM as the service provider (SP).

### Features

#### Basic features

* Users must authenticate using SSO every time they log in to StrongDM. Authentications from previous sessions cannot be reused.

#### Advanced features

* The current SAML integration uses the RSA-SHA256 signature algorithm (the assertion is signed, not encrypted). See the [configuration steps](#configure-onelogin).
* Email address serves as the default user ID in the SAML assertion.
* A RelayState HTTP parameter is not supported in either the SAML request or the SAML response.
* IdP-initiated authentication is supported. If the setting is enabled, a user may initiate a login from the SSO provider.

#### Unsupported features

* The direct upload of an SSO provider's metadata file is not available.

### Prerequisites

To get started, make sure the following conditions are met:

* In OneLogin, you must be an administrator with the ability to manage application settings.
* In StrongDM, your permission level must be set to Administrator.
* Ensure you have a unique identifier for users. Only email address is currently supported.

### Configure StrongDM

Use the following steps to configure StrongDM to work with your IdP. Once the SAML feature is enabled in StrongDM, these values can be copied to the configuration settings used in OneLogin.

1. In the StrongDM Admin UI, go to **Settings** > **User Management**.
2. Click the **Lock** icon to make changes.
3. Click **Yes** to enable single sign-on.
4. Select **OneLogin (SAML)** from the **Provider** drop-down menu. With this setting, users log in to StrongDM using OneLogin and the SAML protocol.
5. Copy your organization's StrongDM domain name as it is needed for OneLogin.
6. Leave the StrongDM browser window open and continue with the [OneLogin configuration](#configure-onelogin).

### Configure OneLogin

Use the following steps to add the recommended SAML settings in OneLogin. These settings have been tested and confirmed. However, other configuration options may apply.

{% hint style="info" %}
These instructions vary based on your organization's StrongDM region (not your individual location).
{% endhint %}

{% tabs %}
{% tab title="US" %}

1. Log in to the [OneLogin admin dashboard](https://app.onelogin.com/login) using your company name.
2. Click **Applications > Applications** and then click **Add App**.
3. Search for **StrongDM** and select the **SAML 2.0, provisioning** application type.

   ![](sso-onelogin-app-type.png)
4. Name the application **StrongDM** and click **Save**.
5. Once the application is created, go to the **Configuration** tab. Under **Application details**, paste your StrongDM organization domain (copied when setting up the integration in StrongDM) in the **StrongDM Account ID** field.

   ![](/files/eHQ9WqleIVtIwZxsifUh)
6. Enter the **Login URL**: `https://app.strongdm.com`.
7. Go to the **SSO** section. Set **SAML Signature Algorithm** to **SHA-256**.

   ![](/files/KLYptM6xap4NuqOvXcF9)
8. Click **Save** to finish the SSO configuration in OneLogin.
{% endtab %}

{% tab title="UK" %}
*Follow instructions in the tab for the region of your organization's StrongDM control plane, not your own location. The default control plane region is US.*

1. Log in to the [OneLogin admin dashboard](https://app.onelogin.com/login) using your company name.
2. Click **Applications > Applications** and then click **Add App**.
3. Search for **StrongDM** and select the **SAML 2.0, provisioning** application type.

   ![](sso-onelogin-app-type.png)
4. Name the application **StrongDM** and click **Save**.
5. Once the application is created, go to the **Configuration** tab. Under **Application details**, paste your StrongDM organization domain (copied when setting up the integration in StrongDM) in the **StrongDM Account ID** field.

   ![](/files/eHQ9WqleIVtIwZxsifUh)
6. Enter the **Login URL**: `https://app.uk.strongdm.com`.
7. Go to the **SSO** section. Set **SAML Signature Algorithm** to **SHA-256**.

   ![](/files/KLYptM6xap4NuqOvXcF9)
8. Click **Save** to finish the SSO configuration in OneLogin.
{% endtab %}

{% tab title="EU" %}
*Follow instructions in the tab for the region of your organization's StrongDM control plane, not your own location. The default control plane region is US.*

1. Log in to the [OneLogin admin dashboard](https://app.onelogin.com/login) using your company name.
2. Click **Applications > Applications** and then click **Add App**.
3. Search for **StrongDM** and select the **SAML 2.0, provisioning** application type.

   ![](sso-onelogin-app-type.png)
4. Name the application **StrongDM** and click **Save**.
5. Once the application is created, go to the **Configuration** tab. Under **Application details**, paste your StrongDM organization domain (copied when setting up the integration in StrongDM) in the **StrongDM Account ID** field.

   ![](/files/eHQ9WqleIVtIwZxsifUh)
6. Enter the **Login URL**: `https://app.eu.strongdm.com`.
7. Go to the **SSO** section. Set **SAML Signature Algorithm** to **SHA-256**.

   ![](/files/KLYptM6xap4NuqOvXcF9)
8. Click **Save** to finish the SSO configuration in OneLogin.
{% endtab %}
{% endtabs %}

### Add SAML Metadata

SPs and IdPs exchange XML metadata to share configuration, establish trust (the IdP's signing certificate and endpoints), and communicate with each other. For this purpose, you point StrongDM at the IdP metadata published by OneLogin from the SSO section of the StrongDM Admin UI. After you have configured the application settings in OneLogin, use these steps to add the IdP metadata URL to StrongDM. This value is required for your SSO configuration to work correctly.

1. From the admin dashboard in OneLogin, click **Applications** > **Applications**.
2. Click to select the **StrongDM** application.
3. Select **SSO** from the side navigation.
4. Copy the value in the **Issuer URL** field.

   ![](/files/9KMyEiZhTqfrxpKlLTMP)
5. Go to the StrongDM browser window you left open while configuring the [OneLogin (SAML) settings](#configure-strongdm).
6. In the **Add SAML Metadata** section, paste the copied **Issuer URL** value from OneLogin into the **Metadata URL** field in StrongDM.
7. In the **Configure Common SAML Settings** section, you may enable **Allow IDP Initiated Authentication** if you wish to allow users to log in via a link from OneLogin.
8. Click **Save** to complete the setup.

{% hint style="info" %}
StrongDM currently caches the SAML metadata for three hours. Changes on the OneLogin side, such as a rotated signing certificate, may therefore take up to three hours to take effect in StrongDM.
{% endhint %}

### Troubleshooting

When troubleshooting your SAML integration, note that the following can prevent successful user logins:

* The correct [SAML metadata URL](#add-saml-metadata) must be added in StrongDM. If this URL is incorrect, you may get errors that the XML is invalid during login attempts.
* If the application is misconfigured or the field values are wrong in OneLogin, you can get a permission denied error in StrongDM. This error also displays if the user is not added to the app in OneLogin.

