OneLogin SSO Configuration Guide

Start using OneLogin to login securely into

Updated over a week ago


Follow these steps in order to use OneLogin as your SSO provider for

1. Log in to the OneLogin Dashboard, and click Apps > Add Apps.

2. Search for SAML, and select SAML Custom Connector (Advanced)

3. When prompted, change the Display Name of your app.

4. Click SAVE.

5. Go to the SSO tab, and copy the values for SAML 2.0 Endpoint (HTTP) and SLO Endpoint (HTTP).

6. Click on the View Details link at the X.509 Certificate field. Download the X.509 certificate (onelogin.pem)

7. Share the values from step 5 and the file from step 6 with the team.

8. Provide a valid regular expression for the ACS (Consumer) URL Validator. Use the following: [-a-zA-Z0-9@:%._\\+~#=]{2,256}\\.[a-z]{2,6}\\b([-a-zA-Z0-9@:%_\\+.~#?&//=]*)

9. Set these values in the configuration:

10. Once has finished to setup the connection with the provided values, we will share the values that you need to configure for these fields:

  • ACS (Consumer) URL and Recipient

  • Audience

Once the connection is configured, your platform success representative will contact you to configure the first admin user for your team. By default, all SSO users are created with the "member" role.

Testing your connection

Once you configured the connection successfully, follow these steps to test the connection:

  1. Navigate to your tenant URL: US, EU, or your custom single-tenant URL.

  2. Write your email in the log in screen

  3. You will be redirected to log in to the OneLogin User Portal

  4. The browser will be redirected back to the application and be automatically logged in. If it it's the first time the user logs in, then the user it will be created in with the "member" role.


Here is a list of the frequently asked question regarding our SSO integration:



My organization uses an identity service provider (IdP) that's not in the list above. Will it be supported?

If your IDP provides a SAML metadata URL for dynamic configuration, you can follow the same setup steps as above. Please contact support for SAML configuration assistance for other IDPs.

Does Lang support IdP-initiatied flows?

IdP-initiated flows carry a security risk and are therefore are disabled by default. This may be enabled upon request. Make sure you understand the risks before enabling IdP-initiated SSO. In case you want to use it, set "SAML initiator" to "OneLogin".

How does Lang SAML SSO handle user provisioning?

Lang supports Just-in-Time (JIT) provisioning โ€” the user is created the first time it completes the first login into Lang. The default role for these users is the "member" role. We don't currently support user provisioning with SCIM.

Does Lang SAML SSO support Single Logout?

Not at this time. If Single Logout is important to you, please contact our support team to let us know. Take into account that users are logged out after 30 minutes of inactivity. We also have an absolute logout for users every 12 hours.

What version of SAML does Lang support?

We currently support SAML v2.0.

Did this answer your question?