This guide walks you through setting up SAML 2.0 single sign-on between TrueFoundry and OneLogin. OneLogin doesn’t ship a TrueFoundry-specific connector, so you’ll use the SAML Custom Connector (Advanced) app and wire it up manually. Once finished, members of your OneLogin account can sign in to TrueFoundry through a Login with OneLogin button.

Prerequisites

  • A TrueFoundry tenant with Admin access to Settings → Security & Access → SSO.
  • A OneLogin account with permission to create new Applications (Super User or Admin).
You’ll bounce between the OneLogin admin console and the TrueFoundry SSO settings. Keep both open in adjacent tabs to copy-paste values quickly.

Configuration overview

  1. Create the SSO configuration in TrueFoundry. Save a SAML SSO configuration in TrueFoundry to surface the ACS URL, Audience (Entity ID), and Relay URL.
  2. Create a custom SAML app in OneLogin. Add the SAML Custom Connector (Advanced) app — this is what TrueFoundry federates with.
  3. Configure the SAML connection on both sides. Paste TrueFoundry’s values into OneLogin, then paste OneLogin’s IdP values back into TrueFoundry.
  4. Map SAML parameters and assign users. Add the email and sub attributes TrueFoundry needs and assign users to the OneLogin app.

Step 1 — Create the SSO configuration in TrueFoundry

  1. Open SSO settings. Go to Settings → Security & Access → SSO. Click the + icon labeled Add New SSO Config.
     [Screenshot: TrueFoundry SSO settings page with the Add New SSO Config plus button highlighted]
  2. Fill in the basic fields:
       • Enabled: turn this on.
       • Name: a lowercase alphanumeric label — for example, oneloginsaml.
       • SSO Provider: choose Custom.
       • Authentication Configuration: select SAML v2.
     Leave Identity Provider Endpoint and X.509 Certificate blank for now — you’ll fill them in once OneLogin surfaces those values.
  3. Save to reveal the Single Sign On URL, Audience URI (SP Entity ID), and Relay URL. Click Save. TrueFoundry displays the values you need for OneLogin on the SSO configuration card (OneLogin field → value from TrueFoundry):
       • ACS (Consumer) URL → Single Sign On URL
       • Audience (Entity ID) → Audience URI (SP Entity ID)
       • Relay State (if used) → Relay URL
     [Screenshot: TrueFoundry SSO configuration card displaying Audience URI, Single Sign On URL, Metadata URL, and Relay URL for SAML setup]

Step 2 — Create a SAML app in OneLogin

  1. Open Applications. Sign in to the OneLogin admin console as an administrator. In the top navigation, click Applications, then click Applications again in the dropdown.
     [Screenshot: OneLogin Applications page with the Add App button highlighted in the top right corner]
  2. Add a new app. Click Add App in the top right corner. In the Find Applications search bar, type SAML Custom and select SAML Custom Connector (Advanced) from the results.
     [Screenshot: OneLogin Find Applications page showing SAML Custom search results with SAML Custom Connector Advanced listed]
  3. Name the application. Enter a Display Name such as TrueFoundry, optionally upload an app icon, and click Save. OneLogin lands you on the application’s detail page once it’s saved.

Step 3 — Enter TrueFoundry’s details into OneLogin

Back in OneLogin’s application detail page, switch to the Configuration tab on the left.
  1. Fill in the Application details. Paste the TrueFoundry values into the corresponding OneLogin fields (OneLogin field → value to paste):
       • Audience (Entity ID) → TrueFoundry Audience URI (SP Entity ID)
       • ACS (Consumer) URL Validator → a regex that matches the TrueFoundry Single Sign On URL, for example ^https:\/\/login\.truefoundry\.com\/.*$
       • ACS (Consumer) URL → TrueFoundry Single Sign On URL
       • Relay State → TrueFoundry Relay URL
     The ACS (Consumer) URL Validator is a regex, not a plain URL. OneLogin rejects the SAML response if the URL doesn’t match this pattern. The example above accepts any path on login.truefoundry.com; tighten it if you prefer.
     [Screenshot: OneLogin Configuration tab Application details section showing Audience Entity ID, ACS Consumer URL Validator, ACS Consumer URL, and Relay State fields]
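To see what "tighten it if you prefer" means in practice, here is an added Python example (not code from TrueFoundry or OneLogin) that runs the guide's validator pattern next to an exact-match pattern built from the ACS URL. The ACS URL used below is a constructed placeholder; copy your own Single Sign On URL from the TrueFoundry SSO card. It also assumes that, for this simple pattern, Python's regex engine accepts the same URLs OneLogin's validator does.

```python
import re

# The validator pattern quoted in the guide: it accepts any path on login.truefoundry.com.
LOOSE_VALIDATOR = r"^https:\/\/login\.truefoundry\.com\/.*$"

# Constructed placeholder for the Single Sign On URL TrueFoundry shows on the SSO card;
# the real path comes from your own configuration card, not from this example.
ACS_URL = "https://login.truefoundry.com/example-tenant/saml/acs"


def build_exact_validator(acs_url: str) -> str:
    """Return a validator regex that matches exactly one ACS URL.

    re.escape quotes every regex metacharacter (the dots in the host, any '?' or '+'
    in a query string), and the anchors stop the pattern from accepting a longer URL
    that merely starts with the ACS URL.
    """
    return "^" + re.escape(acs_url) + "$"


def acs_url_allowed(validator: str, url: str) -> bool:
    """Apply a validator the way the guide describes OneLogin using it: the ACS URL
    must match the pattern, otherwise the response is rejected.

    Python's re treats a backslash-escaped slash as a literal slash, so OneLogin's
    example pattern can be tested here unchanged (an assumption for this simple
    pattern; another regex engine may differ on other constructs).
    """
    return re.fullmatch(validator, url) is not None


def compare_validators(acs_url: str, candidates: list[str]) -> dict[str, dict[str, bool]]:
    """For each candidate URL, report whether the loose and the exact validator accept it."""
    exact = build_exact_validator(acs_url)
    return {
        url: {"loose": acs_url_allowed(LOOSE_VALIDATOR, url),
              "exact": acs_url_allowed(exact, url)}
        for url in candidates
    }


if __name__ == "__main__":
    report = compare_validators(ACS_URL, [
        ACS_URL,                                                      # the real ACS URL
        ACS_URL + "/extra",                                           # longer path, same prefix
        "https://login.truefoundry.com/some/other/path",              # different path, same host
        "http://login.truefoundry.com/example-tenant/saml/acs",       # plain HTTP
        "https://login.truefoundry.example/example-tenant/saml/acs",  # different host
    ])
    for url, verdict in report.items():
        print(f"{url}\n  loose: {verdict['loose']}  exact: {verdict['exact']}")
```

The loose pattern accepts every HTTPS URL on the host, including paths that are not your ACS endpoint; the exact pattern accepts only the URL you copied from TrueFoundry, which is the value to paste into ACS (Consumer) URL Validator if you want the tighter check.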
  2. Set the SAML initiator and signature element. Scroll down in the Configuration tab and set:
       • SAML initiator → Service Provider.
       • SAML signature element → Assertion.
       • SAML nameID format → Email.
     Leave the other defaults (encryption, etc.) in place unless you have a specific reason to change them.
     [Screenshot: OneLogin Configuration tab showing SAML initiator set to Service Provider, SAML signature element set to Assertion, and SAML nameID format set to Email]
  3. Save. Click Save in the top right.

Step 4 — Copy OneLogin’s IdP details back to TrueFoundry

Switch to the SSO tab on the left side of the OneLogin application.
  1. Grab the IdP endpoint and certificate. From the SSO tab, collect:
       • SAML 2.0 Endpoint (HTTP) — this is the URL TrueFoundry uses to redirect users to OneLogin.
         [Screenshot: OneLogin SSO tab showing SAML 2.0 Endpoint HTTP, X.509 Certificate, and Issuer URL fields]
       • X.509 Certificate — click View Details under the certificate, then copy the entire PEM, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
         [Screenshot: OneLogin Standard Strength Certificate page showing the X.509 PEM certificate with copy and Download options]
  2. Paste into TrueFoundry. Return to Settings → Security & Access → SSO in TrueFoundry and edit the SSO configuration you created in Step 1. Set:
       • Identity Provider Endpoint → the SAML 2.0 Endpoint (HTTP) from OneLogin.
       • X.509 Certificate → the full PEM you copied from OneLogin.
     Click Save.

Step 5 — Map SAML parameters in OneLogin

OneLogin doesn’t include user profile attributes in the SAML response by default. You need to add them under the Parameters tab so TrueFoundry can identify the user.
  1. Open the Parameters tab. On the OneLogin application page, click the Parameters tab on the left.
  2. Add the required parameters. Click the + icon to add each custom parameter. For every entry, set the Field name, check Include in SAML assertion, then on the next screen set the Value to the OneLogin user attribute listed below.

Add the email parameter

  1. Click + and set Field name to email. Check Include in SAML assertion, then click Save.
  2. On the edit screen, set Value to Email. Confirm Include in SAML assertion is checked, then click Save.
[Screenshot: OneLogin New Field dialog with Field name set to email and Include in SAML assertion checked]
[Screenshot: OneLogin Edit Field email dialog with Value set to Email and Include in SAML assertion checked]

Add the sub parameter

Repeat the same flow for sub:
  1. Click + and set Field name to sub. Check Include in SAML assertion, then click Save.
  2. On the edit screen, set Value to OneLogin ID. Confirm Include in SAML assertion is checked, then click Save.
When finished, your Parameters tab should look like this (Field name → Value (OneLogin attribute)):
  • email → Email
  • sub → OneLogin ID
[Screenshot: OneLogin Parameters tab showing NameID value Email, email mapped to Email, and sub mapped to OneLogin ID]
Confirm your Parameters tab matches the screenshot above — including NameID value set to Email, plus the email and sub custom parameters. That is the final configuration before you assign users.

Step 6 — Assign users in OneLogin

OneLogin only sends SAML responses for users assigned to the application.
  1. Open Users. In the OneLogin top navigation, click Users → Users, then open the user you want to grant access to.
  2. Assign the application. Click the Applications tab on the user page and click the + icon. In the popup, pick the TrueFoundry app you created and click Continue, then Save.
For bulk access, create a OneLogin Role that includes the TrueFoundry app and assign users to that role under Users → Roles. This pairs well with SCIM with OneLogin.
Users who haven’t been assigned to the OneLogin app — or whose assignment is still Pending approval — will see an “app not assigned” error when they click Login with OneLogin in TrueFoundry.

Step 7 — Test single sign-on

  1. Open a private/incognito window and go to your TrueFoundry login page.
  2. Click Login with OneLogin (or whichever label you set under Show advanced fields → Button Text).
  3. Authenticate with a OneLogin user that you assigned to the application.
If the sign-in succeeds you’ll land in the TrueFoundry dashboard. The user is created automatically if JIT provisioning is on, otherwise they must already exist in TrueFoundry or be invited.

Optional next steps

  • Automate user lifecycle with SCIM — see SCIM with OneLogin to push users and groups from OneLogin into TrueFoundry automatically.
  • Customize the login button — under Show advanced fields, set Button Text to Login with OneLogin and Button Image URL to a hosted logo if you’d like a branded button.

Troubleshooting

  • The ACS (Consumer) URL Validator regex in OneLogin doesn’t match the ACS (Consumer) URL. Re-open the Configuration tab and confirm that the validator pattern (for example ^https:\/\/login\.truefoundry\.com\/.*$) genuinely matches the Single Sign On URL you copied from TrueFoundry. Don’t forget to escape the slashes in the regex.
  • The email parameter isn’t being sent. In OneLogin’s Parameters tab, open the email row and make sure Include in SAML assertion is checked and the value is set to the user’s Email attribute. The parameter name must be exactly email (lower-case) unless you’ve overridden Email Claim under TrueFoundry’s Show advanced fields.
  • The certificate copied into TrueFoundry doesn’t match OneLogin’s active signing certificate. From OneLogin’s SSO tab, click View Details on the certificate and copy the full PEM again, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, then paste it back into TrueFoundry’s X.509 Certificate field.
  • Check the provisioning mode under Settings → Security & Access → Provisioning:
      • Invite-only — the user must be invited from Access → Users first.
      • JIT — the user is created on first login automatically.
      • SCIM — the user must be synced from your IdP first. See SCIM with OneLogin.
  • The Audience (Entity ID) in OneLogin doesn’t match TrueFoundry’s Audience URI (SP Entity ID). Re-copy the value from the TrueFoundry SSO configuration card and paste it verbatim into OneLogin’s Audience (Entity ID) field (no trailing slashes, no extra whitespace).
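Three of the items above (the missing email attribute, the stale certificate, the Audience mismatch) can be checked directly against the SAMLResponse OneLogin posts to the ACS URL. The following is an added Python example, not TrueFoundry or OneLogin code: it decodes a base64 SAMLResponse, pulls out the Issuer, Audience, NameID, the email and sub attributes from Step 5 and the signing certificate from KeyInfo, and compares them with what you configured. The sample response, app ID, tenant values and certificate bytes are all constructed stand-ins; the helper only reads the XML and does not verify the signature, so run it on a response captured from your own browser session's form post when a login fails.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for OneLogin's signing certificate: plain bytes, not a real X.509
# certificate, so the example runs offline. Real fingerprints are taken over DER bytes the same way.
FAKE_CERT_DER = b"constructed-stand-in-for-a-der-encoded-certificate"
FAKE_CERT_B64 = base64.b64encode(FAKE_CERT_DER).decode()

# What you would paste into TrueFoundry's X.509 Certificate field (constructed PEM wrapper).
CONFIGURED_PEM = f"-----BEGIN CERTIFICATE-----\n{FAKE_CERT_B64}\n-----END CERTIFICATE-----\n"

# Constructed SAML Response carrying the elements the troubleshooting section talks about.
# The app ID, tenant values and addresses are placeholders; Signature children other than
# KeyInfo are omitted. This is not a capture from a real tenant.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" Destination="https://login.truefoundry.com/example-tenant/saml/acs">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/EXAMPLE-APP-ID</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://app.onelogin.com/saml/metadata/EXAMPLE-APP-ID</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>example-tenant-audience-uri</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="sub"><saml:AttributeValue>12345678</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
# A form-posted SAMLResponse is base64; encode the sample the same way.
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def pem_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes inside a PEM block (header and footer lines ignored)."""
    body = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def inspect_response(saml_response_b64: str) -> dict:
    """Decode a SAMLResponse and collect the fields worth comparing with the configuration.
    Reads the XML only; the XML signature is not verified here."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion found (encrypted assertions are not handled here)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    cert = assertion.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    attributes = {
        attr.get("Name"): [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    return {
        "issuer": assertion.findtext("saml:Issuer", default="", namespaces=NS),
        "audience": assertion.findtext(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS),
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attributes,
        # Certificate text may be line-wrapped in the response; drop whitespace before decoding.
        "signing_cert_sha256": (
            hashlib.sha256(base64.b64decode("".join(cert.text.split()))).hexdigest()
            if cert is not None and cert.text else None),
    }


def check_against_config(info: dict, expected_audience: str, configured_pem: str,
                         email_claim: str = "email") -> dict:
    """Map the decoded response onto the troubleshooting items above.
    Returns {problem key: explanation}; an empty dict means nothing to fix."""
    findings = {}
    if info["audience"] != expected_audience:
        findings["audience"] = (f"assertion Audience {info['audience']!r} differs from the "
                                f"TrueFoundry Audience URI {expected_audience!r}; re-copy it verbatim")
    if email_claim not in info["attributes"]:
        findings["email"] = (f"attribute {email_claim!r} missing; check Include in SAML assertion "
                             f"on the {email_claim} parameter")
    if "sub" not in info["attributes"]:
        findings["sub"] = "attribute 'sub' missing; add the sub parameter mapped to OneLogin ID"
    if info["signing_cert_sha256"] != pem_fingerprint(configured_pem):
        findings["certificate"] = ("signing certificate in the response differs from the PEM "
                                   "configured in TrueFoundry; re-copy the full PEM")
    return findings


if __name__ == "__main__":
    decoded = inspect_response(SAMPLE_RESPONSE_B64)
    print(decoded)
    print(check_against_config(decoded, "example-tenant-audience-uri", CONFIGURED_PEM))
```

Pass the Audience URI from the TrueFoundry SSO card and the PEM you pasted into the X.509 Certificate field; a trailing slash on the Audience or a PEM copied without its last lines shows up as a finding keyed "audience" or "certificate". If you overrode Email Claim under Show advanced fields, pass that name as email_claim.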