> Learn how to configure OneLogin as a SAML identity provider for use with Auth0.

# Configure OneLogin as SAML Identity Provider

Configure OneLogin as a <Tooltip tip="Security Assertion Markup Language (SAML): Standardized protocol allowing two parties to exchange authentication information without a password." cta="View Glossary" href="/docs/glossary?term=SAML">SAML</Tooltip> <Tooltip tip="Security Assertion Markup Language (SAML): Standardized protocol allowing two parties to exchange authentication information without a password." cta="View Glossary" href="/docs/glossary?term=identity+provider">identity provider</Tooltip> by completing the following steps:

1. Configure the OneLogin SAML integration.
2. Configure the SAML connection in Auth0.
3. Test the connection.

## Prerequisite

You must have a OneLogin developer account.

## Configure OneLogin

1. Log in to the [OneLogin](https://www.onelogin.com/) Dashboard, and click **Apps** > **Add Apps**.
2. Search for **SAML**, and select **SAML Test Connector (IdP w/attr)**.
3. When prompted, change the **Display Name** of your app.
4. Click **SAVE**.
5. Go to the **SSO** tab, and copy the values for **SAML 2.0 Endpoint (HTTP)** and **SLO Endpoint (HTTP)**.
6. Click on the **View Details** link at the **X.509 Certificate** field.
7. Download the X.509 certificate **onelogin.pem**.

## Configure Auth0 connection

1. Go to [Dashboard > Authentication > Enterprise > SAMLP](https://manage.auth0.com/#) and click the **plus** icon to be redirected to the page that allows you to create a new Connection.
2. You will be prompted to provide the appropriate configuration settings for this Connection. The only mandatory fields are:

| Setting                      | Description                                                                                              |
| ---------------------------- | -------------------------------------------------------------------------------------------------------- |
| **Sign In URL**              | The SAML 2.0 Endpoint (HTTP) value you noted when setting up your OneLogin app.                          |
| **Sign Out URL**             | The SLO Endpoint (HTTP) value you noted when setting up your OneLogin app.                               |
| **X509 Signing Certificate** | The certificate you downloaded from OneLogin. You will need to upload the certificate directly to Auth0. |

3. Click **Save** to proceed.
4. In the next window, you'll be given two options.

   1. If you are a domain administrator, you can click **Continue** for additional instructions on SAML Identity Provider Configuration.
   2. If you are not, you can give your domain administrator the provided URL so that they can finish the configuration.

### Auth0 configuration values

To finish configuration of the SAML application, the admin will need the following information regarding Auth0:

* **SAML Consumer URL**: `https://{yourDomain}/login/callback`
* **SAML <Tooltip tip="Audience: Unique identifier of the audience for an issued token. Named aud in a token, its value contains the ID of either an application (Client ID) for an ID Token or an API (API Identifier) for an Access Token." cta="View Glossary" href="/docs/glossary?term=Audience">Audience</Tooltip>**: `urn:auth0:{yourTenant}:{yourConnectionName}`

Also copy the values of the **post-back URL** and the **Entity ID** before heading back to the Configuration tab of your [OneLogin](https://www.onelogin.com/) app:

| Auth0 value   | OneLogin configuration field     |
| ------------- | -------------------------------- |
| Post-back URL | ACS (Consumer) URL and Recipient |
| Entity ID     | Audience                         |

Also provide a valid regular expression for the **ACS (Consumer) URL Validator**. For example:

`[-a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%_\+.~#?&//=]*)`
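The example pattern above matches almost any URL, so it does little to restrict where assertions may be posted. The following added example (not part of the original Auth0 or OneLogin documentation) compares it with a pattern anchored to one tenant's callback URL; the tenant domain, connection name, and the assumption that the validator performs an unanchored search are all hypothetical.

```python
import re

# The example validator pattern from this page, verbatim.
PAGE_EXAMPLE = r"[-a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%_\+.~#?&//=]*)"

def strict_acs_pattern(domain, connection=None):
    """Pattern that accepts only https://<domain>/login/callback.

    If `connection` is given, the ?connection=<name> form used for
    IdP-initiated SSO is accepted as well.
    """
    pattern = re.escape(f"https://{domain}/login/callback")
    if connection is not None:
        pattern += "(?:" + re.escape(f"?connection={connection}") + ")?"
    # \A and \Z are Python's whole-string anchors; use the equivalent
    # anchors of whatever regex engine the validator runs.
    return r"\A" + pattern + r"\Z"

def accepts(pattern, url):
    # Assumption: the validator searches for the pattern anywhere in the
    # URL, so any anchoring has to come from the pattern itself.
    return re.search(pattern, url) is not None

# Constructed sample values (hypothetical tenant and connection names).
DOMAIN = "example-tenant.us.auth0.com"
STRICT = strict_acs_pattern(DOMAIN, connection="onelogin-customer")
CANDIDATES = [
    f"https://{DOMAIN}/login/callback",
    f"https://{DOMAIN}/login/callback?connection=onelogin-customer",
    f"http://{DOMAIN}/login/callback",               # plain HTTP
    f"https://{DOMAIN}.example.org/login/callback",  # tenant name as a subdomain label
    "https://idp-test.example.net/login/callback",   # unrelated host
]

def compare():
    """Map each candidate URL to (page example accepts, strict accepts)."""
    return {u: (accepts(PAGE_EXAMPLE, u), accepts(STRICT, u)) for u in CANDIDATES}

if __name__ == "__main__":
    for url, (loose, strict) in compare().items():
        print(f"{url:75} page-example={loose!s:5} strict={strict}")
```

Only the first two candidates pass the anchored pattern, while the page's example pattern accepts all five.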

## Test connection

Before testing your connection:

* Be sure that you have a OneLogin user that you can use for testing. If not, go to the **Users** tab on the OneLogin dashboard and add one.
* Be sure that your new Auth0 SAMLP connection has been associated with an application (otherwise you will get an `invalid_request: the connection was disabled` error).

Next to your **SAML** connection, click the **Try** button. If all goes well, you will be redirected to a page informing you that the connection works.

## Identity provider-initiated SSO

OneLogin offers an Application Portal/Launcher to its users. If you want to take advantage of this functionality, you will have to change the **SAML Consumer URL** in the OneLogin dashboard to include the `connection` parameter (e.g., `https://{yourDomain}/login/callback?connection=onelogin-customer`). Be sure to replace `onelogin-customer` with the name of your Auth0 connection.

Finally, be sure to enable IdP-initiated login for the connection and pick the application to which your user is redirected after the SAML assertion is consumed. To learn more, read [Configure Identity-Provider-Initiated Single Sign-On](/docs/authenticate/protocols/saml/saml-sso-integrations/identity-provider-initiated-single-sign-on).

## Edit connection mappings

If you use OneLogin and Auth0 out of the box, users logging in using OneLogin and created in the <Tooltip tip="Auth0 Dashboard: Auth0's main product to configure your services." cta="View Glossary" href="/docs/glossary?term=Auth0+Dashboard">Auth0 Dashboard</Tooltip> will be missing some profile information you might like to have.

To collect additional user information, edit the appropriate parameters in the OneLogin dashboard, include the parameters in the SAML assertion, and create the mappings in the Auth0 connection.

### User profile attributes

Sometimes the standard User Profile Attributes are not enough for the functionality you want to build. If this is the case, you can use custom attributes in order to enhance the SAML token. Let's work through a basic example.

The SAML token contains, among others, two attributes: `FirstName` and `LastName`. Let's add a new custom attribute, named `FullName`, that will contain the concatenation of first and last name.

1. Navigate to the OneLogin dashboard and edit your app.
2. On the **Parameters** tab, click **Add Parameter**.
3. In the pop-up, set a name for your new custom attribute using the **Field name** text box. Make sure you check the **Include in SAML assertion** flag. Click **Save**.
4. The new attribute you created is displayed. Click on the **Value** field, which is currently displaying `- No default -`.
5. Click the **Value** dropdown menu and select `- Macro -`.
6. At the text box, set the value to `{firstname} {lastname}`. Click **Save**.
7. Test your changes. Go back to [Auth0 dashboard > Authentication > Enterprise > SAML](https://manage.auth0.com/#/connections/enterprise). On your **SAML** connection, click the **Try** button. The result should include the new attribute `FullName`.

You can find more information on Attribute Macros at the [OneLogin Help Center](https://support.onelogin.com/hc/en-us/articles/201174464-Attribute-macros).

### Add new parameter to SAML assertion

For the purposes of demonstration, let's add the `EmailAddress` information to our login. Unlike `FullName`, it is more than a concatenation of two fields we're already sending.

1. Before you can map users' **EmailAddress**, you must add this field as a custom parameter in the OneLogin dashboard. Set **Field name** to `EmailAddress` and **Value** to `Email`.
2. You can find details on the steps needed to customize the user profile in the section above.
3. Once you've made your changes, save them, and test your connection once again.
4. Review your Auth0 user, making sure that the `EmailAddress` information is now included and that the value is correct.

You are now ready to proceed with mapping the user information fields in Auth0.

1. Go to the **Settings** of your [SAML](https://manage.auth0.com/#/connections/enterprise) connection and navigate to the **Mappings** tab. For the email addresses, copy the mapping below, and paste it into the text box.
2. Save your changes, and try your connection again. Once you have successfully logged in, go to [Dashboard > User Management > Users](https://manage.auth0.com/#/users), and check your login. You will see additional information for the appropriate user.
