Set up SSO with OneLogin
This guide connects OneLogin to KloudMate using SAML, via OneLogin’s SAML Custom Connector.
Before you start
- You’re the KloudMate organization owner on a paid plan.
- You’re an admin in OneLogin.
- Copy KloudMate’s values first from the Service provider details card — you’ll need the ACS URL and the SP Entity ID (the entityID in the downloaded SP metadata).
1. Create the SAML app
- In the OneLogin admin portal, go to Applications → Applications → Add App.
- Search for SAML Custom Connector (Advanced) and add it.
- Give it a display name like KloudMate and save.
2. Configure the SAML settings
On the app’s Configuration tab, set:
- ACS (Consumer) URL — your KloudMate ACS URL, https://api.kloudmate.com/sso/saml
- ACS (Consumer) URL Validator — a regex that matches the ACS URL (OneLogin requires one; escape the dots, for example ^https:\/\/api\.kloudmate\.com\/sso\/saml$)
- Audience (EntityID) — your KloudMate SP Entity ID
- Recipient — the same as the ACS URL
- NameID format — Email
Save the configuration.
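A quick way to sanity-check an ACS URL Validator regex before saving it. This is an added example, not part of KloudMate's or OneLogin's documentation. It assumes Python's `re` search semantics as a stand-in for the validator's regex engine, and the near-miss URLs and the function name `check_validator` are constructed for illustration.

```python
import re

# ACS URL and validator pattern exactly as given in the guide.
ACS_URL = "https://api.kloudmate.com/sso/saml"
GUIDE_PATTERN = r"^https:\/\/api\.kloudmate\.com\/sso\/saml$"

# Constructed near-miss URLs that a correct validator must reject.
NEAR_MISSES = [
    "https://apiXkloudmate.com/sso/saml",              # slips through an unescaped dot
    "https://api.kloudmate.com/sso/saml/extra",        # slips through a missing $
    "https://api.kloudmate.com/sso/saml.example.net",  # slips through a missing $
    "https://example.net/?r=https://api.kloudmate.com/sso/saml",  # missing ^
    "http://api.kloudmate.com/sso/saml",               # wrong scheme
]


def check_validator(pattern, acs_url=ACS_URL, near_misses=NEAR_MISSES):
    """Return (accepts_acs_url, wrongly_accepted_urls) for a candidate regex.

    A validator is sound only when the first value is True and the
    second is an empty list.
    """
    rx = re.compile(pattern)
    accepts = rx.search(acs_url) is not None
    wrongly_accepted = [u for u in near_misses if rx.search(u)]
    return accepts, wrongly_accepted


if __name__ == "__main__":
    candidates = {
        "guide pattern": GUIDE_PATTERN,
        "anchored, dots unescaped": r"^https://api.kloudmate.com/sso/saml$",
        "escaped, not anchored": r"https://api\.kloudmate\.com/sso/saml",
    }
    for label, pattern in candidates.items():
        ok, leaked = check_validator(pattern)
        verdict = "OK" if ok and not leaked else "TOO LOOSE"
        print(f"{label}: {verdict}")
        for url in leaked:
            print(f"    also accepts: {url}")
```
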
3. Map the email attribute
On the Parameters tab, confirm the NameID (or an attribute named email) is set to the user’s Email. KloudMate reads the email from the NameID or an email attribute, so one of those must carry it.
4. Copy OneLogin’s metadata into KloudMate
- On the app’s More Actions menu, choose SAML Metadata to download the IdP metadata XML (or copy the Issuer URL / metadata URL from the SSO tab).
- In KloudMate, open Connections → Add connection, choose SAML 2.0, keep Paste metadata XML, and paste the metadata into IdP metadata XML.
- Set Display name to OneLogin and click Add connection.
To configure manually instead of pasting metadata, switch the dialog to Enter manually and copy OneLogin’s SAML 2.0 Endpoint (HTTP) into SSO URL (entry point), its Issuer URL into Issuer (IdP entity ID), and its X.509 Certificate into IdP signing certificate.
Finish up
- Verify your company domain.
- Choose a provisioning mode.
- Test sign-in with a work email on a verified domain via Sign in with SSO.
Hitting an error? See Troubleshooting.