SAML Integration

OneCloud administrators can configure users within their company to log in via Single Sign-On (SSO). Through the use of SAML (Security Assertion Markup Language), it is possible to access a OneCloud tenant with credentials stored by another identity provider.

Identity Provider (IdP) specific instructions

OneCloud's implementation of SSO is not specific to any particular provider, but the documentation has been created for the following providers:


If a user belongs to the Admin Group, then SAML can be configured. Navigate to Applications ➡️ Admin ➡️ Users & Groups ➡️ SAML. The SAML settings form will open.

Metadata Upload

The selected Identity Provider (IdP) should provide an XML file (usually referred to as “Identity Provider metadata”) to download. When this file is available, drop or click to upload the identity provider's XML file. In order to successfully upload the file, ensure that the file is a valid XML document and that the file's extension is ".XML".

Once a valid file has been uploaded, click “Save” and a variety of new fields will appear. The first field will be a single sign-on URL for a particular company. Any user that follows this link will be logged into the OneCloud platform, provided they are configured to use SSO.

Below is a sample of the fields that will appear after a valid IdP file is uploaded.

Configure the IdP

The fields in the OneCloud service provider details section are used to configure a particular IdP to interact with the OneCloud platform and log a user in successfully. By default, OneCloud supports both service provider-initiated login and identity provider-initiated login, so there should not be any additional configuration required to allow for both types of login.

📓 Provider-specific documentation

Please see the identity provider-specific instructions above for additional provider-specific documentation.

Configuring Users in OneCloud to Use SSO

SSO is not enabled by default for existing users, so each user will need to be edited in the admin panel to ensure they are bound to log in via SSO. Once a user is set to log in via SSO, they can no longer access the application with a username and password. For this reason, it is highly recommended to provision at least one admin user without SSO to ensure that provider outages do not impact your ability to access the OneCloud platform.

  • Enable or disable a user’s ability to use single sign-on by toggling the checkbox.

    • If a change is made, a warning message will appear to confirm the change and that the user will have to change their password if SSO is disabled.

  • Click “Save” to confirm the changes.

📓 You must be an admin user in order to perform this function.

Configure a User to Log In via SSO

To configure a user to log in via SSO, navigate to:

Applications ➡️ Admin ➡️ Users & Groups ➡️ Users

  • Locate the user to enable SSO for.

  • Click on the edit button on the right side of said user.

  • Enable or disable a user’s ability to use single sign-on by toggling the checkbox.

    • If a change is made, a warning message will appear, notifying that the user will have to change their password if SSO is disabled.

  • Click “Save” to confirm the changes.

  • When the change is made, users are notified individually via email.

📓 SSO is Enabled?

If SSO is enabled, the user will not be able to log in with their old password.

Login Confirmation

Users should now be able to log in with SSO after the change is made. As mentioned above, the login can now happen in one of three ways:

  • The login can be initiated from your IdP’s portal;

  • By visiting the link provided in the admin section; or

    • Once the SSO provider has been configured, any new users will have SSO enabled by default, although it can be toggled on or off on the invite form.

  • Visiting and providing your tenant name and email address.
