Skip to main content

Whether you’re looking for quick answers or in-depth guidance, our resources are here to assist you effectively.

SSO / SCIM with OneLogin: Setup Guide

Welcome to the guide for setting up SSO and SCIM with OneLogin (SAML or OIDC based) for your SiftHub account.

Why SSO? 

Single Sign-On (SSO) integration allows your team to access SiftHub using their existing OneLogin credentials, eliminating the need for separate logins while ensuring secure access. This provides centralized authentication and enhanced security for your organization.

Why SCIM? 

SCIM (System for Cross-domain Identity Management) automates user provisioning and management in SiftHub directly from your OneLogin dashboard. This means when you add, deactivate or update users in OneLogin, their SiftHub access is automatically managed, saving significant IT administration time.

Are both necessary? 

While you can implement SSO without SCIM, we recommend using both for complete user lifecycle management. Here's what happens with SSO alone:

  • Users can log in to SiftHub using OneLogin credentials
  • BUT new users still need to be manually created in SiftHub as well as provisioned to access SiftHub in OneLogin
  • When employees leave, their SiftHub accounts need manual deactivation

Using both SSO and SCIM automates the entire user lifecycle, from creation through updation to deletion, making it the recommended setup for enterprises.

This guide will walk through step by step instructions of how to set up SSO/SCIM using OneLogin for your SiftHub account.

Prerequisites 

Before starting the setup, ensure you have:

  • Administrator access to your OneLogin account
  • Access to the "Security" > "Authentication" section in the "Settings" panel of the SiftHub Account. 

(This is usually visible to users having the 'Account Owner' and 'Security Admin' roles in SiftHub. If the Account Owner has administrator access in OneLogin, they are equipped with the requisite permissions to complete the process. Otherwise, add the OneLogin administrator of your organization as a user in SiftHub with the Security Admin role. This user can be removed from SiftHub subsequently if you prefer so as to not consume an account license.)

  • Valid login credentials (email and password) for SiftHub. (These will be deprecated once SSO with OneLogin is set up)

This guide will walk through step-by-step instructions of how to set up SSO/SCIM using OneLogin for your SiftHub account.

Step 1: Set Up SSO with OneLogin

SSO connects SiftHub to OneLogin for seamless, secure logins. Follow these steps:

  1. Log In to OneLogin
     Open the OneLogin Admin Portal at yourcompany.onelogin.com (replace "yourcompany" with your organization’s subdomain) and sign in as an admin.

    Locate Applications

  2. Add SiftHub as an App
    • Go to Applications > Applications.
    • Click Add App in the top-right corner.
    • Search for “SAML” and select SAML Custom Connector (Advanced).

      Select SAML Custom Connector from drop down (GIF)

  3. Name Your App
    • In the Info tab, enter a name like “SiftHub SSO” in the Name field.
    • (Optional: Add a description or logo under Visible in portal if you want it to show in the user portal.)
    • Click Save.
      Click on Save

  4. Get SiftHub Details
    • Log in to SiftHub as an Account Owner or Security Admin.
    • Go to Settings > Security > Authentication, then click Set up SSO.
    • Copy the Service Provider Details (e.g., ACS URL and Entity ID) displayed on this page.

      Copy ACS (Consumer) URL on SSO Configuration Portal

  5. Configure SAML in OneLogin
    • Back in OneLogin, go to the Configuration tab of your new app.
    • Paste the ACS URL from SiftHub into SAML Consumer URL.
    • Paste the Entity ID from SiftHub into SAML Audience.
    • Leave other fields as default unless specified by your team.
    • Click Save.

      Paste it in Recipient, ACS URL Validator, and ACS(Consumer) URL fields on OneLogin Admin Portal

  6. Set Up User Attributes
    • Go to the Parameters tab.
    • Click + to add custom attributes and configure:
      • Name: email | Value: Email
      • Name: firstName | Value: First Name
      • Name: lastName | Value: Last Name
    • Check Include in SAML assertion for each, then click Save.

      Locate Parameters tab

  7. Download OneLogin Metadata
    • Go to the SSO tab.
    • Under SAML 2.0 Endpoint (HTTP), copy the Issuer URL (e.g., https://yourcompany.onelogin.com/saml/metadata/123456).
    • Alternatively, click More Actions > SAML Metadata to download the XML file.

      Copy Issuer URL on OneLogin Admin Portal

  8. Finish SSO in SiftHub
    • Return to SiftHub’s Settings > Security > Set up SSO.
    • Under Identity Provider Configuration, select Configure using Metadata URL.
    • Paste the Issuer URL from OneLogin or upload the downloaded XML file.
    • Click Update.

      Paste Issuer URL on SSO Configuration Portal

  9. Assign Users
    • In OneLogin, go to the Applications > Applications page and select your SiftHub app.
    • Click the Access tab.
    • Assign a role (e.g., “SiftHub Users”) and add team members who need access.
    • Click Save.

      Select user to assign

      Save user assignment to application

      Test SSO Configuration

Step 2: Set Up SCIM with OneLogin

SCIM keeps your SiftHub user list in sync with OneLogin. Here’s how to set it up:

  1. Start in SiftHub
    • Log in as an Account Owner or Security Admin.
    • Go to Settings > Security > Authentication, then click Set up SCIM.
    • Under Directory Details, copy the Endpoint URL and Bearer Token.

      OneLogin directory sync setup: Endpoint URL and one-time visible bearer token provided

  2. Add SCIM App in OneLogin
    • In the OneLogin Admin Portal, go to Applications > Applications.
    • Click Add App, search for “SCIM”, and select SCIM Provisioner with SAML (SCIM v2.0).
    • Name it “SiftHub SCIM” and click Save.




  3. Configure SCIM in OneLogin
    • Go to the Configuration tab of your SCIM app.
    • Paste the Endpoint URL from SiftHub into SCIM Base URL.
    • Paste the Bearer Token into SCIM Bearer Token.
    • Click Enable under API Status, then Save.

      Configuring the portal settings for the application in OneLogin, including display name and icon options.

  4. Set Provisioning Options
    • Go to the Provisioning tab.
    • Check Enable provisioning.
    • Enable these options:
      • Create Users
      • Update User Attributes
      • Deactivate Users
    • Click Save.

      Setting up provisioning workflow for SCIM Provisioner with SAML in OneLogin, including options for user creation, deletion, and suspension actions.

  5. Map Attributes
    • Go to the Parameters tab.
    • Ensure these mappings exist (add them if missing):
      • email → Email
      • firstName → First Name
      • lastName → Last Name
    • Save your changes.

      Configuring a new mapping for group assignment in the Hero SaaS App using OneLogin.

  6. Assign Users and Groups
    • Go to the Access tab of your SCIM app.
    • Assign the “SiftHub Users” role (or create one) and add team members.
    • To sync groups:
      • Go to Users > Groups, create a group (e.g., “SiftHub Group”), assign it to the SCIM app, and add users.
      • In the Provisioning tab, approve any pending actions to push the group.

        Configuring field groups in OneLogin for SCIM provisioning, including SAML assertion and user provisioning options.

  7. Verify Sync
    • In SiftHub’s Admin Portal, check that users and groups from OneLogin are synced correctly.

      Directory sync status for Your Organization, showing linked groups and user count in OneLogin.

All Done!

Your team can now log in to SiftHub with their OneLogin credentials, and user updates will sync automatically. Need assistance? Contact SiftHub support!