OneLogin SAML integration

Log into the Acceptto Dashboard with an administrative account and go to Applications.

Create a new application by selecting the Create New Application.

In the New Application form, enter the following values under the General tab.

Under the SAML Service Provider Configuration tab, enter the following values:

Click on the Add New Attribute Assertion button and create the three attributes as shown in the table below. These are mandatory if you want to enable the Just-in-time provisioning feature on OneLogin.

Click Save to create the Application.

Download your SAML IdP X509 certificate. Go to https://sso.acceptto.com/[organization identifier]/saml/download/cert to download the cert.pem file containing your certificate.

Download your SAML metadata file. Go to https://sso.acceptto.com/[organization identifier]/saml/download/metadata to download your metadata file.

Go to Authentication > Trusted IdPs and select New Trust.

Click on the gray area under the Trusted IdPs and provide a name for the Trusted IdP configuration.

Scroll down and paste the content of the Acceptto certificate you downloaded earlier in the Trusted IdP Certificate section.

Scroll up and check Enable Trusted IDP in the Enable/Disable field.

If you wish to represent this Trusted IdP as an authentication option on the tenant’s login page via an icon, go to Login Options and check the Show in Login panel. Provide a URL to a suitable icon.

In the Configurations section, enter the EntityID of your Acceptto tenant (find it in the metadata file you downloaded earlier) in the Issuer field.

The Email Domains field is used to automatically invoke this Trusted IdP when a user enters their email address at login time.

Check Sign users into OneLogin. This allows inbound identities from the Acceptto to be matched to local user accounts within the OneLogin tenant, via responses to the /access/idp endpoint.

In the User Attribute section, select Email for the User Attribute Mapping.

In the Protocol section, select SAML.

In the SAML Configurations section, enter the SingleSignOnService URL of your Acceptto tenant in the IdP Login URL field and the SingleLogoutService URL of your Acceptto tenant in the IdP Logout URL field (find them in the metadata file you downloaded earlier).

The SP Entity ID is a dynamically-generated, read-only value that must be registered at Acceptto for use as the Issuer or Entity ID.

If you want to create/update user accounts seamlessly at the time of login, based on attributes received from Acceptto, go to the JIT tab.

In the Just-in-time provisioning section, check the Enable box. If you want the user record to reflect the Trusted IdP that was used in account creation, check the box to Set User TIDP after user creation.

In the Attribute mappings section, create mappings as the image below based on the attribute assertions you created earlier in the previous section. Make sure to use the {tidp.value} format. Click the checkbox for Required if you want to require that attribute. Click the checkbox for Updateable if you want to update the user record with new information when it comes in from Acceptto.

Click Save.

You can make Acceptto the default IdP through the “Set as default Trusted IdP” option in your newly created Trusted IP section.

Go to your OneLogin URL through a browser and enter your username.

You will be redirected to the Acceptto SSO page.

After successful authentication, you’ll see the Acceptto MFA options. Select your desired method. Next, approve the authentication request on your It'sMe mobile app.

Finally, you will be redirected to your OneLogin portal.