OneLogin SSO

Sign in to ComplianceScout with OneLogin over SAML 2.0.

SAML 2.0

Values to give OneLogin

Copy these from ComplianceScout → Settings → SSO when you create the connection. The exact, per-connection values are shown there.

SP Entity ID (Identifier / Audience): urn:guardstream:sp:<tenant_id>

Included in the SP metadata below. Most IdPs can import the metadata URL instead of typing this.

ACS URL (Reply URL / Assertion Consumer Service): https://<your-app-host>/sso/saml/callback/<connectionId>

SP metadata URL: https://<your-app-host>/sso/saml/metadata/<connectionId>

Contains the SP entity ID, ACS URL, and SP certificate. Import this into your IdP when it supports metadata import — it is the least error-prone path.

Required NameID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Configure your IdP to send the user's email address as the NameID. ComplianceScout rejects any other NameID format.

Configure OneLogin

Steps verified against the vendor documentation linked at the bottom of this page. Labels can change — that link is the source of truth.

  1. Sign in to the OneLogin Administration portal.

  2. Go to Applications → Applications → Add App.

  3. Search for SAML Custom Connector (Advanced) and select it. Set a Display Name and click Save.

  4. Open the Configuration tab. Set Audience (EntityID) = urn:guardstream:sp:<tenant_id>.

  5. Set Recipient, ACS (Consumer) URL, and ACS (Consumer) URL Validator to the ACS URL shown in ComplianceScout. The Validator is a regular expression — anchor it (e.g. ^https://…/<connectionId>$) and escape the dots.

  6. Set the SAML signature element to Assertion (ComplianceScout always requires the assertion signed); choose Both if your connection also requires the response signed.

  7. Set the SAML nameID format to Email so OneLogin sends the user's email as the NameID.

  8. Open the SSO tab to collect the IdP values: Issuer URL (IdP Entity ID), SAML 2.0 Endpoint (HTTP) (IdP SSO URL), and the X.509 Certificate (View Details → download the PEM).

  9. Assign users to the app and Save.

Values to enter in ComplianceScout

Back in Settings → SSO, paste these into the connection and save.

IdP Entity ID (Issuer URL): <issuer-url>

IdP SSO URL (SAML 2.0 Endpoint (HTTP)): <sso-endpoint>

IdP signing certificate (X.509 Certificate): the PEM downloaded from View Details

Role mapping (optional)

On the Parameters tab, add a parameter named groups (or roles), check Include in SAML assertion, and bind it to your OneLogin Roles/Groups attribute. Set ComplianceScout's role-mapping attribute to match.

MFA pass-through (optional)

OneLogin enforces MFA via policy. Whether it stamps a MultiFactor AuthnContextClassRef into the assertion is policy-dependent — verify against a real assertion before relying on "Trust IdP for MFA".
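
To inspect a captured assertion against the requirements on this page (email NameID, audience equal to the SP entity ID, recipient equal to the ACS URL, and whether an MFA context was actually stamped) before enabling "Trust IdP for MFA", here is an added example in Python; it is not ComplianceScout or OneLogin code. The tenant id, host, connection id and the sample assertion are constructed placeholders, and since the exact AuthnContextClassRef an IdP uses for MFA is policy-dependent the check only reports the value and looks for the "MultiFactor" substring described above.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed stand-ins for the per-connection values shown in Settings -> SSO.
SP_ENTITY_ID = "urn:guardstream:sp:tenant-placeholder"
ACS_URL = "https://app.example.invalid/sso/saml/callback/conn-placeholder"

# Constructed, unsigned sample assertion. Signature verification is the SP's job
# and is out of scope here; real assertions carry more elements than shown.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="{EMAIL_NAMEID}">alice@example.invalid</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{ACS_URL}"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement>
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def check_assertion(xml_text, sp_entity_id, acs_url):
    """Return pass/fail results for the settings this page asks you to verify."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    recipient = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    audiences = [a.text for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    ctx = root.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    class_ref = ctx.text if ctx is not None else ""
    return {
        # ComplianceScout rejects any NameID format other than emailAddress.
        "nameid_is_email": name_id is not None and name_id.get("Format") == EMAIL_NAMEID,
        # Audience must equal the SP entity ID so an assertion issued for another SP is not accepted.
        "audience_matches": sp_entity_id in audiences,
        # Recipient must equal the ACS URL entered in OneLogin's three ACS fields.
        "recipient_matches": recipient is not None and recipient.get("Recipient") == acs_url,
        # Whether the IdP stamped a MultiFactor context is policy-dependent: report it, never assume it.
        "mfa_context_present": "multifactor" in class_ref.lower(),
        "authn_context": class_ref,
    }
```

Run check_assertion on an assertion captured from a test sign-in (for example one decoded from the browser's SAML trace) with your connection's own SP entity ID and ACS URL; any False entry points at the OneLogin field to fix.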

Things to watch for

  • ComplianceScout always requires the assertion to be signed (this is not optional). You can additionally require the SAML response to be signed and/or the assertion to be encrypted to the SP certificate — toggle those per connection in Settings → SSO.
  • Three fields take the ACS URL (Recipient, ACS URL, ACS URL Validator) — fill all three; the Validator is a regex.
  • Save the app once before the SSO tab's Issuer/Endpoint/Certificate values are populated.

Ready to turn on OneLogin SSO?

Configure the connection in Settings → SSO, then test sign-in before rolling it out to your team.