Sapling - OneLogin Integration Guide

Simplify User Sign-On

• Users can log directly into Sapling using OneLogin SSO, or they can launch Sapling from their OneLogin dashboard
• Users will be able to log in via OneLogin SSO or their OneLogin dashboard as long as their user emails in OneLogin and Sapling match

Create Users (optional)

• When a new hire is onboarded in Sapling, they will automatically be created in OneLogin with their personal information and job details before they are invited to Sapling

• If a new hire is invited to Sapling immediately after onboarding, then the new hire will be created in OneLogin immediately (before the invite is sent out)

• If a new hire is scheduled to be invited at a later date, then the new hire will be created in OneLogin at that later date (before the invite is sent out)

• Once created in OneLogin, your IT team can proceed with their usual access provisioning processes and send user credentials to the new hire accordingly

• Check out this article for more information on onboarding new hires in Sapling

• Check out the Supported Fields section for what fields are synced from Sapling to OneLogin for user creation

Update User Attributes (optional)

• When a user profile is updated in Sapling, the corresponding user profile will immediately be updated in OneLogin

• Check out the Supported Fields section for what fields are synced from Sapling to OneLogin for user updates

Link Users

• As long as the integration is enabled, a daily (overnight) sync will link existing Sapling users to corresponding OneLogin users based on Company Email (or Personal Email if no Company Email was provided)

• Check out the Before Enabling the Integration section to get the most of the initial user linking when the integration is first enabled

Sapling will only auto-create OneLogin accounts for new hires that are onboarded after the integration is enabled. 

As such, before enabling the integration you to need manually create OneLogin accounts for all your existing Sapling users (if they don't already have one). For a speedier solution, please reach out to OneLogin Support and ask if you're able to do so via bulk upload. 

Once the integration is enabled, existing Sapling users will be linked to corresponding OneLogin users via an overnight sync based on Company Email or Personal Email if no Company Email was provided. Once linked, user updates in Sapling will sync to OneLogin going forward (if enabled).

Part 1: Add the Sapling app in OneLogin to enable SSO functionality

1. From your home page, click the "Administration" button
2. Under your Administration page, navigate to Applications and click "Add App"
3. Under Find Applications, search for and select "Sapling"
4. Enter any descriptive name (optional) and upload any desired icons (also optional) for your app, and click "Save"
5. Under Configuration, enter your Sapling subdomain and click "Save"
6. Under SSO, copy the issuer URL and SAML 2.0 endpoint URL for Part 3 of the setup
7. Under X.509 Certificate, click "View Details" and copy the X.509 certificate for Part 3 of the setup

Part 2: Create API credentials in OneLogin to enable user provisioning and update functionalities (optional)

1. Under Developers, navigate to API Credentials
2. Under API Access, click "New Credential"
3. Enter any descriptive name for your integration and select "Manage Users"
4. Once completed, click "Save"
5. Copy the Client ID and Client Secret for Part 3 of the setup

Part 3: Enable the OneLogin integration and allow for SSO sign-ins in Sapling

1. Under Administration Tools, navigate to Integrations
2. Scroll down to find the OneLogin integration and enable the integration slider
3. Paste your OneLogin SAML 2.0 endpoint URL (Identity Provider SSO URL), X.509 certificate (SAML Certificate), issuer URL (SAML Metadata Endpoint), client secret, and client ID
4. Select your Region (EU or US)
5. If you'd like for new hires to be created and/or user attributes to be updated in OneLogin, enable the appropriate sliders below
6. Once completed, click "Next" and "Activate"
7. Under Administration Tools, navigate to Platform Settings
8. Under the SSO tab, allow for users to sign in using "Password and SSO" or "SSO only" and click "Save"

Part 4: Assign the Sapling app to users in OneLogin

1. Under Users, navigate to Users to assign the app individually or navigate to Roles to assign the app in bulk
2. Search for your desired users/roles and assign the app

Kallidus is continually expanding the number of fields that sync between Sapling and OneLogin.

• Supported fields for this integration

Please note that is not possible to exclude or custom map any of the supported fields above, or map any additional fields at this time. 

FAQs

• Will changing our company domain impact the integration?
  • For SSO, users will be able to log in as long their company emails in Sapling and OneLogin match up. If company emails in OneLogin are being updated to a new domain, they'll need to be updated in Sapling as well.
  • For user provisioning in OneLogin, simply use the updated domain in Sapling when specifying company emails for new hires going forward. If Default Email Format is enabled under Sapling Platform Settings, you'll need to update the domain name.
• Can two OneLogin instances for two different companies hook up to one Sapling instance?
  • Currently, we only support integrating with a single OneLogin instance
• Will offboarded users in Sapling have their OneLogin profiles de-provisioned?
  • Currently, we do not de-provision user accounts in OneLogin

Field Name Matching

• For the fields to sync correctly, the naming conventions must match between Sapling and OneLogin for both the fields names and field values (for dropdown fields)

SSO Only Logins

• If you configure your Sapling environment to use SSO logins only, please note that you'll need to ensure new hires have access to their OneLogin accounts prior to their start date - so they can use OneLogin to log into Sapling and complete any onboarding documents/tasks needed before starting
• Your onboarding/auto-provisioning process when using SSO logins only should be as follows:
  1. People team onboards the new hire in Sapling and schedules their Sapling invite
  2. The user is auto-provisioned in OneLogin prior to their Sapling invite being sent
  3. IT team assigns only the Sapling app to the user (for now) in OneLogin and sends their OneLogin credentials
  4. User accepts their OneLogin invite and sets up their OneLogin password
  5. User accepts their Sapling invite and sets up their Sapling password
     • This is a required but redundant step 
     • You can include a section in your Sapling invite to instruct users to wait for and set up their OneLogin accounts first
  6. User goes through their onboarding process in Sapling
     • If they log out or time out of their initial session (from the invite), they can log back in using OneLogin going forward
  7. On their start date, IT team assigns any remaining apps to the user in OneLogin
     • You can retrieve the user's start date via our Stage Started webhook (set to preboarding)

Want to build your own custom integration? Check out the publicly available resources below:

• Sapling API

• Sapling Webhooks

• OneLogin API