Sapling - Onelogin Integration Guide

Introduction‍

Onelogin allows you to provide secure identity management and single sign-on to any application, whether in the cloud, on-premises, or on a mobile device for your employees, partners, and customers with Onelogin.

With Sapling’s integration with Onelogin, you can:

• Launch Sapling from Onelogin's single sign-on (SSO) portal

• Sign into Sapling using Onelogin credentials/authentication

• Automatically provision new hire accounts in Onelogin 

• Sending user data changes from Sapling to Onelogin

*Important to note: Currently Sapling does not support a Sapling <> Onelogin data sync for existing employee attributes. We can only sync data for new employees who have been onboarded via Sapling.

To work around this:

• Setup a custom report on field changes that you care about being updated in Onelogin, and have IT check in on that report to confirm changes in Sapling took effect in Onelogin

How it Works

Setting up the Integration

This guide provides a walkthrough on how Sapling Admins can enable the Onelogin integration and is split into two sections auth services and account provisioning.

Setting up Onelogin for Auth Services Only

Step#1. Add Sapling to Onelogin

1. Login to Onelogin and go to the Apps tab. Then select Add Apps.
2. Search for Sapling and click Add.

Step#2. Configure your company’s domain

1. Confirm the display name and icon for the Sapling app. Then be sure to select the SAML2.0 connector.
2. Click Save in the top right corner.
3. Once you have successfully added the Sapling app, you will need to specify other details before the integration is complete. Go to the Configuration tab and enter your Sapling subdomain. (So, if my login URL is https://mycompany.saplingapp.io, then my subdomain would simply be "mycompany.")
4. Once you fill in your Subdomain, click Save.
5. Next, select the Parameters tab and ensure that the credentials are configured by the admin and that the mappings are as follows:

• E-Mail = Email
• First Name = First Name
• Last Name = Last Name
• Username = Email

6. Navigate to the SSO tab and copy the following information for insertion into Sapling:

• X.509 Certificate (View Details)
• SAML 2.0 Endpoint (HTTP)

Step#3. Enabled the Integration in Sapling

1. Navigate to the Sapling → Integrations → Authentication
2. Located Onlogin and click on SAML.
3. Enter the SAML information into Sapling by pasting the SSO Login URL (SAML 2.0 Endpoint (HTTP)) and the x.509 certificate information from OneLogin.

Setting up Onelogin for Auth and Provisioning Services

Step#4. Enabling Auto-Provisioning (optional)

Sapling can also provision the new hire's Onelogin account. The workflow with this is:

1. New Hire data imported into Sapling
2. People Operations starts the new hire onboarding in Sapling
3. Sapling provisions the initial account in Onelogin (sends attributes to Onelogin)
4. IT sets-up up all connected systems of new hire accounts (including GSuite, Slack, Jira/confluence, etc)
5. IT triggers email invitation to new hire for Onelogin

The new hire account is set-up by Sapling with the following attributes:

To set-up provisioning, you will need to enter the following fields into Sapling and enable provisioning.

• Client Secret
• Client ID
• Region

This information is available in Onelogin under the API Credentials.

Create a new API Key with any name (i.e. Sapling HR) and provide access to Manage Users.

You will then be granted the Client Secret and Client ID to be added to Sapling.

Step#5. Sending Employee Data changes to Onelogin (optional)

Lastly, Sapling can also keep employee data in Onelogin by sending data changes in Sapling to Onelogin. The attributes that can be kept in Sync between Sapling and Onelogin are:

Please note several customers of Sapling build custom rules in Onelogin based on Departments or Job Titles to grant access to relevant applications - only the apps that are pertinent to a specific role. For example, if an employee moved from sales to marketing, the update in Sapling would notify Onelogin that would then update the relevant applications.