Sapling - OneLogin Integration Guide

Introduction‍

The Kallidus Sapling platform helps HR and People Operations teams automate and streamline administrative tasks so they can focus on employee experience,  retention, and creating an amazing culture for the most successful teams.

With our OneLogin integration, you can:

• Launch Sapling from OneLogin's single sign-on (SSO) portal

• Sign into Sapling using OneLogin credentials/authentication

• Automatically provision new hire accounts in OneLogin 

• Sending user data changes from Sapling to OneLogin

• Link Sapling users to their existing profiles in OneLogin

How it Works

Setting Up OneLogin SSO

Step#1. Add Sapling to OneLogin

1. Login to OneLogin and go to the Apps tab. Then select Add Apps.
2. Search for Sapling and click Add.

Step#2. Configure your company’s domain

1. Confirm the display name and icon for the Sapling app. Then be sure to select the SAML2.0 connector.
2. Click Save in the top right corner.
3. Once you have successfully added the Sapling app, you will need to specify other details before the integration is complete. Go to the Configuration tab and enter your Sapling subdomain. (So, if my login URL is https://mycompany.saplingapp.io, then my subdomain would simply be "mycompany.")
4. Once you fill in your Subdomain, click Save.
5. Next, select the Parameters tab and ensure that the credentials are configured by the admin and that the mappings are as follows:
   • E-Mail = Email
   • First Name = First Name
   • Last Name = Last Name
   • Username = Email
6. Navigate to the SSO tab and copy the following information for insertion into Sapling:
   • X.509 Certificate (View Details)
   • SAML 2.0 Endpoint (HTTP)

Step#3. Enable the OneLogin integration in Sapling

1. Under Administration Tools, navigate to Integrations and enable the OneLogin integration
2. Paste your OneLogin IdP provider SSO URL (SAML 2.0 Endpoint (HTTP)) and SAML Certificate (X.509 certificate) - you can leave the SAML metadata endpoint field empty
3. Once completed, click "Next" and "Activate" to complete the OneLogin SSO integration

Setting Up OneLogin Auto-Provisioning and User Updates

Sapling can also provision Onelogin accounts for your new hires and sync subsequent use updates from Sapling to OneLogin. The workflow with this is:

1. New Hire data imported into Sapling
2. People Operations starts the new hire onboarding in Sapling
3. Sapling provisions the initial account in Onelogin (sends attributes to Onelogin)
4. IT sets-up up all connected systems of new hire accounts (including GSuite, Slack, Jira/confluence, etc)
5. IT triggers email invitation to new hire for Onelogin
6. Subsequent user updates made in Sapling will sync to OneLogin going forward
7. IT can use the subsequent user updates to drive subsequent automations in OneLogin

When auto-provisioning accounts, the following fields are synced from Sapling to OneLogin:

To set-up auto-provisioning and user updates, you will need to retrieve fields the following details from OneLogin:

• Client Secret
• Client ID
• Region

This information is available in OneLogin under Developers > API Credentials.

Create a new API Key with any name (i.e. Sapling) and provide access to manage users.

You will then be provided with your Client ID and Client Secret.

Paste your OneLogin client ID and client secret into Sapling, and specify your region. Then, enable the the sliders for auto-provisioning and user updates accordingly. 

Once completed, click "Next" and "Activate" to complete the OneLogin auto-provisioning and user updates integration.