SAML SSO with OneLogin

  • Updated on Mar 28, 2026
  • 7 minute(s) read
Prev Next

Plans supporting this feature: Enterprise

This guide will walk you through the steps to configure Single Sign-On (SSO) in Document360 using OneLogin as the Identity Provider (IdP) based on the SCIM SAML protocol. Access to a OneLogin account is required. Please note that only users with Owner or Admin as Project role can configure SSO in Document360.

PRO TIP

It is recommended to open Document360 and OneLogin in two separate tabs/browser windows, since configuring SSO in Document360 will require you to switch between Okta and Document360 multiple times.

Create SSO in Document360

To create SSO and configure SAML SCIM in Document360 with OneLogin,

  1. Go to Document360 and navigate to Settings > Users & permissions > SSO Configuration in Document360.

  2. Click the Create SSO button to create a new SSO.

SCIM parent demo interface showing SSO configuration and user permissions settings.

  1. Select OneLogin as your identity provider in the Choose your Identity Provider (IdP) page.

Select your Identity Provider for SSO configuration, highlighting OneLogin option.

Adding an Application in OneLogin

To add a SCIM with SAML provisioned app in OneLogin,

  1. Log in to your OneLogin Admin Portal using your credentials.

  2. On the top menu, select Applications.

  3. Click Add App.

OneLogin applications page showing options to add an app and download JSON.

  1. In the search bar, type SCIM and select SCIM Provisioner with SAML (SCIM v2 Enterprise, SCIM2 PATCH for Groups) from the list and click Save.

Download X.509 Certificate

To download the certificate needed to configure Document360 with OneLogin,

  • Navigate to SSO tab in OneLogin and select View Details to download the certificate.

Configuration settings for SAML2.0 with highlighted SSO and View Details options.

 NOTE

This downloaded certificate will be needed later when configuring Document360 with OneLogin IdP.

Configure the Service Provider (SP)

To configure the Service Provider in Document360,

  1. Go to Configure Service Provider (SP) page in Document360, and copy the parameters needed to configure with OneLogin.

Configuration settings for OneLogin service provider with highlighted callback paths.

  1. Go to OneLogin and navigate to Configuration tab, and enter the parameters from Document360 to OneLogin as shown below.

OneLogin

Document360

SAML Audience URL

Service provider entity id

SAML Consumer URL

Callback path

Configuration settings for SCIM Provisioner with SAML, including audience and consumer URLs.

Configure the Identity Provider

To configure Document360 with OneLogin,

  1. In OneLogin, navigate to SSO tab and copy these parameters to enter in Document360.

Configuration settings for SCIM Provisioner with SAML, including issuer and endpoint URLs.

  1. Go to Document360 and click Next to go to Configure the Identity Provider (IdP) page.

  2. In the Configure an existing connection field, you can inherit from an already created SSO configuration that has SCIM enabled in the parent project. By selecting and inheriting this connection, the current SSO configuration will be set as the child inherited SSO configuration and will automatically inherit the SCIM configuration from the parent.

 NOTE

For more information on Inheritance, go to Inherit from another application

  1. Enter the parameters from OneLogin to Document360 based on the table below.

OneLogin

Document360

Issuer URL

Entity id

SAML 2.0 Endpoint (HTTP)

Sign on URL

SAML certificate

X.509 certificate

  1. Next, attach the previously downloaded X.509 certificate in the SAML certificate field on Document360.

  2. Turn on/off the Allow IdP initiated sign in toggle as per your project requirements.

Configuration settings for Single Sign-On with highlighted URLs and options.

  1. Click Next to navigate to SCIM provisioning page.

Provision SCIM in Document360 with OneLogin

If SCIM provisioning is required,

  1. Turn on the Enable SCIM provisioning toggle.

Settings for enabling SCIM provisioning in OneLogin configuration interface.

  1. A confirmation dialog will appear outlining the terms for enabling SCIM. Review the terms, select the checkbox, and click Agree.

  2. The parameters required to complete the SCIM configuration in OneLogin will then be displayed.

Configuration settings for SCIM provisioning in OneLogin with highlighted tokens and URL.

Navigate to OneLogin to complete SCIM provisioning

  1. Go to OneLogin, and navigate to Configuration tab.

  2. Scroll down to the API Connection section, and enter the fields from Document360 to OneLogin as shown below.

    Document360

    OneLogin

    SCIM Base URL

    SCIM Base URL

    Primary secret token

    SCIM Bearer Token

Configuration settings for SCIM Provisioner with SAML in OneLogin interface.

  1. Once entered, click Enable to enable SCIM provisioning in OneLogin.

  2. Then click Save, to successfully create SAML application with SCIM enabled.

Configuration settings for SCIM Provisioner with options to enable API connection.

Enable SCIM provisioning in OneLogin

In OneLogin, go to Provisioning tab and select the Enable provisioning checkbox, and click Save.

OneLogin provisioning settings with options to enable and manage user actions.

SCIM provisioner with SAML application has been successfully created.  

 NOTE

As shown on the provisioning page, you can manage users by performing the following actions:

  • Create user

  • Delete user

  • Update user

You can also customize these actions further by using the available dropdown options.

Assign default role

To assign default role, and add User and Reader groups,

  1. Navigate back to Document360, and in the Default role field, the role is set to Contributor by default. You can change this from the dropdown if needed.

  2. In the User groups and Reader groups fields, select the groups you want to add. Multiple groups can be added, and they will inherit the default role you selected earlier.

Configuration settings for SCIM provisioning with highlighted tokens and roles.

  1. Click Next to navigate to More settings.

More Settings

In the More settings page, configure the following:

  • SSO name: Enter a name for the SSO configuration.

  • Customize login button: Enter the text for the login button displayed to users.

  • Auto assign reader group: This option is only available for existing SSO configurations. For newly created SSO configurations, the Auto assign reader group toggle will not be displayed as SCIM automatically provisions users and groups.

  • Sign out idle SSO user: Toggle on/off based on your requirements.

  • Choose whether to invite All users or Selected users only to SSO by selecting the radio buttons.

Settings for creating a new SSO with options for users and customization.

Click Create to complete the SSO configuration.

SAML SSO with SCIM has been successfully set up. You can now manage users directly from your OneLogin IdP.

Inherit from another application

When creating a new SSO configuration in Document360, you can inherit SCIM settings from an existing SSO connection. This approach simplifies the setup process, avoids repeating configuration steps, and helps administrators save time while ensuring consistency across integrations.

Child Inherited SSO configuration

On the Configure Identity Provider (IdP) page, select the Configure an existing connection field and choose the parent SSO SCIM-enabled application you want to inherit from. Selecting this option will designate the current project as the child project, inheriting all relevant properties from the parent.

Configuration settings for OneLogin SSO with selected WYSIWYG demo connection.

 NOTE

Once the SSO configuration is created, the SCIM provisioning settings will be inherited from the parent application and cannot be modified in the child application.

Parent Inherited SSO Configuration

The parent application will display a list of all projects that have inherited its configuration. Any changes made to the parent application will automatically be reflected in the child application.

SCIM provisioning settings in Okta with project details and configuration instructions displayed.

  • If SCIM is enabled in the parent project after child projects have already inherited it, the users and groups will be automatically provisioned to all child projects in the background.

  • Enabling inheritance makes it easier to manage multiple SSO configurations with SCIM enabled, as all settings are controlled from one parent application. This saves time and reduces the effort required to manage each configuration individually.

Managing Document360 with OneLogin

Once you have successfully provisioned and created the SAML application with SCIM in Document360 using OneLogin, you can manage users, readers, and groups directly from OneLogin, with all changes automatically reflected in Document360.

Add User

To add users, follow the steps below.

  1. In the top menu, expand the Users dropdown and select Users.

  2. Click New User and enter the required user details and click Save.

User management interface displaying user details and options for adding new users.

A new user is now successfully created.

Assign application to User

To assign the user to the application,

  1. After creating the user, go to Application in the left menu.

  2. Click the ‘+’ icon in the top-right corner to add an application.

  3. Select the application with SCIM provisioned SAML enabled and click Continue.

Assigning a new login to Yohan John with application selection options displayed.

  1. Enter the user’s email address in the SCIM username field, then click Save.

The user is now successfully assigned to the application.

Approve User status

To approve the user assigned to the application:

  1. In the top menu, click Applications and select Applications.

  2. Choose the SCIM-provisioned SAML application and open the Users tab.

  3. Click the user’s status which is Pending, then select Approve in the confirmation dialog.

User provisioning status for Sophia Prince and Yohan John in the application interface.

The user is now approved and successfully added to Document360.

Verify in Document360

To verify the user is added successfully to Document360 from OneLogin IdP,

Go to Document360, and navigate to Settings > Users & permissions > Readers & groups.

User management interface displaying reader accounts and their access details.

The created user is automatically added in Document360. The SSO-SCIM badge next to the user’s name depicts that the user has SCIM enabled.

 NOTE

User attributes and group mapping are not supported in OneLogin, you can only manage readers. Therefore, users and groups cannot be added from OneLogin.

Manage Users in Document360

When SCIM is enabled, editing a user's name or deleting a user directly in Document360 is disabled, as these actions must be managed through your IdP to keep both platforms in sync.

Overview of reader management settings and user access in Document360 platform.

However, you can still manage the user’s content access within Document360.

Manage content access

To manage content access for a reader,

  1. Go to Document360, navigate to Settings > Users & permissions > Readers & groups.

  2. Select the desired user and click Manage content access, and assign the Content access from the dropdown.

  3. Once assigned, click Update.

Editing reader account settings, including content access and associated groups options.

Content access is now assigned to the User successfully.

Delete User

To delete user from OneLogin,

  1. In the top menu, click Users and select the user you want to delete.

  2. Expand the More Actions dropdown and click Delete.

User management interface showing Yohan John's details and delete action option.

  1. In the confirmation dialog, click Delete again.

The user is successfully deleted and would no longer appear in OneLogin.

 NOTE

When you delete a user in OneLogin, the user will not be removed from Document360. Instead, the status of the user will change from Active to Inactive.

Related articles