---
title: "SAML SSO with OneLogin"
slug: "saml-sso-with-onelogin"
description: "Configure Single Sign-On in Document360 with OneLogin using SAML. Follow our step-by-step guide for seamless integration and enhanced security."
updated: 2026-03-28T09:30:03Z
published: 2026-03-28T09:30:03Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://docs.document360.com/llms.txt
> Use this file to discover all available pages before exploring further.

# SAML SSO with OneLogin

This guide will walk you through the steps to configure Single Sign-On (SSO) in Document360 using OneLogin as the Identity Provider (IdP) based on the SCIM SAML protocol. Access to a OneLogin account is required. Please note that only users with **Owner** or **Admin**as **Project role** can configure SSO in Document360.

> [!TIP]
> ** PRO TIP
> 
> It is recommended to open **Document360**and **OneLogin**in two separate tabs/browser windows, since configuring SSO in Document360 will require you to switch between Okta and Document360 multiple times.

## Create SSO in Document360

To create SSO and configure SAML SCIM in Document360 with OneLogin,

1. Go to Document360 and navigate to **Settings**>**Users & permissions**> **SSO Configuration** in Document360.
2. Click the **Create SSO** button to create a new SSO.

![SCIM parent demo interface showing SSO configuration and user permissions settings.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/create sso(1).png)

1. Select **OneLogin**as your identity provider in the **Choose your Identity Provider (IdP)** page.

![Select your Identity Provider for SSO configuration, highlighting OneLogin option.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/okta eu(3).png)

## Adding an Application in OneLogin

To add a SCIM with SAML provisioned app in OneLogin,

1. Log in to your OneLogin Admin Portal using your credentials.
2. On the top menu, select **Applications**.
3. Click **Add App**.

![OneLogin applications page showing options to add an app and download JSON.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/add app.png)

1. In the search bar, type **SCIM** and select **SCIM Provisioner with SAML (SCIM v2 Enterprise, SCIM2 PATCH for Groups)** from the list and click **Save**.

#### Download X.509 Certificate

To download the certificate needed to configure Document360 with OneLogin,

- Navigate to **SSO** tab in OneLogin and select**View Details** to download the certificate.

![Configuration settings for SAML2.0 with highlighted SSO and View Details options.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/view details(1).png)

> [!NOTE]
> ******NOTE
> 
> This downloaded certificate will be needed later when configuring Document360 with OneLogin IdP.

### Configure the Service Provider (SP)

To configure the Service Provider in Document360,

1. Go to**Configure Service Provider (SP)** page in Document360, and copy the parameters needed to configure with OneLogin.

![Configuration settings for OneLogin service provider with highlighted callback paths.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/sp(3).png)

1. Go to OneLogin and navigate to **Configuration**tab, and enter the parameters from Document360 to OneLogin as shown below.

| OneLogin | Document360 |
| --- | --- |
| SAML Audience URL | Service provider entity id |
| SAML Consumer URL | Callback path |

![Configuration settings for SCIM Provisioner with SAML, including audience and consumer URLs.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/configuration(1).png)

### Configure the Identity Provider

To configure Document360 with OneLogin,

1. In OneLogin, navigate to **SSO**tab and copy these parameters to enter in Document360.

![Configuration settings for SCIM Provisioner with SAML, including issuer and endpoint URLs.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/configure idp(1).png)

1. Go to Document360 and click **Next**to go to **Configure the Identity Provider (IdP)** page.
2. In****the**Configure an existing connection** field, you can inherit from an already created SSO configuration that has SCIM enabled in the parent project. By selecting and inheriting this connection, the current SSO configuration will be set as the child inherited SSO configuration and will automatically inherit the SCIM configuration from the parent.

> [!NOTE]
> ******NOTE
> 
> For more information on Inheritance, go to[Inherit from another application](/help/docs/saml-sso-with-onelogin#inherit-from-another-application)

1. Enter the parameters from OneLogin to Document360 based on the table below.

| OneLogin | Document360 |
| --- | --- |
| Issuer URL | Entity id |
| SAML 2.0 Endpoint (HTTP) | Sign on URL |
| SAML certificate | X.509 certificate |

1. Next, attach the previously downloaded **X.509** certificate in the **SAML certificate**field on Document360.
2. Turn on/off the **Allow IdP initiated sign in** toggle as per your project requirements.

![Configuration settings for Single Sign-On with highlighted URLs and options.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/attach cert(2).png)

1. Click Next to navigate to**SCIM provisioning**page.

### Provision SCIM in Document360 with OneLogin

If SCIM provisioning is required,

1. Turn on the **Enable SCIM provisioning** toggle.

![Settings for enabling SCIM provisioning in OneLogin configuration interface.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/turn on SCIM.png)

1. A confirmation dialog will appear outlining the terms for enabling SCIM. Review the terms, select the checkbox, and click **Agree**.
2. The parameters required to complete the SCIM configuration in OneLogin will then be displayed.

![Configuration settings for SCIM provisioning in OneLogin with highlighted tokens and URL.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/scim base url.png)

#### Navigate to OneLogin to complete SCIM provisioning

1. Go to OneLogin, and navigate to **Configuration**tab.
2. Scroll down to the **API Connection**section, and enter the fields from Document360 to OneLogin as shown below.

| Document360 | OneLogin |
| --- | --- |
| SCIM Base URL | SCIM Base URL |
| Primary secret token | SCIM Bearer Token |

![Configuration settings for SCIM Provisioner with SAML in OneLogin interface.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/token.png)

1. Once entered, click **Enable**to enable SCIM provisioning in OneLogin.
2. Then click **Save**, to successfully create SAML application with SCIM enabled.

![Configuration settings for SCIM Provisioner with options to enable API connection.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/enable.png)

#### Enable SCIM provisioning in OneLogin

In OneLogin, go to **Provisioning**tab and select the**Enable provisioning** checkbox, and click **Save**.

![OneLogin provisioning settings with options to enable and manage user actions.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/enable workflow.png)

SCIM provisioner with SAML application has been successfully created.

> [!NOTE]
> ******NOTE
> 
> As shown on the provisioning page, you can manage users by performing the following actions:
> 
> - Create user
> - Delete user
> - Update user
> 
> You can also customize these actions further by using the available dropdown options.

#### Assign default role

To assign default role, and add User and Reader groups,

1. Navigate back to Document360, and in the **Default role** field, the role is set to **Contributor**by default. You can change this from the dropdown if needed.
2. In the **User groups** and**Reader groups** fields, select the groups you want to add. Multiple groups can be added, and they will inherit the default role you selected earlier.

![Configuration settings for SCIM provisioning with highlighted tokens and roles.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/enable group sync(4).png)

1. Click **Next**to navigate to **More settings.**

### More Settings

In the **More settings** page, configure the following:

- **SSO name**: Enter a name for the SSO configuration.
- **Customize login button**: Enter the text for the login button displayed to users.
- **Auto assign reader group**: This option is only available for existing SSO configurations. For newly created SSO configurations, the Auto assign reader group toggle will not be displayed as SCIM automatically provisions users and groups.
- **Sign out idle SSO user**: Toggle on/off based on your requirements.
- Choose whether to invite**All users** or **Selected users only** to SSO by selecting the radio buttons.

![Settings for creating a new SSO with options for users and customization.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/more settings(2).png)

Click **Create** to complete the SSO configuration.

SAML SSO with SCIM has been successfully set up. You can now manage users directly from your OneLogin IdP.

---

## Inherit from another application

When creating a new SSO configuration in Document360, you can inherit SCIM settings from an existing SSO connection. This approach simplifies the setup process, avoids repeating configuration steps, and helps administrators save time while ensuring consistency across integrations.

### Child Inherited SSO configuration

On the **Configure Identity Provider (IdP)** page, select the **Configure an existing connection** field and choose the parent SSO SCIM-enabled application you want to inherit from. Selecting this option will designate the current project as the child project, inheriting all relevant properties from the parent.

![Configuration settings for OneLogin SSO with selected WYSIWYG demo connection.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/inherit(3).png)

> [!NOTE]
> **** NOTE**
> 
> Once the SSO configuration is created, the SCIM provisioning settings will be inherited from the parent application and cannot be modified in the child application.

### Parent Inherited SSO Configuration

The parent application will display a list of all projects that have inherited its configuration. Any changes made to the parent application will automatically be reflected in the child application.

![SCIM provisioning settings in Okta with project details and configuration instructions displayed.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/parent.png)

- If SCIM is enabled in the parent project after child projects have already inherited it, the users and groups will be automatically provisioned to all child projects in the background.
- Enabling inheritance makes it easier to manage multiple SSO configurations with SCIM enabled, as all settings are controlled from one parent application. This saves time and reduces the effort required to manage each configuration individually.

---

## Managing Document360 with OneLogin

Once you have successfully provisioned and created the SAML application with SCIM in Document360 using OneLogin, you can manage users, readers, and groups directly from OneLogin, with all changes automatically reflected in Document360.

### Add User

To add users, follow the steps below.

1. In the top menu, expand the **Users**dropdown****and select **Users**.
2. Click**New User**and enter the required user details and click **Save**.

![User management interface displaying user details and options for adding new users.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/users.png)

A new user is now successfully created.

#### Assign application to User

To assign the user to the application,

1. After creating the user, go to **Application**in the left menu.
2. Click the ‘**+**’ icon in the top-right corner to add an application.
3. Select the application with SCIM provisioned SAML enabled and click **Continue**.

![Assigning a new login to Yohan John with application selection options displayed.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/add app to user.png)

1. Enter the user’s email address in the **SCIM username**field, then click **Save**.

The user is now successfully assigned to the application.

#### Approve User status

To approve the user assigned to the application:

1. In the top menu, click **Applications**and select **Applications**.
2. Choose the SCIM-provisioned SAML application and open the **Users**tab.
3. Click the user’s status which is **Pending**, then select **Approve**in the confirmation dialog.

![User provisioning status for Sophia Prince and Yohan John in the application interface.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/pending.png)

The user is now approved and successfully added to Document360.

### Verify in Document360

To verify the user is added successfully to Document360 from OneLogin IdP,

Go to Document360, and navigate to **Settings**> **Users & permissions**>**Readers & groups**.

![User management interface displaying reader accounts and their access details.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/readers and groups(1).png)

The created user is automatically added in Document360. The**SSO-SCIM** badge next to the user’s name depicts that the user has SCIM enabled.

> [!NOTE]
> ******NOTE
> 
> User attributes and group mapping are not supported in OneLogin, you can only manage readers. Therefore, users and groups cannot be added from OneLogin.

### Manage Users in Document360

When SCIM is enabled, editing a user's name or deleting a user directly in Document360 is disabled, as these actions must be managed through your IdP to keep both platforms in sync.

![Overview of reader management settings and user access in Document360 platform.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/badge(2).png)

However, you can still manage the user’s content access within Document360.

#### Manage content access

To manage content access for a reader,

1. Go to Document360, navigate to **Settings**> **Users & permissions** >**Readers & groups**.
2. Select the desired user and click**Manage content access**, and assign the **Content access**from the dropdown.
3. Once assigned, click **Update**.

![Editing reader account settings, including content access and associated groups options.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/manage content access.png)

Content access is now assigned to the User successfully.

### Delete User

To delete user from OneLogin,

1. In the top menu, click **Users**and select the user you want to delete.
2. Expand the**More Actions** dropdown and click **Delete**.

![User management interface showing Yohan John's details and delete action option.](https://cdn.document360.io/860f9f88-412e-4570-8222-d5bf2f4b7dd1/Images/Documentation/delete(2).png)

1. In the confirmation dialog, click **Delete**again.

The user is successfully deleted and would no longer appear in OneLogin.

> [!NOTE]
> ******NOTE
> 
> When you delete a user in OneLogin, the user will not be removed from Document360. Instead, the status of the user will change from Active to Inactive.