# OneLogin Configuration

FSProtect can be integrated with the OneLogin system to simplify authentication. The following configurations must be completed for integration:

## SAML Connection Configuration

The OneLogin administrator dashboard must be accessed. Under **Applications → Applications**, the **Add App** option must be selected.

<figure><img src="/files/sLulsL8kVbsfEtwZQCn6" alt="New Application Page"><figcaption><p>New Application Page</p></figcaption></figure>

In the **Find applications** box, *SAML Custom Connector (Advanced)* must be searched for and selected. A display name must be provided, and the configuration saved.

After saving, the **Configuration** tab of the new app must be opened. A SAML connection must be configured in OneLogin with the following parameters:

* **ACS URL**: Copied from FSProtect after SSO settings are saved. The value must exactly match FSProtect’s ACS URL.
* **ACS (Consumer) URL Validator**: The same value as the ACS URL.

<figure><img src="/files/NsZjz8u2hccdndm7F9hT" alt="Application Configuration Page"><figcaption><p>Application Configuration Page</p></figcaption></figure>

In the top-right **More Actions** dropdown, **SAML Metadata** must be selected to download the XML file. The file must be saved and uploaded to FSProtect, where it will be parsed to pull in OneLogin’s endpoints and certificates.

## Role and Username Mapping Settings

In OneLogin’s **Parameters** tab, the following assertion attributes must be added so FSProtect can read them:

**Username Attribute Key**

* Name: `username`
* SAML Field Name: Exactly the value entered in FSProtect’s Username Attribute Key field (e.g., `username`)
* Include in SAML Assertion: Checked

<figure><img src="/files/RWpD94NfPaVvc1sGZlzL" alt="Username Attribute Configuration Page"><figcaption><p>Username Attribute Configuration Page</p></figcaption></figure>

**Role Attribute Key**

* Name: `role`
* SAML Field Name: Exactly the value entered in FSProtect’s Role Attribute Key field (e.g., `role`)
* Include in SAML Assertion: Checked

<figure><img src="/files/nh42RGQtVBFE7G7eKDDG" alt="Role Attribute Configuration Page"><figcaption><p>Role Attribute Configuration Page</p></figcaption></figure>

Once the OneLogin app configuration has been saved:

1. The IdP Metadata XML must be downloaded from the **OneLogin SSO → View Details** panel.
2. In FSProtect’s **New Provider** screen, the XML must be uploaded via the **XML Upload Field**.
3. The configuration must be saved in FSProtect.
4. OneLogin users or groups must then be assigned to the app.

After these steps, FSProtect SSO Login will function with correct username and role mappings.

