> ## Documentation Index
> Fetch the complete documentation index at: https://docs.firebolt.io/llms.txt
> Use this file to discover all available pages before exploring further.

<AgentInstructions>

## Submitting Feedback

If you encounter incorrect, outdated, or confusing documentation on this page, submit feedback:

POST https://docs.firebolt.io/feedback

```json
{
  "path": "/guides/security/sso/onelogin",
  "feedback": "Description of the issue"
}
```

Only submit feedback when you have something specific and actionable to report.

</AgentInstructions>

> Learn how to configure OneLogin as your identity provider to work with SSO authentication for Firebolt.

# OneLogin

OneLogin is a cloud-based identity and access management platform that simplifies secure access to applications through single sign-on (SSO). Integrating OneLogin with Firebolt enhances security and streamlines user authentication for your team.

To integrate OneLogin with Firebolt's platform, you need to configure both a [OneLogin application for Firebolt](#configure-onelogin-application) and [Firebolt's SSO for OneLogin](#configure-firebolt-for-onelogin). Detailed instructions can be found in the following sections:

## Configure OneLogin application

1. In OneLogin, open to the dashboard and select **Applications** and **Add App**.
2. Search for **SAML**, and select **SAML Test Connector (IdP w/attr)**.
3. Change the Display Name of the app and select **Save**. This will be the name of the app that will appear in your OneLogin portal.
4. Open the **SSO** tab and copy the value for the **SAML 2.0 Endpoint (HTTP)**. This value will later be used in the Firebolt Configuration step. Note that logout endpoint is not used at this time.
5. Select the **View Details** link at the X.509 Certificate field and copy/download the certificate.
6. Navigate to the **Configuration** tab and fill in the following values:
   * **Audience** - a URI in the following format: `urn:auth0:<tenant_name>:<org_name>-<provider>`, where `<tenant_name>` is app-firebolt-v2, `<org_name>` is the name of organization, and `<provider>` is the provider value set in Firebolt configuration step. **Example:** `urn:auth0:app-firebolt-v2:vsko2-onelogin`
   * **ACS (Consumer) URL Validator** - a valid regular expression. This field is used to ensure OneLogin posts the response to the correct URL, and it validates the ACS URL field.
   * **ACS (Consumer) URL** - the post-back URL for your organization. This is the URL in the following format: `https://idp.app.firebolt.io/login/callback?connection=<organization_name>-<provider>&organization=<organization_identifier>`. The organization\_identifier is needed to select the correct organization during redirects. The authentication flow will fail if this is incorrectly provided or left blank. **Example:** `https://idp.app.firebolt.io/login/callback?connection=vsko2-onelogin&organization=org_82u3nzTNQPA8RyoM`
     > **`<organization_name>`** represents the Organizational name used to create your Firebolt Account. The org name is referenced in your vanity URL.\
     > **`<provider>`** represents the provider we're configuring as our IdP.
     > **`<organization_identifier>`** is the unique identifier for your Organization. To retrieve your **`<organization_identifier>`**, you can navigate to **Configure > SSO** in the Firebolt UI, and **Click Copy organization SSO identifier**.

## Configure Firebolt for OneLogin

Once your OneLogin application is configured, you can now configure Firebolt to integrate with OneLogin. This can be done using the Firebolt UI, or with SQL.

### Integrate with OneLogin using the UI

1. To configure the Firebolt SSO integration with OneLogin using the UI, Navigate to **Configure > SSO** in Firebolt.

2. Enter the following information:

   * `signOnUrl`: The sign-on URL, provided by the SAML identity provider, to which Firebolt sends the SAML requests. The URL is IdP-specific and is determined by the identity provider during configuration. In Onelogin, this is the **SAML 2.0 Endpoint (HTTP)** value we copied in step 4.
   * `signoutUrl(optional)`: The sign-out URL, provided by the application owner, to be used when the user signs out of the application.\`\`\`
   * `issuer`: A unique value generated by the SAML identity provider specifying the issuer value.
   * `provider`: The provider's name - for example: `OneLogin`.
   * `label`: The label to use for the SSO login button. If not provided, the Provider field value is used.
   * `certificate`: The certificate to verify the communication between the identity provider and Firebolt. The certificate needs to be in PEM or CER format, and can be uploaded from your computer by choosing **Import certificate** or entered in the text box.
   * `field mapping`: Mapping to your identity provider's first and last name in key-value pairs. If additional fields are required, choose **Add another key-value pair**. Mapping is           required for Firebolt to fill in the login’s given and last names the first time the user logs in using SSO.

   Here’s an example of how to set up **Field mapping**:

   ```json theme={"theme":{"light":"github-light","dark":"github-dark"}}
   {
      "given_name": "name",
      "family_name": "surname"
   }
   ```

   In the previous example:

   * given\_name (first name) is mapped to the `name` field from the IdP.
   * family\_name (last name) is mapped to the `surname` field from the IdP.

3. Select **Update changes**.

### Integrate with IdP using SQL

To create your SSO connection in Firebolt, you can use the following SQL as an example:

```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
ALTER ORGANIZATION vsko SET SSO = '{
  "signOnUrl": "https://vsko-test.onelogin.com/trust/saml2/http-post/sso/aa",
  "issuer": "onelogin",
  "provider": "onelogin",
  "label": "OneLogin Company App",
  "fieldMapping": {
    "given_name": "name",
    "family_name": "surname"
  },
  "certificate": "<certificate>"
}';
```

where

* `organization_name` is the name of the organization in Firebolt,
* `signOnUrl` is the SAML 2.0 Endpoint (HTTP) value copied during OneLogin setup,
* `issuer` is the name of the issuer, 'onelogin' in this case,
* `provider` is the IdP name, ‘onelogin’ in this case,
* `label` is text that will appear on the **Sign in** form (this defaults to `<organization_name>-<provider>` if a value is not provided, for instance ‘acme-onelogin\`)
* `certificate` is the X.509 Certificate copied during OneLogin setup, and
* `field_mapping` includes additional fields to be mapped from the SAML assertion, based on what was configured during OneLogin setup. For exaxmple:

```json theme={"theme":{"light":"github-light","dark":"github-dark"}}
{
  "given_name": "name",
  "family_name": "surname"
}
```

This corresponds to the following setup in OneLogin, where name/surname in OneLogin corresponds to values in JSON:

<img src="https://mintcdn.com/firebolt/Hc-k8wiP5Rcc9bZ2/assets/images/onelogexample1.png?fit=max&auto=format&n=Hc-k8wiP5Rcc9bZ2&q=85&s=f1dca04991f2f6eddd92f86e89fe5700" alt="Edit first name" style={{"width": "500px"}} width="562" height="403" data-path="assets/images/onelogexample1.png" />