Onelogin allows you to provide secure identity management and single sign-on to any application, whether in the cloud, on-premises or on a mobile device for your employees, partners and customers with Onelogin.

With Sapling’s integration with Onelogin, you can:

  • Launch Sapling from Onelogin's single sign-on (SSO) portal
  • Sign into Sapling using Onelogin credentials / authentication
  • Automatically provision new hire accounts in Onelogin 

This guide provides a walkthrough on how Sapling Admins can enable the Onelogin integration and is split into two sections:

Setting up Onelogin for Auth Services Only (steps #1 - #3) and setting up Onelogin for Auth + Provisioning Services (step #4).

#1. Add Sapling to Onelogin

Login to Onelogin and go to the "Apps" tab. Then select "Add App."

Search for "Sapling" and click "Add."

#2. Configure your company’s domain

Confirm the display name and icon for the Sapling app. Then be sure to select the "SAML2.0" connector. Then click "Save" in the top right corner.

Once you have successfully added the Sapling app, you will need to specify other details before the integration is complete. Go to the "Configuration" tab and enter your Sapling subdomain.*

The Subdomain is the first part of your Sapling URL. So, if my login URL is "", then my subdomain would simply be "mycompany."

Once you fill in your Subdomain, click "Save."

Next, select the "Parameters" tab and ensure that the credentials are configured by the admin and that the mappings are as follows:

  • E-Mail = Email
  • First Name = First Name
  • Last Name = Last Name
  • Username = Email

Navigate to the "SSO" tab and copy the following information for insertion into Sapling:

  • X.509 Certificate (View Details)
  • SAML 2.0 Endpoint (HTTP)

#3. Completing the set-up in Sapling

In a separate window, login to Sapling. Navigate to Admin>Integrations and click on "SAML".

Enter the SAML information into Sapling by pasting the SSO Login URL (SAML 2.0 Endpoint (HTTP)) and the x.509 Certificate information from OneLogin.

#4. Enabling Auto-Provisioning (optional)

Sapling can also provision the new hires Onelogin account.

The workflow with this is:

  1. New Hire data imported into Sapling
  2. People Operations starts the new hire onboarding in Sapling
  3. Sapling provisions the initial account in Onelogin (sends attributes to Onelogin)
  4. IT sets-up up all connected systems of new hire accounts (including gsuite, slack, jira/confluence, etc)
  5. IT triggers email invitation to new hire for Onelogin

The new hire account is set-up by Sapling with the following attributes:

  • First Name
  • Last Name
  • Personal Email
  • Company Email
  • Department
  • Location
  • Manager

To set-up provisioning, you will need to enter the following fields into Sapling and enable provisioning.

  • Client Secret
  • Client ID
  • Region

This information is available in Onelogin under the API Credentials.


Create a new API Key with the any name (i.e. Sapling HR) and provide access to Manage Users.

You will then be granted the Client Secret and Client ID to be added to Sapling.

#5. Sending Employee Data changes to Onelogin (optional)

Lastly, Sapling can also keep employee data in Onelogin with sending data changes in Sapling to Onelogin.

The attributes that can be kept in Sync between Sapling + Onelogin are:

  1. First Name
  2. Last Name
  3. Start Date
  4. Mobile Phone
  5. Personal Email
  6. Company Email
  7. Employee Type
  8. Title
  9. Manager Name
  10. Department
  11. Location

Several customers of Sapling build custom rules in Onelogin based on Departments or Job Titles to grant access to relevant application - only the apps that are pertinent to a specific role. For example, if an employee moved from sales to marketing, the update in Sapling would notify Onelogin that would then update the relevant applications.

Did this answer your question?