OneLogin SAML SSO

Learn how to create a OneLogin SAML 2.0 application for Doppler SSO.

Requirements

  • Workplace domain verified (Settings page).
  • OneLogin Developer Account.

1. Initial Doppler SAML SSO Configuration

Go to the Doppler dashboard and from the menu click Team, then select the Roles tab from the top menu. Choose the Default Roles for users who log in via SSO.

📘

The Workplace Role controls the initial permissions a user will receive when their account is created. We recommend keeping it at Collaborator access to follow the principle of least privilege. The Project Role is the role granted to a user when they're added to a project, so set this to the role most commonly used. Users with the Owner role can adjust these after the user has logged in once. If you scroll down further on the Roles page, you'll see a breakdown of what permissions each Role has.


After setting the Default Roles, we need to enable SAML SSO in Doppler to get access to the URLs needed to configure the third party SAML SSO application.

Select the SSO tab from the top menu and scroll down to the SAML Single Sign-On section. Click the Add SAML button.

Next, choose a verified domain from the dropdown menu and click Save.

The domain you selected should show up now in the Inactive state. Click on the three dot menu and choose the Edit option.

Copy the ACS URL and Entity ID URLs in the edit drawer that appears for use when configuring the third party SAML SSO application.

2. Create OneLogin Application

Click Applications from the top navigation menu, then click Add App.


Search for SAML Custom Connector (Advanced) then click on the selected app to begin the creation process.


Name the application Doppler and click Save.


Once the page reloads, click Configuration from the left menu and use the URLs from Step 1 above to make the following changes:

  • Copy the Entity ID from Doppler into the Audience (EntityID) field in OneLogin.
  • Copy the ACS URL from Doppler into the Recipient field in OneLogin.
  • Copy the ACS URL from Doppler into the ACS (Consumer) URL field in OneLogin.

Once the URLs have been populated (it's ok to leave the ACS (Consumer) URL Validator field blank), click Save and you'll be returned to the Info tab of the application.

Once the page reloads, click Configuration from the left menu and download the SAML metadata by clicking More Actions, then SAML Metadata.


Open the downloaded XML file and copy its contents which you'll use in the next step.

3. Update Doppler SAML SSO Configuration

Navigate to the Doppler Team page and click on the SSO tab.

Scroll down to the SAML Single Sign-On section, click on the three dot menu, and choose the Edit option. Paste in the IDP XML metadata, check the Enabled field, then click the Save button.

4. OneLogin Application Logos

To set the logo for the new Doppler application in OneLogin, browse back to the Info tab of the application. Update the application logos using the images below, then click Save.


5. OneLogin Application Parameters

Now let's configure the parameters sent to Doppler during the sign-in process by clicking on Parameters, then the (+) button to add a new field.


Set the Field name to name, check Include in SAML assertion and click Save.


Select - Macro - for the Value field and enter {firstname} {lastname} as the macro value. Ensure Include in SAML assertion is still checked and click Save.


Then click Save to apply the addition of the name field.


6. Testing

As a OneLogin administrator, it's presumed you'll know how to sufficiently test a new SAML application, but here is a general guide.

📘

Test sign-in flow using incognito window

Be sure to stay signed in to the Doppler dashboard until you've verified the SAML sign-in flow from an incognito window.

This will enable you to update or disable SAML SSO in the event of misconfiguration.

To quickly test that provisioning is working, create or use a test user account, then from the Users section, manually add them to the Doppler application.


Now test the Doppler SAML sign-in flow by opening an incognito window and signing in as the user assigned in the previous step.

Click on the Doppler application to initiate the sign-in process.


You should then be redirected to the Doppler dashboard for the assigned user.

Once you've verified the sign-in process is working correctly, you can apply your standard organization policies for user application assignment.

Troubleshooting

Here are some general troubleshooting tips:

  • Double-check that the Audience (EntityID) and Audience URI values match exactly what is displayed in the Doppler SAML section.
  • Ensure that the name parameter has been added to the Parameters section.
  • Check that the SAML metadata pasted into Doppler matches the metadata file downloaded from your OneLogin application.
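The checks above (and the values exchanged in Steps 2 and 3) can be scripted. The following is an added example, not Doppler's or OneLogin's own code: it pulls the entityID, SSO URL and signing certificate out of a downloaded IdP metadata file, then compares a captured SAML response's Destination, Recipient, Audience and "name" attribute against the Entity ID and ACS URL you copied from Doppler. The metadata, response, hostnames and URLs are constructed placeholders, and the script does not verify signatures.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Constructed IdP metadata in the shape of OneLogin's "SAML Metadata" download
# (certificate body replaced by a placeholder; hostnames are not real tenants).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://app.onelogin.com/saml/metadata/EXAMPLE">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC-PLACEHOLDER
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://example-tenant.onelogin.com/trust/saml2/http-redirect/sso/EXAMPLE"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""

# Constructed, unsigned SAML response as the IdP would POST it to the ACS URL.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://sp.example/acs">
 <saml:Assertion><saml:Subject><saml:SubjectConfirmation><saml:SubjectConfirmationData
  Recipient="https://sp.example/acs"/></saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://sp.example/entity</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement><saml:Attribute Name="name">
 <saml:AttributeValue>Ada Lovelace</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 </saml:Assertion></samlp:Response>"""

def parse_idp_metadata(xml_text):
    """Extract what Doppler consumes from the IdP metadata: entityID, SSO URL, signing cert."""
    root = ET.fromstring(xml_text)
    sso = root.find("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    cert = root.find(".//ds:X509Certificate", NS)
    return {"entity_id": root.get("entityID"),
            "sso_url": None if sso is None else sso.get("Location"),
            "signing_cert": None if cert is None else cert.text.strip()}

def check_response(xml_text, expected_entity_id, expected_acs_url):
    """List mismatches between a response and the SP's Entity ID / ACS URL; [] means all pass.
    Signature verification is out of scope here: this only catches copy/paste mistakes."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != expected_acs_url:
        problems.append("Destination does not match ACS URL")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected_acs_url:
        problems.append("Recipient does not match ACS URL")
    aud = root.find(".//saml:Audience", NS)
    if aud is None or aud.text.strip() != expected_entity_id:
        problems.append("Audience does not match Entity ID")
    if not any(a.get("Name") == "name" for a in root.findall(".//saml:Attribute", NS)):
        problems.append("'name' attribute missing from assertion")
    return problems
```

To use it against a real sign-in, replace SAMPLE_RESPONSE with the base64-decoded SAMLResponse form field captured from the browser's network tab, and pass the Entity ID and ACS URL shown in Doppler's SAML edit drawer.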

If you're still running into issues, the error page should present you with a requestId value that can be used by our support team for further diagnosis.

👍

Awesome Work!

Your OneLogin SAML application is now ready to go!