OneLogin

Last Updated: April 07, 2026

An identity provider (IdP) uses an authentication token to vouch for a person's identity. Vasion Automate uses IdPs for several tasks, including logging in to the Admin Console and portals, deploying printers, releasing print jobs, and more.

If you use an IdP, the Control Panel Application (CPA) supports only badge and PIN authentication.

Configure Connection

To add and configure app properties for the Vasion Print connection, do the following:

  1. Create the OneLogin App.
  2. Add the IdP Settings Template.
  3. Configure Single Sign-On (SSO).
  4. Add the X-509 Certificate.
  5. Complete IdP Settings.
  6. Configure Provisioning.
  7. Add Vasion Print Admins.

1. Create the OneLogin App

  1. In your preferred browser, log in to your OneLogin portal. You can add your domain name to the following URL to access your portal.

    https://<your domain>.onelogin.com/login

  2. Hold the pointer over Applications in the top menu, and then select Applications.

    OneLogin portal showing expanded Applications menu and Applications option.

  3. Select Add App in the upper-right corner of the Applications screen.
  4. Search for and select the PrinterLogic app.
  5. Give your app a unique name and description.
  6. Select Save.

    OneLogin portal showing Configuration tab and PrinterLogic Subdomain field.

  7. Leave the current browser open on the new app screen for the following steps.

2. Add the IdP Settings Template

If the IdP Settings modal does not look like the image below, you may not be using the latest version and should contact Product Support to upgrade your IdP settings.

When configuring this IdP through Vasion Print, select the Custom option from the IdP Template dropdown menu.

  1. Open your Vasion Print Admin Console in a new browser tab, and log in.
  2. Select Tools then Settings then General, and scroll down to the Identity Provider Settings section.
  3. Select IdP, and then select Add.
  4. Select the IdP that you want to configure from the IdP Template dropdown menu.
  5. Select SAML2 in the Authentication Protocol section.
  6. In the Provisioning section, if you are using Systems for Cross-domain Identity Management (SCIM), leave the JIT option deselected.

    By default, the Admin Console assumes that you are using SCIM for provisioning. Only select JIT if you are not using SCIM.

  7. In the Name field, enter the name that you want to appear on the login button for users. For example, My Company, Login, or Acme Corp.
  8. Scroll down, and select the desired settings:
    • Enable for End User Login: Allows end users to log in using this IdP. (Self-service Portal)
    • Enable for Admin Login: Allows admins to log in using this IdP. (Admin Console)
    • You can select both checkboxes when you are using a single IdP or when admins and end users use the same IdP to log in.

Keep the IdP Settings modal open so that the Service Provider Information section at the bottom is available for the following steps.

IdP Settings showing multiple fields and Service Provider Information section.

3. Configure Single Sign-On (SSO)

  1. In the Vasion Print Admin Console, go to the IdP Settings modal and copy the IdP Identifier in the Service Provider Information section.
  2. In the OneLogin app, select Configuration from the left-side menu.
  3. Paste the IdP Identifier in the OneLogin PrinterLogic IdP ID field.
  4. In the PrinterLogic Region field, select the region that your instance resides in.
  5. In the PrinterLogic Subdomain field, enter the subdomain of your instance.

    Make sure that you enter only the subdomain. For example, if your instance is https://acmecorp.printercloud.com/admin, enter only "acmecorp".

  6. Select Save in the upper-right corner.
  7. In the OneLogin app, select SSO from the left-side menu.
  8. Copy the OneLogin Issuer URL, and paste it in the Admin Console Issuer URL field.

    Leave the Admin Console Issuer ID field blank.

  9. Copy the OneLogin SAML 2.0 Endpoint (HTTP), and paste it in the Admin Console SSO URL field.

OneLogin app showing SSO tab with SAML 2.0 Endpoint (HTTP) field.

4. Add the X-509 Certificate

  1. In the SSO tab, go to the X.509 Certificate section, right-click View Details, and select Open in new tab.

    OneLogin app showing SSO tab, X.509 Certificate section, and View Details button.

    Opening the link in a new tab is optional. If you open it in the current tab instead, navigate back to the app after completing this section: hold the pointer over Applications in the top menu, select Applications, and then select your app from the Applications screen.

  2. Scroll down to the X.509 Certificate section, and copy the certificate body, including the Begin / End Certificate headers.

    OneLogin app showing X-509 certificate and Begin / End Certificate headers.

  3. Paste the certificate in the Admin Console X-509 Certificate field.
  4. Select Apply in the Admin Console.
  5. Select Save in the upper-right corner of the General settings.

IdP Settings showing X-509 Certificate and other fields configured.

5. Complete IdP Settings

  1. In the General settings of the Vasion Print Admin Console, navigate to the Identity Provider Settings section.
  2. To have Vasion Print prompt users to authenticate through the IdP when performing any function that requires authorization, such as installing a printer, select the Automatically Open Browser to Login on Desktop Client option.

    If you do not select this option, users must manually navigate to the IdP login screen to log in.

  3. We recommend enabling the Use Loopback with Saml 2.0 (recommended) option. The IdP needs to provide an authentication token to the desktop Client whenever authentication happens. This option allows the Client to handle the token and automatically log in without interaction from end users.

    General settings showing Identity Provider Settings section with IdP option and other options selected.

  4. The Use Domain User (Windows only) option automatically authorizes domain-joined Windows users and does not require them to log in through the configured IdPs.
  5. Select Save in the upper-right corner of the General settings.

6. Configure Provisioning

The provisioning steps vary depending on whether you are using Systems for Cross-domain Identity Management (SCIM) or JIT provisioning. Choose the appropriate option below to view the corresponding steps.

SCIM Provisioning

  1. In the OneLogin app, select Provisioning from the left-side menu.
  2. Select Enable Provision. Configure other user management options as desired.
  3. Select Save.
  4. Select Configuration from the left-side menu.

OneLogin app showing Provisioning tab and enabled settings.

Generate & Apply a SCIM Token

  1. In the Vasion Print General settings, select the SCIM option in the Identity Provider Settings section.
  2. Select your IdP configuration from the dropdown menu.
  3. Select Generate SCIM Token.

    Identity Provider Settings section showing SCIM option with IdP selected from dropdown menu and Generate SCIM Token button to right.

    Generating a SCIM token invalidates any previous tokens for that IdP.

  4. Copy the token, close the modal, and select Save in the upper-right corner of the General settings.
  5. In the OneLogin Configuration tab, paste the token in the SCIM Bearer Token field.
  6. Select the Enable button for API Status.
  7. Select Save in the OneLogin app.

OneLogin app showing Configuration tab, SCIM Bearer Token field, and Enable button.

Add Users & Groups

Follow the steps below to add individual users to the app. If you are using OneLogin Roles for group provisioning, skip to Add Groups.

Add Users
  1. In the OneLogin app, hold the pointer over Users in the top menu and then select Users.
  2. Search for and select the desired user.
  3. Select Applications from the left-side menu.
  4. Select the + (plus) button on the right.
  5. In the Select application dropdown menu, select your app.
  6. Select Continue.
  7. Review the user information, and select Save.
  8. With the user now displayed on the Applications tab, check their status.
  9. If the status is pending, select Pending.
  10. In the Create modal, select Approve.
  11. Select Save User in the upper-right corner.

Users begin provisioning after they are approved.

OneLogin app showing "Assign new login to" section and "Select application" menu.

Add Groups

You can use OneLogin Roles to provision groups. The steps below guide you through setting parameters and creating and assigning a new role.

1. Create and Assign Roles
  1. In the OneLogin app, hold the pointer over Users in the top menu and then select Roles.
  2. Select New Role in the upper-right corner.
  3. In the upper-left field, enter the role name and select the checkmark.
  4. In the Select Apps to Add field, select your app.
  5. Select Save.
  6. Select your role from the list, and then select Users from the left-side menu.
  7. In the Check existing or add new users to this role section, search for the user.
  8. Select the user, and then select Check.
  9. Select Add To Role.
  10. Repeat as needed for each user.
  11. Select Save when you finish.

OneLogin app showing Users tab and "Check existing or add new users to this role" section.

2. Set Parameters
  1. In the OneLogin app, select Parameters from the left-side menu.
  2. In the Value column, select Groups.
  3. In the Edit Field Groups modal, select Include in User Provisioning.
  4. Select Save.

OneLogin app showing Edit Field Groups modal and "Include in User Provisioning" checkbox.

3. Create Rules
  1. In the OneLogin app, select Rules from the left-side menu.
  2. Select Add Rule.
  3. In the New mapping modal, enter a name.
  4. In the Actions section, select Set Groups in <Application Name>.
  5. Select Map from OneLogin.
  6. Set the For each field to Role.
  7. Set the with value that matches field to the role name you previously created.
  8. Select Save in the modal.
  9. Select Save in the Rules tab.

OneLogin app showing "New mapping" modal and Actions section.

4. Approve Pending Users
  1. In the OneLogin app, select Users from the left-side menu.
  2. In the Provisioning State column, select the Pending option.
  3. In the Create modal, select Approve or the approve bulk logins option.

Users begin provisioning after they are approved.

OneLogin app showing Provisioning State column.

JIT Provisioning

JIT does not support the provisioning of group membership associations, so you cannot apply Role-Based Access Control (RBAC) roles, printer deployments, or portal security roles to groups. You must create assignments individually for each user.

When using JIT provisioning, the app creates users during the first login attempt:

  1. Access your Vasion instance, and select Sign In With <IdP Name>.
  2. Attempt to log in with your IdP credentials.
  3. This login attempt fails and returns you to the login screen.

    This behavior is expected. With JIT, this action triggers user creation in the Vasion instance.

  4. The second login attempt with valid credentials initiates a typical login sequence.

For admins who need access to the Admin Console, you still need to add them to the Users page located in Tools then Users.

7. Add Vasion Print Admins

For steps on assigning users and roles to the Vasion Print and Vasion Automate Admin Console, refer to Admin Console Users.