OneLogin
Last Updated: April 07, 2026
An identity provider (IdP) uses an authentication token to vouch for a person's identity. Vasion Automate uses IdPs for several tasks, including logging in to the Admin Console and portals, deploying printers, releasing print jobs, and more.
If you use an IdP, the Control Panel Application (CPA) supports only badge and PIN authentication.
Just-in-Time (JIT) provisioning is the only option available when using OneLogin with Virtual Appliance.
Configure Connection
To add and configure app properties for the Virtual Appliance connection, do the following:
- Create the OneLogin App.
- Add the IdP Settings Template.
- Configure Single Sign-On (SSO).
- Configure Parameters.
- Add the X-509 Certificate.
- Complete IdP Settings.
- Assign Access.
- Just-in-Time (JIT) Provisioning.
- Add Virtual Appliance Admins.
1. Create the OneLogin App
- In your preferred browser, log in to your OneLogin portal. You can add your domain name to the following URL to access your portal.
https://<your domain>.onelogin.com/login
- Hold the pointer over Applications in the top menu, and then select Applications.
- Select Add App in the upper-right corner of the Applications screen.
- Search for and select the SAML Custom Connector (Advanced) app.
- Give your app a unique name and description.
- Select Save.
- Leave the current browser open on the new app screen for the following steps.
2. Add the IdP Settings Template
If the IdP Settings modal does not look like the image below, you may not be using the latest version and should contact Product Support to upgrade your IdP settings.
When configuring this IdP through Virtual Appliance, select the Custom option from the IdP Template dropdown menu.
- Open your Virtual Appliance Admin Console in a new browser tab, and log in.
- Select Tools > Settings > General, and scroll down to the Identity Provider Settings section.
- Select IdP, and then select Add.
- Select the IdP that you want to configure from the IdP Template dropdown menu.
- Select SAML2 in the Authentication Protocol section.
- In the Provisioning section, the Admin Console assumes that you are using Just-in-Time (JIT) for Virtual Appliance apps. Select the JIT checkbox.
When you consider how to set up your IdP configuration, be aware that Systems for Cross-domain Identity Management (SCIM) provisioning requires an open connection from the IdP to the Virtual Appliance instance gateway container. We recommend JIT provisioning when setting up your IdP connection.
- In the Name field, enter the name that you want to appear on the login button for users. For example, My Company, Login, or Acme Corp.
- Scroll down, and select the desired settings:
- Enable for End User Login: Allows end users to log in using this IdP. (Self-service Portal)
- Enable for Admin Login: Allows admins to log in using this IdP. (Admin Console)
- You can select both checkboxes when you use a single IdP or when admins and end users use the same IdP to log in.
Keep the IdP Settings modal open so that the Service Provider Information section at the bottom is available for the following steps.
3. Configure Single Sign-On (SSO)
- In the Virtual Appliance Admin Console, copy the Relay State in the Service Provider Information section of the IdP Settings modal.
- In the OneLogin app, select Configuration from the left-side menu.
- Paste the Relay State in the OneLogin RelayState field.
- Copy the Admin Console Identifier (Entity ID), and paste it in the OneLogin Audience (Entity ID) field.
- Copy the Admin Console Reply Url (ACS), and paste it in both the OneLogin ACS (Consumer) URL Validator and ACS (Consumer) URL fields.
- Configure any other fields as desired, but you can leave them with the default values.
- Select Save.
- In the OneLogin app, select SSO from the left-side menu.
- Copy the OneLogin Issuer URL, and paste it in the Admin Console Issuer URL field.
Leave the Admin Console Issuer ID field blank.
- Copy the OneLogin SAML 2.0 Endpoint (HTTP), and paste it in the Admin Console SSO URL field.
- Select Save.
Configure Parameters
- In the OneLogin app, select Parameters from the left-side menu.
- Select the + (plus) button.
- In the Field name, enter FirstName.
- Select the Include in SAML assertion checkbox, and then select Save.
- In the Edit Field modal, enter the following:
- Field Name: Email, Value: Email.
- Field Name: FirstName, Value: First Name.
- Field Name: LastName, Value: Last Name.
- Field Name: Username, Value: Username.
- Select Save.
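The following added example (not part of the original documentation or of either product) checks a base64 SAMLResponse value from your own test login against the values set in steps 3 and Configure Parameters: Issuer URL, Entity ID, Reply Url (ACS), and the four attribute names. The URLs in `EXPECTED` and the sample response are constructed placeholders, and the check does not validate the XML signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_ATTRS = {"Email", "FirstName", "LastName", "Username"}  # Configure Parameters
# Constructed placeholders; substitute the values shown in your own consoles.
EXPECTED = {"issuer_url": "https://idp.example.test/saml/metadata/1",
            "entity_id": "https://sp.example.test/entity",
            "acs_url": "https://sp.example.test/acs"}

def check_saml_response(b64_response, expected):
    """Return a list of mismatches between a SAMLResponse and the configured values."""
    xml = base64.b64decode(b64_response)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD in SAML response; refusing to parse")
    root = ET.fromstring(xml)
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return ["no unencrypted Assertion element found"]
    problems = []
    issuer = assertion.findtext("a:Issuer", default="", namespaces=NS).strip()
    if issuer != expected["issuer_url"]:
        problems.append(f"Issuer {issuer!r} != Issuer URL")
    audiences = {e.text.strip() for e in
                 assertion.iterfind(".//a:AudienceRestriction/a:Audience", NS) if e.text}
    if expected["entity_id"] not in audiences:
        problems.append("Audience does not contain Entity ID")
    if root.get("Destination") != expected["acs_url"]:
        problems.append("Destination != Reply Url (ACS)")
    names = {a.get("Name") for a in
             assertion.iterfind(".//a:AttributeStatement/a:Attribute", NS)}
    problems += [f"missing attribute {n}" for n in sorted(REQUIRED_ATTRS - names)]
    return problems

def sample_response(attrs, audience):
    """Constructed sample (not captured traffic): minimal unsigned SAML response."""
    attr_xml = "".join(f'<a:Attribute Name="{n}"><a:AttributeValue>x'
                       f'</a:AttributeValue></a:Attribute>' for n in attrs)
    xml = (f'<p:Response xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}" '
           f'Destination="{EXPECTED["acs_url"]}"><a:Assertion>'
           f'<a:Issuer>{EXPECTED["issuer_url"]}</a:Issuer><a:Conditions>'
           f'<a:AudienceRestriction><a:Audience>{audience}</a:Audience>'
           f'</a:AudienceRestriction></a:Conditions>'
           f'<a:AttributeStatement>{attr_xml}</a:AttributeStatement>'
           f'</a:Assertion></p:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    print(check_saml_response(sample_response(["Email", "Username"], "wrong"), EXPECTED))
```

An empty list means the response matches the configured values; each string in a non-empty list names the field to recheck in the OneLogin app or the IdP Settings modal.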
4. Add the X-509 Certificate
- In the OneLogin app, select SSO from the left-side menu.
- In the SSO tab, go to the X.509 Certificate section, right-click View Details, and select Open in new tab.
You do not need to open the link in a new tab. After completing this section, navigate back to the app, hold the pointer over Applications in the top menu, select Applications, and then select your app from the Applications screen.
- Scroll down to the X.509 Certificate section, and copy the certificate body, including the Begin / End Certificate headers.
- Paste the certificate in the Admin Console X-509 Certificate field.
- Select Apply in the Admin Console.
- Select Save in the upper-right corner of the General settings.
5. Complete IdP Settings
- In the General settings of the Virtual Appliance Admin Console, navigate to the Identity Provider Settings section.
- To have Virtual Appliance prompt users to authenticate through the IdP when performing any function that requires authorization, such as installing a printer, select the Automatically Open Browser to Login on Desktop Client option.
If you do not select this option, users must manually navigate to the IdP login screen to log in.
- We recommend enabling the Use Loopback with Saml 2.0 (recommended) option. The IdP needs to provide an authentication token to the desktop Client whenever authentication happens. This option allows the Client to handle the token and automatically log in without interaction from end users.
- The Use Domain User (Windows only) option automatically authorizes domain-joined Windows users and does not require them to log in through the configured IdPs.
- Select Save in the upper-right corner of the General settings.
6. Assign Access
- In the OneLogin app, select Access from the left-side menu.
- Select the groups of users that should have access to the Virtual Appliance app, and select Save.
- Select Users from the left-side menu, and verify that the appropriate users are assigned to the app.
7. Just-in-Time (JIT) Provisioning
JIT does not support the provisioning of group membership associations, so you cannot apply Role-Based Access Control (RBAC) roles, printer deployments, or portal security roles to groups. You must create assignments individually for each user.
When using JIT provisioning, the app creates users during the first login attempt:
- Access your Vasion instance, and select Sign In With <IdP Name>.
- Attempt to log in with your IdP credentials.
- This login attempt fails and returns you to the login screen.
This behavior is expected. With JIT, this action triggers user creation in the Vasion instance.
- The second login attempt with valid credentials initiates a typical login sequence.
For admins who need access to the Admin Console, you still need to add them to the Users page located in Tools > Users.
8. Add Virtual Appliance Admins
For steps on assigning users and roles to the Virtual Appliance and Vasion Automate Admin Console, refer to Admin Console Users.











