Safeguard.sh Documentation Center
SSO AuthenticationSAML 2.0

OneLogin

Configure OneLogin as a SAML 2.0 identity provider for Safeguard.

OneLogin

  1. In OneLogin, go to Applications → Add App, search for "SAML Custom Connector," and add it.
  2. Under Configuration, set:
    • ACS (Consumer) URL: the ACS URL Safeguard shows after Save
    • Audience: the SP Entity ID Safeguard shows after Save
  3. Under Parameters, add a custom parameter named email mapped to the Email field — separate from the NameID policy OneLogin applies by default.
  4. Under SSO, copy the SAML 2.0 Endpoint (HTTP), Issuer URL, and the X.509 Certificate.
  5. In Safeguard, click Add Provider → SAML 2.0 → OneLogin, and enter those three values.
  6. In OneLogin, assign users under the app's Users tab.
  7. Click Test in Safeguard to confirm.

Common errors: an "Invalid Login" error at OneLogin usually means the Audience field doesn't match what Safeguard expects, or the app isn't assigned to the signed-in user under Users.

On this page