Configuring SAML Authentication with OneLogin
To use SAML 2.0 Authentication with OneLogin, add a new SAML 2.0 Application. In this example, we used a SAML Test Connector (IdP w/ attr w/ sign response) application. Once the application is created, go to the Configuration tab.
RelayState should be empty
Audience is something you can make up. The URI doesn't need to exist, but it *must* be copy-pasted into your Team auth settings. On the Team Auth Settings page (/admin/auth-settings), this will be used as the "Audience Restriction".
ACS (Consumer) URL Validator and ACS (Consumer) URL can be set to the same value. This is the Assertion Consumer Service URL of your Team, which can be found on https://stackoverflow.com/c/yourteam/admin/auth-settings, in the right sidebar.
Now go to the Parameters tab. You must have at least one parameter for the user display name and one for the user email. Both must be included in the SAML assertions, so when adding the custom parameters, make sure you check the Include in SAML assertion checkbox.
These are the custom parameters we have configured for this example. The Email parameter was already configured, so we just added a new one that we called Name:
We must now set up our Team to use this OneLogin connector. Click on the SSO tab and open the Team Auth Settings page in a separate tab: https://stackoverflow.com/c/yourteam/admin/auth-settings
You'll need to fill in the following fields according to what you got on OneLogin:
Single Sign-On Service Url: that's the SAML 2.0 Endpoint seen above
Single Sign-On Service Protocol Binding: do not change, leave as POST
Issuer: that's the Issuer URL seen above
Audience Restriction: should match Audience you set on the OneLogin Configuration tab
Display Name Assertion: should match the SAML Test Connector (IdP) Field, on the Parameters tab, for the user display name. In our example, that was the "Name" parameter.
Email Address Assertion: should match the SAML Test Connector (IdP) Field, on the Parameters tab, for the user email
Leave all checkboxes unchecked
Identity Provider Certificates: copy and paste the certificate for your OneLogin setup. This can be found by clicking on View Details for the certificate generated by OneLogin in the screenshot above.
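To make concrete what the Team does with the values entered above, here is an added example (not Stack Overflow's or OneLogin's code) that parses a SAML 2.0 Response and applies the Issuer, Audience Restriction, Display Name Assertion and Email Address Assertion settings to it: the assertion's Issuer must equal the configured issuer, the configured audience must appear in the AudienceRestriction, and the two attribute names must each resolve to exactly one value. The issuer URL, audience URI and the sample response are constructed placeholders. Verifying the XML signature against the Identity Provider Certificate is out of scope for this snippet; in a real service provider that check runs first, before any of these values are trusted.

```python
# Added example: apply the Team Auth Settings (Issuer, Audience Restriction,
# attribute names) to a SAML 2.0 Response. Signature verification against the
# Identity Provider Certificate is NOT performed here and must precede these
# checks in real code.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values as they would be entered on /admin/auth-settings. These are
# constructed placeholders, not real OneLogin identifiers.
TEAM_SETTINGS = {
    "issuer": "https://app.onelogin.com/saml/metadata/EXAMPLE-APP-ID",
    "audience_restriction": "urn:example:stackoverflow-team",
    "display_name_assertion": "Name",   # the "Name" parameter from the guide
    "email_address_assertion": "Email", # the pre-configured "Email" parameter
}


class SamlCheckError(ValueError):
    """Raised when a response does not match the configured Team settings."""


def check_response(xml_text: str, settings: dict) -> dict:
    """Return {'display_name', 'email'} if the response matches the settings."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlCheckError("no Assertion element in response")

    # Issuer must equal the "Issuer" setting exactly.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != settings["issuer"]:
        raise SamlCheckError(f"issuer mismatch: {issuer!r}")

    # The configured "Audience Restriction" must be among the listed audiences.
    audiences = [
        a.text.strip()
        for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
        if a.text
    ]
    if settings["audience_restriction"] not in audiences:
        raise SamlCheckError(f"audience mismatch: {audiences!r}")

    # Collect attributes by Name; the Team settings refer to these names.
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip()
                  for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values

    def single(name: str) -> str:
        values = attrs.get(name, [])
        if len(values) != 1:
            raise SamlCheckError(
                f"attribute {name!r} missing or not single-valued: {values!r}")
        return values[0]

    return {
        "display_name": single(settings["display_name_assertion"]),
        "email": single(settings["email_address_assertion"]),
    }


def make_response(issuer: str, audience: str, name: str, email: str) -> str:
    """Build a minimal, unsigned SAML Response (constructed test input)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" Version="2.0">
  <saml:Assertion Version="2.0">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>{email}</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>{audience}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="Email"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Name"><saml:AttributeValue>{name}</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    good = make_response(TEAM_SETTINGS["issuer"],
                         TEAM_SETTINGS["audience_restriction"],
                         "Jane Doe", "jane@example.com")
    print(check_response(good, TEAM_SETTINGS))
    bad = make_response(TEAM_SETTINGS["issuer"], "urn:example:other-team",
                        "Jane Doe", "jane@example.com")
    try:
        check_response(bad, TEAM_SETTINGS)
    except SamlCheckError as exc:
        print("rejected:", exc)
```

The two most common mistakes in this guide map directly onto the errors the function raises: an Audience typed differently in OneLogin and on the Team page fails the audience check, and a custom parameter added without "Include in SAML assertion" ticked never appears in the AttributeStatement, so the attribute lookup fails.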
This is how you should set up your Team for the settings above: