Admins Configure access & security

Configure SAML 2.0 single sign-on (SSO) in OneLogin

New feature: content organization, collaboration and filtering

This article describes a new feature that may not be available to all users. If you don't see this feature and want to learn more, please contact your Tethr admin.
Section only

As a Tethr Admin user you can configure SAML 2.0 single sign-on (SSO) using OneLogin identity provider.

What we'll cover:

  1. Configuring OneLogin IdP for SAML 2.0 SSO

    1. Add Tethr as a new SAML 2.0 Web application
    2. Create a SAML integration
    3. Provide the IdP metadata to Tethr
  2. Tethr account activation and sign-in experience

  3. Configure SAML SSO for a specific IdP

Getting started: In the SAML SSO configuration example in this article, Tethr is the service provider and OneLogin is the identity provider (IdP). The majority of SAML 2.0 compliant identity providers require the same information about the service provider for setup.

Before you begin:

Before you can configure SAML 2.0 SSO in OneLogin, you'll need:

  • to be an Administrator of your organization’s Tethr users so you can activate users and test the integration.
  • a OneLogin account with Superuser or Account owner privileges.

Configuring OneLogin IdP for SAML 2.0 SSO

This section shows you how to configure the identity provider, OneLogin, to enable SAML single sign-on in Tethr.
Within OneLogin you’ll first add Tethr as a new SAML 2.0 Web application. Finally, you’ll set up a SAML integration and provide the IdP metadata to Tethr.

Add Tethr as a new SAML 2.0 Web application

To begin, you’ll need to sign in to your existing OneLogin identity provider account using your administrative rights.

  1. Select Applications from the main menu.

  2. On the Applications page, select the Add Application button.

  3. Under Find Applications, enter “SAML test connector” in the search bar and select the option SAML Test Connector (Advanced) from the list of options.


  4. Within the Portal configuration page, you’ll give your App a name and description and upload an optional logo.

    a) For the App name, use Tethr.
    b) Optional: Tethr logos can be found at https:/ to use for your icons.
    c) Optional: You can enter a description to differentiate the Tethr application from other providers’ applications. Then select Save.


Create a SAML integration

Required: OneLogin’s default encryption signature algorithm strength is set at SHA-1, which doesn’t meet Tethr’s encryption strength requirements. You must set the SAML Signature Algorithm to SHA-512 to meet Tethr’s encryption strength requirements.
  1. Choose the SSO tab in the lefthand navigation under Enable SAML2.0.

  2. In the SAML Signature Algorithm dropdown menu choose SHA-512 to increase the strength of the encryption signature algorithm. Then select Save.


    Required: While OneLogin only requires you to enter a value for two of the fields below, Tethr requires you enter all three of the following values including the Audience (EntityID), the ACS (Consumer) URL Validator and the ACS (Consumer) URL.
  3. Next, on the Configuration tab, enter as your Audience (EntityID).

  4. In the ACS (Consumer) URL Validator field, enter an asterisk.

  5. Then enter in the ACS (Consumer) URL field as your single sign-on URL.


  6. Under the Parameters tab select the “+” button to add a new field parameter. In the new field pop-up:

    a) Enter as the Field Name.
    b) Check the box to “Include in SAML assertion” and Save your entries.


    c) On the pop-up’s next screen, search for and add the Field Value: Email and Save your entry.


  7. In the More Actions menu, select the SAML Metadata option which downloads an XML file of your SAML metadata. You will provide this XML file to your Tethr Integrations Specialist.


Provide the IdP metadata to Tethr

To complete OneLogin SAML SSO configuration for your organization, you'll need to provide Tethr the identity provider (IdP) SAML metadata file you created above. This file helps Tethr understand how to communicate with OneLogin and how to request user authentication.

Tethr account activation and sign-in experience for OneLogin

When a Tethr user needs to be activated and they’re using SSO, they should utilize the Sign in with OneLogin button rather than selecting the Activate account button, as shown below:


If you’ve enabled SSO in your organization, your users’ login page will include a Sign-in with OneLogin option as shown below:


Configure SAML SSO for a specific IdP