OneLogin SSO Setup

Updated by Amy Thomas

Parameters Needed

Criteria Provided Parameters:
  1. Entity ID (Audience URI)
    1. urn:amazon:cognito:sp:us-east-1_tkdHRnjPD 
  2. Assertion Consumer Service URL
  3. First-Time Sign-On URL/BookMark
    1. Once Soft-Enabled, Criteria CSM to provide customer with following link to include their unique company account ID. Customer must login via this link and not through their service provider):  
  4. Our Required SAML Attributes
    1. First Name
    2. Last Name
    3. Email Address
  5. Optional Recommended SAML Attribute
    1. Job Title
    2. Idp Immutable Global Unique Identifier (Varies by Idp) 
Customer Provided Parameters:
  1. Federation Metadata Document endpoint URL (Can also be an XML Document but URL preferred)

Step-By-Step Customer Side:

Create a OneLogin SAML application
  1. On the OneLogin portal page (, choose Administration.
  2. At the top of the Administration page click on Applications and then click on Add App at the top left.
  3. In the search bar under Find Applications, enter saml, and then choose OneLogin SAML Test (IdP) to open the Add OneLogin SAML Test (IdP) page.
  4. For Display Name enter HireSelect.
  5. Choose Save.
Edit your OneLogin application configuration
  1. Choose Configuration. 
  2. On the Configuration page, do the following: 
    1. For Audience, enter urn:amazon:cognito:sp:us-east-1_tkdHRnjPD
    2. Leave Recipient blank.
    3. For ACS (Consumer) URL Validator, enter
    4. For ACS (Consumer) URL, enter
    5. Leave Single Logout URL blank.
Edit your OneLogin application's parameter
  1. Choose Parameters(Note: One parameter (NameID (fka Email)) is already listed—this is expected.)
Choose Add parameter to create a new, custom parameter.
  1. In the New Field dialog, for Field name, enter
  2. For Flags, select the Include in SAML assertion check box.
  3. Choose Save.
  4. For Value, choose UUID from the list.
  5. Choose Save.
  6. Do the same for the following and make sure to select Include in SAML assertion like above:
    1. with value Email
    2. with value First Name
    3. with value Last Name
  7. The parameters should look like the image below:
  8. Copy the IdP metadata for your OneLogin application
    1. Choose SSO
    2. Under Issuer URL, copy the URL and send to our Support Team.
    3. Choose Save to save all your changes to your OneLogin application.

Next Steps

Our team will update your Criteria account and advise once we are ready to begin testing the integration. For next steps, please continue to our SSO How-to Guide.

PLEASE NOTE: The terminology for the attributes for your company may not be an identical match to the attribute names in the SSO setup page. In that case, you can input the most closely related attribute on your end. For example, If the attribute on the SSO setup page lists “givenname” you can input the user’s first name.  

How did we do?