Authentication > Integrate Okta SSO
Integrate OneLogin SSO
OneLogin SAML/SSO integration
Section titled “OneLogin SAML/SSO integration”Let your team sign into Tallyfy with their OneLogin credentials using SAML-based Single Sign-On (SSO). The setup takes about 30 minutes.
Requirements
Section titled “Requirements”- OneLogin administrator account
- A Tallyfy administrator account on any paid plan
- The Tallyfy SP values from the SSO wizard (shown when you pick OneLogin)
What you’ll do
Section titled “What you’ll do”- Create a OneLogin SAML application connector
- Configure SAML settings in both systems
- Paste the OneLogin metadata into the Tallyfy wizard, test, and enable
SAML integration flow
Section titled “SAML integration flow”This diagram shows the OneLogin-Tallyfy SAML setup and authentication flow.
Key points
Section titled “Key points”- You configure both OneLogin and Tallyfy yourself, no support hand-off
- After setup, users access Tallyfy through a special SSO URL
- New users from a verified domain are provisioned on first login when auto-join is on
Phase 1: Create OneLogin SAML application
Section titled “Phase 1: Create OneLogin SAML application”Step 1: Access application management
Section titled “Step 1: Access application management”-
Sign in to your OneLogin portal
-
Open the Administration menu
-
Go to Applications > Applications
-
Click Add App

Step 2: Select and configure the connector
Section titled “Step 2: Select and configure the connector”-
Search for “SAML Custom Connector” (or “SAML Test Connector” in older OneLogin versions)
-
Select SAML Custom Connector (Advanced)
-
Set the Display Name to “Tallyfy”
-
Click Save

Phase 2: Configure SAML settings
Section titled “Phase 2: Configure SAML settings”Step 1: Get Tallyfy SAML values
Section titled “Step 1: Get Tallyfy SAML values”You’ll need Tallyfy’s SAML values to configure OneLogin:
-
In Tallyfy, go to Settings > Organization > Security > SSO
-
Start a new connection and pick OneLogin as the provider
-
Copy the SP ACS URL and SP Entity ID shown on the first step of the wizard


Step 2: Configure the OneLogin connector
Section titled “Step 2: Configure the OneLogin connector”-
Go to the Configuration tab in your OneLogin application connector
-
Enter the Tallyfy SP ACS URL into the ACS (Consumer) URL field
-
Enter the same URL into the Recipient field
-
Enter the Tallyfy SP Entity ID into the Audience (EntityID) field
-
Enter the ACS URL again into the ACS (Consumer) URL Validator field
-
Click Save

Step 3: Configure user attributes
Section titled “Step 3: Configure user attributes”- Go to the Parameters tab in your OneLogin application
- Add the three parameters below
Add these three parameters and check Include in SAML assertion for each:
| Parameter Name | Value |
|---|---|
| FirstName | First Name |
| LastName | Last Name |

To add each parameter:
-
Click the + button in the top-right corner of the parameters table
-
Enter the parameter name (e.g., “Email”) and map it to the matching user attribute
-
Check Include in SAML assertion
-
Click Save


Step 4: Assign users
Section titled “Step 4: Assign users”-
Go to the Access tab in your OneLogin application
-
Select the appropriate roles or users
-
In this example, we’re using the Default role
-
Click Save

Phase 3: Configure Tallyfy with OneLogin info
Section titled “Phase 3: Configure Tallyfy with OneLogin info”Step 1: Get OneLogin SAML information
Section titled “Step 1: Get OneLogin SAML information”OneLogin can hand you a metadata link, which is the easiest thing to paste into Tallyfy.
-
Go to the SSO tab in your OneLogin application

-
Copy the Issuer URL value. OneLogin’s metadata URL is usually the issuer with
/metadataon the end. -
If you’d rather enter values by hand, note the SAML 2.0 Endpoint (HTTP), the Issuer URL, and the X.509 Certificate.
Step 2: Paste the metadata into Tallyfy and test
Section titled “Step 2: Paste the metadata into Tallyfy and test”Back in the Tallyfy SSO wizard (Settings > Organization > Security > SSO), move to the Enter IdP details step:
-
Metadata URL - paste OneLogin’s metadata link. Tallyfy fetches and parses it. Easiest option.
-
Manual entry - enter the SAML 2.0 Endpoint (HTTP), the Issuer URL, and the X.509 Certificate instead.
-
Run the Test connection step and fix anything it flags.
-
Once the test passes, enable the connection.

User provisioning and access
Section titled “User provisioning and access”After completing the setup:
-
Get your org’s SSO login URL from the SSO wizard (it’s shown next to the connection)
-
Share this URL with team members who have access to the OneLogin application

When users access Tallyfy through this URL:
- Existing Tallyfy users sign in automatically
- New users from a verified domain get provisioned on first login when auto-join is on. Verify your domain under the Domains tab first. See Domain verification.
Troubleshooting
Section titled “Troubleshooting”Running into auth issues? Check these common culprits:
- The user hasn’t been assigned to the OneLogin application
- Parameter mappings don’t match exact names - even a tiny typo breaks things
- The Include in SAML assertion flag isn’t checked
- Users are going to the regular Tallyfy login page instead of the SSO URL
- Still stuck? Contact Tallyfy Support
Set up SCIM provisioning (optional)
Section titled “Set up SCIM provisioning (optional)”SAML signs people in. SCIM keeps your roster in sync. With OneLogin provisioning on, OneLogin pushes user adds and removals to Tallyfy automatically, so accounts track your directory and you stop paying for people who’ve left.
- In Tallyfy, go to Settings > Organization > Security > SCIM and turn SCIM on
- Copy the Base URL and the bearer token (the token shows once, so store it safely)
- In OneLogin, open your Tallyfy app and go to the Configuration tab
- Paste the Tallyfy Base URL into the SCIM Base URL field and the bearer token into SCIM Bearer Token, then enable the API connection
- On the Provisioning tab, turn provisioning on and enable create, update, and delete actions
To map OneLogin roles to Tallyfy roles, provision groups whose names match Tallyfy’s reserved group names (for example tallyfy-admins). Full details are in SCIM provisioning.
Related articles
Section titled “Related articles”Integrations > Authentication and SSO
Authentication > Integrate Microsoft Entra ID SSO
Authentication > Integrate JumpCloud SSO
Was this helpful?
- 2026 Tallyfy, Inc.
- Privacy Policy
- Terms of Use
- Report Issue
- Trademarks