Skip to content

Integrate OneLogin SSO

Administrators only

Let your team sign into Tallyfy with their OneLogin credentials using SAML-based Single Sign-On (SSO). The setup takes about 30 minutes.

  • OneLogin administrator account
  • A Tallyfy administrator account on any paid plan
  • The Tallyfy SP values from the SSO wizard (shown when you pick OneLogin)
  1. Create a OneLogin SAML application connector
  2. Configure SAML settings in both systems
  3. Paste the OneLogin metadata into the Tallyfy wizard, test, and enable

This diagram shows the OneLogin-Tallyfy SAML setup and authentication flow.

SAML integration flow
  • You configure both OneLogin and Tallyfy yourself, no support hand-off
  • After setup, users access Tallyfy through a special SSO URL
  • New users from a verified domain are provisioned on first login when auto-join is on
  1. Sign in to your OneLogin portal

  2. Open the Administration menu

  3. Go to Applications > Applications

  4. Click Add App

    OneLogin setup workflow configuration screen

Step 2: Select and configure the connector

Section titled “Step 2: Select and configure the connector”
  1. Search for “SAML Custom Connector” (or “SAML Test Connector” in older OneLogin versions)

  2. Select SAML Custom Connector (Advanced)

  3. Set the Display Name to “Tallyfy”

  4. Click Save

    OneLogin setup workflow configuration screen

You’ll need Tallyfy’s SAML values to configure OneLogin:

  1. In Tallyfy, go to Settings > Organization > Security > SSO

  2. Start a new connection and pick OneLogin as the provider

  3. Copy the SP ACS URL and SP Entity ID shown on the first step of the wizard

    OneLogin setup workflow configuration screen OneLogin setup workflow configuration screen

  1. Go to the Configuration tab in your OneLogin application connector

  2. Enter the Tallyfy SP ACS URL into the ACS (Consumer) URL field

  3. Enter the same URL into the Recipient field

  4. Enter the Tallyfy SP Entity ID into the Audience (EntityID) field

  5. Enter the ACS URL again into the ACS (Consumer) URL Validator field

  6. Click Save

    OneLogin setup workflow configuration screen

  1. Go to the Parameters tab in your OneLogin application
  2. Add the three parameters below

Add these three parameters and check Include in SAML assertion for each:

Parameter NameValue
EmailEmail
FirstNameFirst Name
LastNameLast Name
OneLogin setup workflow configuration screen

To add each parameter:

  1. Click the + button in the top-right corner of the parameters table

  2. Enter the parameter name (e.g., “Email”) and map it to the matching user attribute

  3. Check Include in SAML assertion

  4. Click Save

    OneLogin setup workflow configuration screen OneLogin setup workflow configuration screen

  1. Go to the Access tab in your OneLogin application

  2. Select the appropriate roles or users

  3. In this example, we’re using the Default role

  4. Click Save

    OneLogin setup workflow configuration screen

Phase 3: Configure Tallyfy with OneLogin info

Section titled “Phase 3: Configure Tallyfy with OneLogin info”

OneLogin can hand you a metadata link, which is the easiest thing to paste into Tallyfy.

  1. Go to the SSO tab in your OneLogin application

    OneLogin setup workflow configuration screen

  2. Copy the Issuer URL value. OneLogin’s metadata URL is usually the issuer with /metadata on the end.

  3. If you’d rather enter values by hand, note the SAML 2.0 Endpoint (HTTP), the Issuer URL, and the X.509 Certificate.

Step 2: Paste the metadata into Tallyfy and test

Section titled “Step 2: Paste the metadata into Tallyfy and test”

Back in the Tallyfy SSO wizard (Settings > Organization > Security > SSO), move to the Enter IdP details step:

  1. Metadata URL - paste OneLogin’s metadata link. Tallyfy fetches and parses it. Easiest option.

  2. Manual entry - enter the SAML 2.0 Endpoint (HTTP), the Issuer URL, and the X.509 Certificate instead.

  3. Run the Test connection step and fix anything it flags.

  4. Once the test passes, enable the connection.

    OneLogin setup workflow configuration screen

After completing the setup:

  1. Get your org’s SSO login URL from the SSO wizard (it’s shown next to the connection)

  2. Share this URL with team members who have access to the OneLogin application

    OneLogin setup workflow configuration screen

When users access Tallyfy through this URL:

  • Existing Tallyfy users sign in automatically
  • New users from a verified domain get provisioned on first login when auto-join is on. Verify your domain under the Domains tab first. See Domain verification.

Running into auth issues? Check these common culprits:

  • The user hasn’t been assigned to the OneLogin application
  • Parameter mappings don’t match exact names - even a tiny typo breaks things
  • The Include in SAML assertion flag isn’t checked
  • Users are going to the regular Tallyfy login page instead of the SSO URL
  • Still stuck? Contact Tallyfy Support

SAML signs people in. SCIM keeps your roster in sync. With OneLogin provisioning on, OneLogin pushes user adds and removals to Tallyfy automatically, so accounts track your directory and you stop paying for people who’ve left.

  1. In Tallyfy, go to Settings > Organization > Security > SCIM and turn SCIM on
  2. Copy the Base URL and the bearer token (the token shows once, so store it safely)
  3. In OneLogin, open your Tallyfy app and go to the Configuration tab
  4. Paste the Tallyfy Base URL into the SCIM Base URL field and the bearer token into SCIM Bearer Token, then enable the API connection
  5. On the Provisioning tab, turn provisioning on and enable create, update, and delete actions

To map OneLogin roles to Tallyfy roles, provision groups whose names match Tallyfy’s reserved group names (for example tallyfy-admins). Full details are in SCIM provisioning.