
Best Practices & FAQs

Best Practices

Single sign-on (SSO) is not just about convenience; it is also about security. An enterprise owns its employees' identities in the cloud apps it uses, and it should be able to manage those identities effectively.

For example, when an employee leaves a company, the company should be able to prevent that employee from accessing all of its cloud apps. You can help the enterprise achieve this by providing a few key SSO settings in your application.

  • Disallow username/password login

    Once a customer has enabled SSO for its account, it usually wants to disable its employees' ability to sign in with a password, so that every sign-in goes through the identity provider. Provide a per-account setting for this.

  • Disallow password resets

    Prevent a user from changing or resetting their password via email. With SSO enforced, an email-based reset would reopen the password sign-in path that the previous setting closed.

  • Disallow email address change

    Companies usually want a user to use their work email address only, as this is the email address that the company controls. Don't let the user change it to a personal email address.

  • Enforce session timeouts

    Don't let a user stay signed in indefinitely: expire idle user sessions. Use the session lifetime the identity provider sends in the SAML response (the SessionNotOnOrAfter attribute of the assertion's AuthnStatement), or a per-account setting when it sends none. When a user clicks a link in the app after the session has expired, your app should send a SAML request (an AuthnRequest) to the identity provider to check whether the user is still authorized to sign in to your app; a user who has been removed at the identity provider is then locked out without any action on your side.

  • Force sign-in

    If the application receives a sign-on request (a SAML response for a user) while the user's browser already has an active session, replace that session with one for the newly signed-in user. This reduces the risk of a user inadvertently seeing someone else's data. It is also helpful to people who use SSO portals to sign in to different accounts in the same application.
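As an added example (not OneLogin's code, nor that of any of its toolkits), here is a minimal service-provider session layer in Python that implements the five settings above, plus the AuthnRequest the app sends when a session has expired, encoded for the HTTP-Redirect binding. It assumes the SAML Response has already been signature-verified and had its Conditions checked by a SAML library; the setting names (AccountSsoSettings, SessionStore) and the sample response are hypothetical and constructed for the example.

```python
"""Added example (not OneLogin's or any SAML toolkit's code): a minimal SP session
layer for the five settings above.  Assumption: the Response has ALREADY been
signature-verified and its Conditions checked by a SAML library."""
import base64, uuid, zlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (Signature and Conditions omitted): the IdP caps the
# session with SessionNotOnOrAfter on the AuthnStatement.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-05-01T12:00:00Z">
  <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml2:Issuer>https://idp.example.com</saml2:Issuer>
    <saml2:Subject><saml2:NameID>alice@corp.example</saml2:NameID></saml2:Subject>
    <saml2:AuthnStatement AuthnInstant="2024-05-01T12:00:00Z" SessionIndex="_s1"
      SessionNotOnOrAfter="2024-05-01T20:00:00Z"/>
  </saml2:Assertion>
</saml2p:Response>"""

@dataclass
class AccountSsoSettings:          # per-customer-account switches (hypothetical names)
    disallow_password_login: bool = True
    disallow_password_reset: bool = True
    disallow_email_change: bool = True
    idle_timeout: timedelta = timedelta(hours=2)

@dataclass
class Session:
    user: str
    idle_until: datetime            # slides forward on each request
    hard_until: Optional[datetime]  # SessionNotOnOrAfter from the IdP, if it sent one

def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are xsd:dateTime in UTC, e.g. 2024-05-01T20:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_assertion(response_xml: str) -> Tuple[str, Optional[datetime]]:
    """Return (NameID, SessionNotOnOrAfter) from an already-verified Response."""
    root = ET.fromstring(response_xml)
    name_id = root.find(".//saml2:Subject/saml2:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("assertion has no NameID")
    stmt = root.find(".//saml2:AuthnStatement", NS)
    limit = stmt.get("SessionNotOnOrAfter") if stmt is not None else None
    return name_id.text.strip(), (parse_saml_time(limit) if limit else None)

def self_service_allowed(cfg: AccountSsoSettings, action: str) -> bool:
    """Settings 2 and 3: gate the password-reset and email-change flows."""
    return {"password_reset": not cfg.disallow_password_reset,
            "email_change": not cfg.disallow_email_change}[action]

class SessionStore:
    """Maps a browser's session cookie to the signed-in user."""
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login_with_password(self, cfg, cookie: str, user: str, now: datetime) -> bool:
        if cfg.disallow_password_login:      # Setting 1: SSO-only accounts refuse passwords
            return False
        self._sessions[cookie] = Session(user, now + cfg.idle_timeout, None)
        return True

    def login_from_saml(self, cfg, cookie: str, response_xml: str, now: datetime) -> Session:
        user, idp_limit = parse_assertion(response_xml)
        # Setting 5 (force sign-in): replace whatever session this browser had,
        # even one belonging to a different user.
        self._sessions[cookie] = Session(user, now + cfg.idle_timeout, idp_limit)
        return self._sessions[cookie]

    def touch(self, cfg, cookie: str, now: datetime) -> Optional[str]:
        """Setting 4: the user of a live session (sliding its idle deadline), or None,
        in which case the caller must send a new AuthnRequest to the IdP."""
        s = self._sessions.get(cookie)
        if s is None or now >= s.idle_until or (s.hard_until and now >= s.hard_until):
            self._sessions.pop(cookie, None)
            return None
        s.idle_until = now + cfg.idle_timeout
        if s.hard_until is not None:          # never slide past the IdP's ceiling
            s.idle_until = min(s.idle_until, s.hard_until)
        return s.user

def build_authn_request(sp_entity_id: str, acs_url: str, idp_sso_url: str, now: datetime) -> str:
    """The AuthnRequest the SP sends when touch() returns None."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["saml2p"]}" xmlns:saml="{NS["saml2"]}" '
            f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{now:%Y-%m-%dT%H:%M:%SZ}" '
            f'Destination="{idp_sso_url}" AssertionConsumerServiceURL="{acs_url}" '
            f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
            f'<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>')

def redirect_url(idp_sso_url: str, authn_request_xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    return idp_sso_url + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
```

SessionNotOnOrAfter is optional in an AuthnStatement, so the per-account idle timeout is the fallback rather than an alternative: both limits are enforced, and the idle deadline is never allowed to slide past the identity provider's ceiling. The AuthnRequest here is unsigned; add a signature if the identity provider requires signed requests.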

FAQs

  • How can I test my SAML implementation?

    You can test your application’s SAML implementation by using the generic OneLogin SAML Test app. To add it to your account, go to Apps > Add App > Find Applications.

    For information about how to use it, see How to Use the OneLogin SAML Test Connector.

  • Where can I find some sample SAML requests and responses?

    See the Examples on this site.

  • Do the SAML Toolkits work with Active Directory Federation Services?

    Yes, the OneLogin SAML toolkits work with AD FS. In the relying party trust that AD FS holds for your application, select SHA1 rather than SHA256 as the secure hash algorithm, since the toolkits as described here verify SHA-1 signatures. Note that SHA-1 is deprecated for XML signatures; if the version of the toolkit you use supports SHA-256 signature verification, configure that instead and fall back to SHA-1 only when it does not.

  • What is the difference between SAML, OpenID, and OAuth?

    Although there is some overlap, here is a simple way of distinguishing between the three protocols (OpenID here means OpenID 2.0, the protocol current when this page was written; its successor, OpenID Connect, is built on OAuth 2.0):

    • SAML: Single sign-on for enterprise users

    • OpenID: Single sign-on for consumers

    • OAuth: API authorization between applications

  • Should I use OpenID or SAML as my SSO protocol?

    With Google choosing OpenID as the SSO protocol for their Apps Marketplace, OpenID may seem like the obvious choice. Also, SAML is often criticized for its complexity and OpenID is often praised for its simplicity. But before making a decision, let’s take a high-level look at the differences between the protocols:

    Feature                          OpenID                          SAML
    -------------------------------  ------------------------------  --------------------------------------
    Service provider-initiated SSO
    Identity provider-initiated SSO
    Identity provider discovery      Configured per user             Configured per account
    Just-in-time provisioning        Via back-channel SReg request   Directly, in the same user SSO request

    (The support marks in the first two rows were images on the original page and did not survive extraction.)

    Community questions and answers about the toolkits: see the questions tagged onelogin and saml on StackOverflow.
