
Best Practices & FAQs

Best Practices

Single sign-on (SSO) is not just about convenience; it is also about security. An enterprise owns its employees' identities in the cloud apps it uses, and it should be able to manage those identities effectively.

For example, when an employee leaves a company, the company should be able to prevent that employee from accessing all of its cloud apps. You can help the enterprise achieve this by providing a few key SSO settings in your application.

  • Disallow username/password login

    When customers use your SSO protocol, they usually want to disable an employee’s ability to sign in using a password. You should provide a setting for this.

  • Disallow password resets

    Prevent a user from changing or resetting his password via email.

  • Disallow email address change

    Companies usually want a user to use her work email address only, as this is the email address that the company controls. Don’t let the user change it to a personal email address.

  • Enforce session timeouts

    Don’t let a user be signed on indefinitely: expire idle user sessions. Use the session timeout value from the SAML response or have a setting per account. When a user clicks a link in the app after the session has expired, your app should send a SAML request to the identity provider to see if the user is still authorized to sign in to your app.

  • Force sign-in

    If the application receives a sign-on request, but the user’s browser already has an active session, replace that with a session for the new user. This reduces the risk of a user inadvertently seeing someone else’s data. It is also helpful to people who use SSO portals to sign in to different accounts in the same application.
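The session-timeout and force-sign-in rules above, as an added example that is not OneLogin's toolkit code: it reads SessionNotOnOrAfter from a constructed assertion, falls back to a per-account lifetime when the attribute is absent, lets a new sign-on replace whatever session the browser already holds, and reports when the app must send a new SAML request to the identity provider. It assumes the response's signature has already been validated.

```python
# Added example (not OneLogin toolkit code): SP session handling for a SAML assertion.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real IdP response); signature omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AuthnStatement SessionNotOnOrAfter="2024-05-01T20:00:00Z"/>
</saml:Assertion>"""

@dataclass
class Session:
    name_id: str
    last_activity: datetime
    expires_at: datetime  # hard bound: IdP's SessionNotOnOrAfter or account default

def _parse_ts(value: str) -> datetime:
    # SAML timestamps are UTC ISO 8601, e.g. 2024-05-01T20:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def sign_in(store: dict, cookie: str, assertion_xml: str, now: datetime,
            default_lifetime: timedelta) -> Session:
    """Force sign-in: the new assertion always replaces store[cookie], even when
    another user's session is there, so a shared browser never shows stale data."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("assertion has no NameID")
    stmt = root.find("saml:AuthnStatement", NS)
    sna = stmt.get("SessionNotOnOrAfter") if stmt is not None else None
    # Prefer the bound the IdP put in the response; else the per-account setting.
    expires_at = _parse_ts(sna) if sna else now + default_lifetime
    store[cookie] = Session(name_id, now, expires_at)
    return store[cookie]

def needs_reauth(s: Session, now: datetime, idle_timeout: timedelta) -> bool:
    # True when the app must send a fresh AuthnRequest to the IdP before serving
    # the request: the hard bound has passed or the user has been idle too long.
    return now >= s.expires_at or now - s.last_activity >= idle_timeout

def demo() -> tuple:
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    store = {"c1": Session("bob@example.com", now, now + timedelta(hours=8))}
    s = sign_in(store, "c1", SAMPLE_ASSERTION, now, timedelta(hours=8))
    idle = timedelta(hours=1)  # per-account idle timeout
    return (store["c1"].name_id, s.expires_at.hour,
            needs_reauth(s, now + timedelta(minutes=30), idle),  # still active
            needs_reauth(s, now + timedelta(hours=2), idle),  # idle too long
            needs_reauth(s, now + timedelta(hours=8), timedelta(days=1)))  # bound hit
```

In a real app, `last_activity` is refreshed on each request and a `True` from `needs_reauth` turns into a redirect to the identity provider rather than an error.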

FAQs
  • How can I test my SAML implementation?

    You can test your application’s SAML implementation by using the generic OneLogin SAML Test app. To add it to your account, go to Apps > Add App > Find Applications.

    For information about how to use it, see How to Use the OneLogin SAML Test Connector.

  • Where can I find some sample SAML requests and responses?

    See the Examples on this site.

  • Do the SAML Toolkits work with Active Directory Federation Services?

    Yes, the OneLogin SAML toolkits work with AD FS. Ensure that you select SHA1 instead of SHA256 as the hashing algorithm in AD FS.

  • What is the difference between SAML, OpenID, and OAuth?

    Although there is some overlap, here is a simple way of distinguishing between the three protocols:

    • SAML: Single sign-on for enterprise users

    • OpenID: Single sign-on for consumers

    • OAuth: API authorization between applications

  • Should I use OpenID or SAML as my SSO protocol?

    With Google choosing OpenID as the SSO protocol for their Apps Marketplace, OpenID may seem like the obvious choice. Also, SAML is often criticized for its complexity and OpenID is often praised for its simplicity. But before making a decision, let’s take a high-level look at the differences between the protocols:

    Feature                           OpenID                           SAML
    Service provider-initiated SSO
    Identity provider-initiated SSO
    Identity provider discovery       Configured per user              Configured per account
    Just-in-time provisioning         Via back-channel SReg request    Directly, in the same user SSO request
