Ithura with OneLogin: SSO and SCIM

Connect Ithura to OneLogin so your team signs in with OneLogin, and, on the Enterprise plan, so joiners and leavers sync through SCIM. You add a SAML connector, exchange values with Ithura, and assign your users. This guide focuses on the OneLogin console; the generic SAML guide covers the concepts.

You need workspace admin access (role 20) in Ithura at /{workspace}/settings/sso, and a OneLogin admin who can add apps. Single sign-on is on the Pro plan; SCIM provisioning requires Enterprise.

Keep the Ithura SSO settings page open in a second tab.

The values you will exchange

From Ithura's SSO settings page:

  • ACS URL: https://<api-host>/sso/{workspace}/saml/acs
  • Entity ID (Audience): https://<api-host>/sso/{workspace}/saml/metadata

On Ithura Cloud the API host is api.ithura.com.

1. Add a SAML connector

  1. In the OneLogin admin portal, go to Applications -> Applications and click Add App.
  2. Search for SAML Custom Connector (Advanced) and select it.
  3. Set the display name (for example Ithura), optionally add an icon, and Save.

2. Configure SAML

  1. Open the app's Configuration tab and fill:

    • Audience (EntityID): paste Ithura's Entity ID.
    • ACS (Consumer) URL: paste Ithura's ACS URL.
    • ACS (Consumer) URL Validator: a regex that matches the ACS URL, for example ^https:\/\/api\.ithura\.com\/sso\/{workspace}\/saml\/acs$ (escape the dots and slashes; substitute your host and slug).
    • SAML nameID format: Email.
    • Save.
  2. Open the Parameters tab. Set the NameID value to the user's Email, then add custom parameters with these exact field names (each flagged to include in the SAML assertion):

    Field nameOneLogin value
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressEmail
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givennameFirst Name
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surnameLast Name

    Ithura keys on the email and reads givenname + surname for the name.

  3. Save.

3. Hand OneLogin's metadata to Ithura

  1. On the app's SSO tab, find the Issuer URL (IdP Entity ID), the SAML 2.0 Endpoint (HTTP) (IdP SSO URL), and the X.509 Certificate. OneLogin also publishes an Issuer/metadata URL you can hand over whole.
  2. In Ithura at /{workspace}/settings/sso, select SAML 2.0 and paste the OneLogin metadata into the IdP Metadata XML box, or fill IdP Entity ID, IdP SSO URL, and IdP Signing Certificate from the three values above. Save.
  3. Set the Default role for auto-join and leave Enforce SSO off until a test sign-in works.

4. Assign users and test

  1. In OneLogin, open the app's Users (or assign via roles) and add the people who should sign in. Only assigned users can authenticate.
  2. Test a sign-in: go to https://ithura.com/sign-in, click Sign in with SSO, enter your workspace slug, and complete the OneLogin prompt. Assigned users also see the app on their OneLogin portal (IdP-initiated).
  3. When it works, tick Enforce SSO in Ithura if you want to require it. See Enforcing SSO.

5. SCIM provisioning (Enterprise)

OneLogin can provision users and groups into Ithura through SCIM. This requires the Ithura Enterprise plan and an existing SAML configuration.

  1. In Ithura's SSO settings, open SCIM 2.0 Provisioning, note the SCIM Base URL https://<api-host>/scim/v2/, click Generate token, and copy the bearer token shown once.
  2. In the OneLogin app's Configuration tab, set the SCIM fields:
    • SCIM Base URL: https://<api-host>/scim/v2/
    • SCIM Bearer Token: the Ithura SCIM token.
    • Enable the API Connection / provisioning for the connector and Save.
  3. On the Provisioning tab, enable provisioning and choose whether creates, deactivations, and deletes are applied automatically or after admin approval.
  4. Assign users (and groups, for group push) to provision them.

Provisioning behavior: creating a user adds a workspace membership at the default role (creating the account if needed); a deactivation (active = false) deactivates the membership; a delete removes the membership but keeps the underlying account. Group membership syncs Ithura groups but does not set the workspace role, which comes from the default-role setting. See the Enterprise guide for the full attribute and behavior reference.

Troubleshooting

Sign-in fails with an audience or recipient error. The Audience or ACS URL in OneLogin does not match Ithura's SP values, or the ACS URL Validator regex does not match the real ACS URL. Recopy the values and confirm the validator regex.

The user signs in but has no name. Confirm the givenname and surname parameters are present on the Parameters tab and flagged into the assertion.

SCIM connection fails. The token is wrong, was rotated, or the plan is not Enterprise. Regenerate the token in Ithura and re-paste it.

Certificate rotation. If you roll the OneLogin certificate, re-import the metadata (or re-paste the certificate) in Ithura.