Setting Up Single Sign-On with OneLogin 🔑
By using OneLogin SSO, your users will no longer need to remember an extra password to sign into Haystack, and you can quickly remove their access to Haystack from a centralized control panel.
Because SSO configuration is a technical process, we recommend that your IT team assist with the setup.
Step 1: Create a New SAML Application in OneLogin
Let's get started in your OneLogin Administration panel!
- Navigate to the Applications tab.
- Click Add App in the page header.
- Search for "SAML Custom Connector" and select the one titled SAML Custom Connector (Advanced).
- In the App Info section, give your app a name (we suggest Haystack) and upload an app logo if you'd like.
- If you're still in the implementation phase, you can turn OFF the toggle for Visible in Portal to keep your intranet hidden until launch day. You'll want to turn this on later!
- Next, click on the Configuration tab. Here, you'll fill in a bunch of specific details. Just be sure to replace "subdomain" with your company's Haystack subdomain in each of the URLs. If you have any questions, your Haystack CSM or our support team is happy to help!
Configuration Details
- Audience (EntityID): https://subdomain.haystack.so/api/saml/metadata
- Recipient: https://subdomain.haystack.so/api/saml/acs
- ACS (Consumer) URL Validator: ^https:\/\/subdomain.haystack.so\/api\/saml\/acs$
- ACS (Consumer) URL: https://subdomain.haystack.so/api/saml/acs
- Login URL: https://subdomain.haystack.so/login
- SAML not valid before: 3
- SAML not valid after: 3
- SAML Initiator: OneLogin
- SAML nameID format: Email
- SAML issuer type: Specific
- SAML signature element: Both
- SAML encryption method: AES-256-CBC
- SAML sessionNotOnOrAfter: 1440
For any fields not listed, you can leave them blank!
- After that, head to the SSO tab and fill in these last details:
  - X.509 Certificate: Standard Strength Certificate (2048-bit)
  - SAML Signature Algorithm: SHA-256
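One way to generate and sanity-check the URL fields from the Configuration tab for your own subdomain, as an added example that is not part of Haystack's or OneLogin's documentation. The function names and the sample subdomain `acme` are assumptions, and the generated validator escapes each `.` so that it matches only the literal host, which is stricter than the pattern as listed.

```python
import re

ACS_PATH = "/api/saml/acs"  # path taken from the Configuration Details list

def haystack_saml_urls(subdomain):
    """Return the URL fields for one workspace, with a literal-dot ACS validator."""
    # Assumption: the subdomain is a single lowercase DNS label.
    if not re.fullmatch(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?", subdomain):
        raise ValueError(f"unexpected subdomain: {subdomain!r}")
    base = f"https://{subdomain}.haystack.so"
    acs = base + ACS_PATH
    # Escape "." and "/" so the pattern matches this exact URL and nothing else.
    validator = "^" + acs.replace(".", r"\.").replace("/", r"\/") + "$"
    return {
        "Audience (EntityID)": base + "/api/saml/metadata",
        "Recipient": acs,
        "ACS (Consumer) URL Validator": validator,
        "ACS (Consumer) URL": acs,
        "Login URL": base + "/login",
    }

def validator_problems(pattern, acs_url):
    """List reasons a validator pattern is wrong or looser than the ACS URL."""
    problems = []
    if not (pattern.startswith("^") and pattern.endswith("$")):
        problems.append("not anchored with ^ and $")
    if re.fullmatch(pattern, acs_url) is None:
        problems.append("does not match the ACS URL")
    # An unescaped "." matches any character: swap each dot and re-test.
    for i, ch in enumerate(acs_url):
        if ch == ".":
            variant = acs_url[:i] + "x" + acs_url[i + 1:]
            if re.fullmatch(pattern, variant):
                problems.append(f"'.' at offset {i} of the URL is not escaped")
    if "subdomain" in pattern or "subdomain" in acs_url:
        problems.append('placeholder "subdomain" was not replaced')
    return problems

if __name__ == "__main__":
    urls = haystack_saml_urls("acme")  # "acme" is a constructed sample subdomain
    for field, value in urls.items():
        print(f"{field}: {value}")
    print(validator_problems(urls["ACS (Consumer) URL Validator"],
                             urls["ACS (Consumer) URL"]))
```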
Step 2: Copy the Issuer URL
This is the key that links everything together! While still on the SSO tab, look for the Issuer URL field and copy the text. Keep this text copied to your clipboard—you'll need it in the next step.
Step 3: Complete SSO Setup in Haystack
You're in the home stretch!
Only users with Workspace Admin and Access Control Admin permissions can configure SSO within your workspace. If you're unsure about your permissions, reach out to your platform admins or our team at support@haystackteam.com.
- Click the account dropdown in the top right corner and select Admin Console.
- In the left-hand navigation menu, click User Provision & Login.
- Toggle on Login with SAML.
- Paste the Issuer URL you copied into the IDP metadata URL box.
- If you need to, you can also set your session timeout days.
- Click Save User Login Options at the bottom of the page.
You're all set! Go enjoy that centralized control. 🙌