This topic describes how to configure OneLogin to provide SSO for Kindling using SAML. In addition to SSO, Kindling supports "just-in-time" provisioning from OneLogin: any time a OneLogin user without a Kindling account logs into Kindling, a new account will be created in Kindling.
You perform initial setup in OneLogin and then provide SAML connection details to Kindling support so that they can complete the SSO configuration from their end.
- Go to Apps > Add Apps.
- Search for Kindling App and select it.
On the Add App page - Configuration tab, you can change the Display Name and app icons.
Click Save to add the app and display additional configuration tabs.
On the Configuration tab, enter your Kindling account information.
- Under Location (domain), select the suffix of the URL you use to access your Kindling app (
Enter the Subdomain portion of the URL you use to access your Kindling app.
For example, if you access your Kindling app using
https://theonelogin.kindlingapp.com, enter theonelogin.
- Click Save.
On the Parameters tab, map your Kindling user attributes to OneLogin attributes.
The default mappings are as follows:
| Kindling App Field | OneLogin Value |
| --- | --- |
| Department | -No default- |
| Email Address | |
| First Name | First Name |
| Last Name | Last Name |
| Group Affiliations | -No default- |
| Location | -No default- |
| NameID (Subject) | UID |
Click the parameter row to open an editor that lets you select alternate values. Note that -No default- means that OneLogin does not pass a value to the app in the SAML assertion: the user attribute is supplied by the app.
Kindling has a feature called Smart Group that enables you to turn groups that are passed with a user's SAML assertion into Kindling Groups. If you want to use this feature, set Group Affiliations on this tab to MemberOf. OneLogin will pass the user's AD or LDAP groups to Kindling. Smart Groups require Kindling administrative configuration. For more information, see the Kindling App documentation. For information about passing OneLogin values to Location and Department attributes, contact Kindling support.
- On the Access tab, assign the OneLogin roles that should have access to the Kindling App and provide any app security policy that you want to apply to the Kindling App.
On the SSO tab, copy the following SAML connection details so that you can provide them to Kindling support to enable the SAML integration.
- X.509 Certificate: To copy the certificate, click View Details and click the Copy icon above the certificate. You can change the certificate by clicking Change.
- SAML Issuer URL: this is the SAML metadata URL.
- SAML2.0 Endpoint (HTTP): this is the SAML login endpoint.
- SLO Endpoint (HTTP): this is the SAML logout endpoint. If you use this endpoint, the user is logged out of both the Kindling app and OneLogin. If instead you want the user to stay logged into OneLogin and return to the Kindling login page, you do not need to provide this endpoint. To return the user to the OneLogin portal (App Home) when they log out of the Kindling app, replace this endpoint with the URL
Contact Kindling support at firstname.lastname@example.org and provide them with the information that you copied in the previous step.
Once Kindling support has completed the SAML integration from their end, OneLogin and Kindling should be connected through SAML.
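Once the connection is live, it is worth checking which attributes an assertion actually releases to Kindling, especially after setting Group Affiliations to MemberOf. The following is an added example, not OneLogin or Kindling code: it reviews a decoded assertion against the Parameters tab fields. It assumes the SAML attribute names equal the Kindling field names, and the sample assertion is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Kindling fields from the Parameters tab. Using them as the SAML Attribute
# names is an assumption; confirm the real names in a captured assertion.
KINDLING_FIELDS = ["Department", "Email Address", "First Name", "Last Name",
                   "Group Affiliations", "Location"]

# Constructed sample assertion (unsigned, illustrative values only).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="First Name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Last Name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email Address"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Department"><saml:AttributeValue/></saml:Attribute>
    <saml:Attribute Name="Group Affiliations">
      <saml:AttributeValue>Ideas-Admins</saml:AttributeValue>
      <saml:AttributeValue>Engineering</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def released_attributes(assertion_xml):
    """Return (NameID, {attribute name: [non-empty values]}).

    Inspection only: this does not verify the assertion signature, so use it
    on assertions captured from your own login, not as an authentication check.
    """
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [v.text for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return name_id, attrs

def review(assertion_xml):
    """Split the Kindling fields into passed and not passed (-No default-)."""
    name_id, attrs = released_attributes(assertion_xml)
    return {
        "name_id": name_id,
        "passed": {f: attrs[f] for f in KINDLING_FIELDS if attrs.get(f)},
        "not_passed": [f for f in KINDLING_FIELDS if not attrs.get(f)],
        "unexpected": sorted(set(attrs) - set(KINDLING_FIELDS)),
    }
```

An attribute that is present but empty is reported under `not_passed`, and anything outside the mapped fields shows up under `unexpected`.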