Configuring SAML with One Login

1. Create a SAML app in OneLogin

1. Go to https://mycompany.onelogin.com/apps/find (replace "mycompany" with your company's OneLogin ID).
2. Type "saml" in the search field and select SAML Custom Connector (Advanced), which uses the SAML 2.0 version. Click "Save".
3. Under the "Configuration" tab, set the following properties (replacing https://sourcegraph.example.com with your Sourcegraph URL):
   • Audience: https://sourcegraph.example.com/.auth/saml/metadata
   • Recipient: https://sourcegraph.example.com/.auth/saml/acs
   • ACS (Consumer) URL Validator: https://sourcegraph\\.example\\.com\\/\\.auth\\/saml\\/acs
     (This is regular expression that matches the URL https://sourcegraph.example.com/.auth/saml/acs)
   • ACS (Consumer) URL: https://sourcegraph.example.com/.auth/saml/acs
4. Under the "Parameters" tab, ensure the following parameters exist:
   
   • Email (NameID): Email
   • DisplayName: First Name Include in SAML Assertion: ✓
   • login: AD user name Include in SAML Assertion: ✓
5. Save the app in OneLogin.
6. Find the Issuer URL in the OneLogin app configuration page, under the "SSO" tab, under "Issuer URL". It should look something like https://mycompany.onelogin.com/saml/metadata/123456 or https://app.onelogin.com/saml/metadata/123456. Record this for the next section.

2. Add the SAML auth provider to Sourcegraph site config

Add a SAML auth provider with identityProviderMetadataURL set to the Issuer URL recorded from the previous section. Here is an example:

{
 // ...
 "externalURL": "https://sourcegraph.example.com",
 "auth.providers": [
   {
     "type": "saml",
     "configID": "onelogin",
     "identityProviderMetadataURL": "<issuer URL>"
   }
 ]
}