
Celonis Product Documentation

OneLogin: Setting up SSO via SAML

This article describes how you can set up SSO to EMS via SAML with OneLogin.

Setup with OneLogin App for Celonis

Also useful

Celonis now offers a dedicated app in the OneLogin App directory which enables admins to configure a SAML setup with their Celonis EMS team with just a few clicks.

Alternatively, if admins don't wish to use the preconfigured app from OneLogin, the approach described in the sections below can be followed.

  1. As a OneLogin admin, go to https://{tenant}.onelogin.com/apps/find and search for "Celonis".

  2. Choose the Celonis App for SAML 2.0.

  3. You will be able to modify the appearance of the application and add an optional description.

  4. Save.

  5. In the configuration:

    1. Define your tenant: This corresponds to your team domain. E.g. if your team URL is https://customer1.eu-1.celonis.cloud, the value you have to enter here is "customer1".

    2. Define your realm: in the example above, the realm of your team is "eu-1".

    3. Click Save.

    4. Download the IdP MetaData file (available under "More Actions") and upload this in the settings of your team.

How to configure SAML without using the OneLogin App provided for Celonis
  1. Log in to OneLogin and open the Administration page.

  2. Go to "Apps" > "Add Apps".

  3. Search for "saml" and pick "SAML Test Connector (IdP w/attr)".

  4. Make initial configuration (name/icon) and save it.

  5. Go to the "Configuration" tab of the new app and set the following parameters:

    1. Audience = [customer].[realm].celonis.cloud → e.g. customer1.eu-1.celonis.cloud

    2. Recipient = https://[customer].[realm].celonis.cloud/api/auth-handler/saml/callback?client_name=SAML2Client → e.g. https://customer1.eu-1.celonis.cloud/api/auth-handler/saml/callback?client_name=SAML2Client

    3. ACS (Consumer) URL Validator = .*

    4. ACS (Consumer) URL = https://[customer].[realm].celonis.cloud/api/auth-handler/saml/callback?client_name=SAML2Client → e.g. https://customer1.eu-1.celonis.cloud/api/auth-handler/saml/callback?client_name=SAML2Client

  6. Save changes.

  7. Go to the "Parameters" tab and expose the "email" assertion (see the section below).

  8. Go to Users > All Users.

  9. Find a user you want to be able to log in via the newly created app and open this user.

  10. Go to the Applications tab and add the newly created app.

  11. Save changes.

  12. Go back to the app settings and download a metadata file from More Actions > SAML Metadata.

  13. Upload this file in the team settings; this completes the configuration.
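As an added example (not from the Celonis documentation), a small Python helper that derives the Configuration-tab values from a customer and realm, sanity-checks them before the metadata upload, and compares the wildcard ACS (Consumer) URL Validator from step 5.3 with an assumed anchored alternative that admits only the team's own callback URL. Treating the validator field as a whole-string regex match is an assumption of this example.

```python
import re
from urllib.parse import urlsplit

CALLBACK_PATH = "/api/auth-handler/saml/callback"
CLIENT_NAME = "SAML2Client"

def sp_settings(customer: str, realm: str) -> dict:
    """Derive the Configuration-tab values from the customer and realm names,
    following the [customer].[realm].celonis.cloud template in the steps above."""
    host = f"{customer}.{realm}.celonis.cloud"
    callback = f"https://{host}{CALLBACK_PATH}?client_name={CLIENT_NAME}"
    return {"audience": host, "recipient": callback, "acs_url": callback}

def strict_acs_validator(customer: str, realm: str) -> str:
    """Anchored regex that admits only this team's callback URL; an assumed
    tighter alternative to the wildcard '.*' used in step 5.3."""
    host = re.escape(f"{customer}.{realm}.celonis.cloud")
    return rf"^https://{host}{re.escape(CALLBACK_PATH)}\?client_name={CLIENT_NAME}$"

def validator_accepts(validator: str, acs_url: str) -> bool:
    """Whole-string regex match; treating the OneLogin validator field as a
    full-match regex is an assumption of this example."""
    return re.fullmatch(validator, acs_url) is not None

def check_settings(settings: dict) -> list:
    """Pre-upload sanity checks: Recipient and ACS URL must be HTTPS, on the
    Audience host, with the callback path and client_name query from step 5."""
    problems = []
    for key in ("recipient", "acs_url"):
        parts = urlsplit(settings[key])
        if parts.scheme != "https":
            problems.append(f"{key}: scheme must be https")
        if parts.hostname != settings["audience"]:
            problems.append(f"{key}: host does not match audience")
        if parts.path != CALLBACK_PATH:
            problems.append(f"{key}: unexpected path {parts.path}")
        if parts.query != f"client_name={CLIENT_NAME}":
            problems.append(f"{key}: unexpected query {parts.query}")
    return problems

if __name__ == "__main__":
    settings = sp_settings("customer1", "eu-1")  # constructed sample team
    print(settings, check_settings(settings))
    strict = strict_acs_validator("customer1", "eu-1")
    print(validator_accepts(".*", "https://other.example/acs"),     # True: wildcard admits any URL
          validator_accepts(strict, "https://other.example/acs"))  # False: anchored regex rejects it
```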

How to expose the user's email for SSO via SAML on OneLogin
  1. Log in to OneLogin and go to the Administration section.

  2. Go to Apps > Company Apps.

  3. Select an app from the list.

  4. Go to the Parameters tab and press Add parameter.

  5. In the pop-up dialog, set the name to "email" and check the "Include in SAML assertion" option. Then press Save.

  6. In the next dialog, select Email as value and click Save.

  7. That is it: the user's email is now transmitted to Celonis EMS.