OneLogin SAML SSO Example

The following example shows a successful SAML login and logout (using SLO) to the dashboard test1.statusdashboard.com when using the OneLogin IdP.  The HTTP and SAML details are shown for each step in the process.

LOGIN

1.  Initial request to https://test1.statusdashboard.com results in a redirect to the IdP login page:

HTTP

GET https://statusdashboard.onelogin.com/trust/saml2/http-post/sso/600933?SAMLRequest=fVNNj9owEL3vr0C5Qz7ZggWRKPQDiUIE2R56qYxtFkuJnXomu%2FTf13ag0NWWHBJ5PO%2FNmzeTCdC6asisxaPail%2BtAHzo2edUVwqIv5wGrVFEU5BAFK0FEGRkN%2Fu2IskgIo3RqJmugjew%2BygKIAxKrTrYcjENNutPq82X5fpnMuKjdM%2FTdJiNxqM4YklGeTrO7CkbHxI%2B%2FDDc80NGO%2Bh3YcDyTANL20UKo18kF2Ztq06DHVJsYUHhuNfU8C7l%2BloCtGKpAKlCyxHFj%2F047kejMklJNiRR8qNDLKwxUlH0pY6IDZAwBM%2FNL9wDrUSln6UaMF2HaFrA0FmRhA7Qb7Q7gw4fo2icpn%2FFevs%2BSsWler7v2r5LAvK1LIt%2BsdmVHcns4uZcK2hrYXbCvEgmnrarq1i0HcSDt5KdUsogyD3RxMkl3hOT%2FxcwCW%2FTrsCGOMuXi0JXkv32cfd81qameL8zF5G8f%2FCppFXQCCYPUpzn5ZusKv06N4Kinao1VwS98J%2Fi5%2FUV3C%2BztQLFCXtzXTfUSHBzEyfK8Nzqtd3b9HllN3MrDvnd5WWEuTwbLuznVRvuxiiYrV0aasVrg2eT3iXvVId3ZOcPl%2BvbPzP%2FAw%3D%3D&Signature=BHbpVX1aRxVZyac6Gm2gycUfxiCGROsaQrGMb3OgUv8nEw9N7cEp7P7TIiyMsu2IJPY3Bms%2Bzs3aSRyp5dcomJQxrf0U0T23OY6jsgmV4myLA58SK9sZTRB%2FI7mzXrNo0gYgveYRdj1Od0GHxZq%2FqWtYdpujy8F%2BSU%2BPVPQR0c5rkXS2kATbAFgaI8AGybU6O5TvQ4DVvFE0DeuxM48yOQLHfgDMbILyw0eOPTl4po6xMFu1KryxwnYpwsqq8neFGTInIP82yi7r47we2%2BCIb7m5pwkEHVBqp4hKcVFySLe9mEAZZxTNz9lzX6%2BInDvzlgBPzfzz%2FCQljcWuF%2FoRvw%3D%3D&RelayState=https%3A%2F%2Ftest1.statusdashboard.com&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1 HTTP/1.1
Host: statusdashboard.onelogin.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://statusdashboard.onelogin.com/login

SAML

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="ONELOGIN_28d83bd335489810c24ad39448949f2d575bdf4a"
                    Version="2.0"
                    ProviderName="StatusDashboard"
                    IssueInstant="2016-11-08T23:45:02Z"
                    Destination="https://statusdashboard.onelogin.com/trust/saml2/http-post/sso/600933"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    AssertionConsumerServiceURL="https://test1.statusdashboard.com/acs"
                    >
    <saml:Issuer>test1.statusdashboard.com</saml:Issuer>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
                        AllowCreate="true"
                        />
    <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

2.  Once login credentials are entered, the browser POSTs to the assertion consumer service on the dashboard page:

HTTP

POST https://test1.statusdashboard.com/acs HTTP/1.1
Host: test1.statusdashboard.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://statusdashboard.onelogin.com/trust/saml2/http-post/sso/600933?SAMLRequest=fVNNj9owEL3vr0C5Q76AZS2IRKEfSBQiSHvopTLOZLGU2Klnssv%2B%2B9oJFLpq8SFRxvPevHkzmSKvyprNGzqqHfxqAOmhZ8%2BpKhWy9nLmNUYxzVEiU7wCZCTYfv51zaJBwGqjSQtdeu9g91EcEQxJrTrYajnztpuP6%2B3n1eZndBBFfhjmcc7DCDhMxuIpGD2G49FwFHIIJmJYRBMRdtDvYNDyzDxL20VSo19kDmZjq868PXFqcMnxeNDc5F3K9bFCbGClkLgiyxGE434Y9oNJFsVs9Mji6EeHWFpjpOLUljoS1ch8H1vu%2FMI90ApK%2FSzVQOjKJ9Mg%2Bc6KyHeAfq3dN2p%2FHARPcfxHbGvfB6lyqZ7vu3bokpB9ybK0n273WUcyv7i50AqbCswezIsU8G23vool20E4eC%2FZKeUCvaQlmjq5rPXEJP8FTP3btCuwZs7y1TLVpRRvbdydT9pUnO535iIy7xdtKmsU1iBkIeE8r7bJstSvCwOc7FStueD1%2FL%2BKn9cX8naZrRUEJ%2BotdFVzI9HNDU5c0LnVa7u36YvSbuYOiuTu8gomXJ4Np%2Fb1qk3uxgjC1s4Mt%2BK1obNJ%2FyTvVPt3ZCcPl%2BvbPzP5DQ%3D%3D&Signature=QGv5Mp8WixtqetevHloEVkS5eRwhcefqVETJIYUmMYdsmRaitJ%2BrQ%2FsVjpLIZJ2EeKwiGshaoJlUssNqFHv2m713FQvTfJSYwNP3Yw7NPj4d8%2BTL7t9KEjo6kjeFMM52ZG2zrbjMPGvfWSVZhsib0NOGRYP9olQPZjo33slqdrYPOi3kIxYvZkSpNl2CUpTuQHGNUa%2Br1hPquyn7ymqWcmSiSosJevs%2F%2FEVHkkSw7NpeqFu7WP%2F5I%2BXNXC%2BaEHnsCKOFTGhuM%2BlIs2kJNqG0qmVg7FoPFJdEyBIckBxINRnwM32jbwnaDfWlNFDJHgxvREQLK3%2FjlYXB60caC9QP1w%3D%3D&RelayState=https%3A%2F%2Ftest1.statusdashboard.com&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1
Cookie: csrftoken=hlNQ6qRpqJcUjZEmiTksNprl7xz2kFbC
DNT: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 6546

SAML

<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                ID="pfx803b378a-a0b2-d052-72c1-249f58fb15bc"
                Version="2.0"
                IssueInstant="2016-11-08T23:57:47Z"
                Destination="https://test1.statusdashboard.com/acs"
                InResponseTo="ONELOGIN_2bcfdb4d3da12eae86c9057165451ae08c4f28c1"
                >
    <saml:Issuer>https://app.onelogin.com/saml/metadata/600933</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#pfx803b378a-a0b2-d052-72c1-249f58fb15bc">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>8rTqYNaAahbZ1mRs1uk9poyy0pU=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>kUalChuUgODIK30RroSoeM+pRGJgTGlojPRR4YNpo4uCuXVQAtvD+zaKDAK07z1B47amdrK3EWPk/mTaZda28j+MpqFtVZzbhFlY74NwbvcWUhFfkTQkeNeJq90xF7akHxTyMv9M7QDYPIjUydGhz2RP1PYYYxyZZFZCCyHUc+s=</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>MIIDJzCCApCgAwIBAgIUOTh1OT5Kz0CZRIg4lKDfNA0SgDQwDQYJKoZIhvcNAQEFBQAwXzELMAkGA1UEBhMCVVMxGDAWBgNVBAoMD1N0YXR1c0Rhc2hib2FyZDEVMBMGA1UECwwMT25lTG9naW4gSWRQMR8wHQYDVQQDDBZPbmVMb2dpbiBBY2NvdW50IDY1Mjk1MB4XDTE1MDYxNzIzMTM1MVoXDTIwMDYxODIzMTM1MVowXzELMAkGA1UEBhMCVVMxGDAWBgNVBAoMD1N0YXR1c0Rhc2hib2FyZDEVMBMGA1UECwwMT25lTG9naW4gSWRQMR8wHQYDVQQDDBZPbmVMb2dpbiBBY2NvdW50IDY1Mjk1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIqspYxb5Ut6GQOnBsJGz1+9q+C1RSEczEx/rc9emV0KUbF89gpTQjRXgQjR8ECXRuXOiym2WcFTy0Z9pbKTOqJtj1M8Q1vL0kqGJWOkyRNb0ZW4WlAAm3yfmaw4ppp/aHcl7t8FZ5DA+bzz104+wcwC45K0DXWIWNL8jNPwcOZwIDAQABo4HfMIHcMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFMosLRvb4BMpPBgLrFyaRPUBCoOZMIGcBgNVHSMEgZQwgZGAFMosLRvb4BMpPBgLrFyaRPUBCoOZoWOkYTBfMQswCQYDVQQGEwJVUzEYMBYGA1UECgwPU3RhdHVzRGFzaGJvYXJkMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxHzAdBgNVBAMMFk9uZUxvZ2luIEFjY291bnQgNjUyOTWCFDk4dTk+Ss9AmUSIOJSg3zQNEoA0MA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQUFAAOBgQAoi9abo+dA5OAwjtEe7a/ASMp55LAp5Z83QTsIK0p3L7r0upluhxTxSj2vEFAtEdMvvQN7wSzqDP8UQMWRNcwdMdNzRz0KRo2/iwkdhdB1FO9NwjBeTpysnvwwkv4QQxrKc80cZLO9OdDFzYoQmrfEFy+bpqLV+PFx8N071YnXIA==</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    Version="2.0"
                    ID="A412268cdcbb06ec7301c13a88471b36c8ff81ac6"
                    IssueInstant="2016-11-08T23:57:47Z"
                    >
        <saml:Issuer>https://app.onelogin.com/saml/metadata/600933</saml:Issuer>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jon@statusdashboard.com</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData NotOnOrAfter="2016-11-09T00:00:47Z"
                                              Recipient="https://test1.statusdashboard.com/acs"
                                              InResponseTo="ONELOGIN_2bcfdb4d3da12eae86c9057165451ae08c4f28c1"
                                              />
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2016-11-08T23:54:47Z"
                         NotOnOrAfter="2016-11-09T00:00:47Z"
                         >
            <saml:AudienceRestriction>
                <saml:Audience>test1.statusdashboard.com</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2016-11-08T23:57:46Z"
                             SessionNotOnOrAfter="2016-11-09T23:57:47Z"
                             SessionIndex="_120d48b0-883d-0134-5a90-0a0d62b551dd"
                             >
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
            <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                            Name="fName"
                            >
                <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >Jon</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                            Name="lName"
                            >
                <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xsi:type="xs:string"
                                     >Miglioretti</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>

3.  Finally, the browser is redirected to the dashboard home page as an authenticated user.
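The SP-side checks that must pass on the Response in step 2 before the browser is treated as authenticated, as an added example (not StatusDashboard's or OneLogin's code). It assumes the XML signature on the Response has already been verified by the SAML library, and it uses the Response's own InResponseTo value as the outstanding request ID the SP remembers; the embedded XML is a constructed copy of the trace's Response with the signature and attributes trimmed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Constructed sample: the trace's Response with signature and attributes trimmed.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
 Destination="https://test1.statusdashboard.com/acs"
 InResponseTo="ONELOGIN_2bcfdb4d3da12eae86c9057165451ae08c4f28c1">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion Version="2.0" ID="A412268cdcbb06ec7301c13a88471b36c8ff81ac6">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/600933</saml:Issuer>
  <saml:Subject><saml:NameID>jon@statusdashboard.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2016-11-09T00:00:47Z"
     Recipient="https://test1.statusdashboard.com/acs"
     InResponseTo="ONELOGIN_2bcfdb4d3da12eae86c9057165451ae08c4f28c1"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2016-11-08T23:54:47Z" NotOnOrAfter="2016-11-09T00:00:47Z">
   <saml:AudienceRestriction><saml:Audience>test1.statusdashboard.com</saml:Audience>
   </saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion></samlp:Response>"""

def _t(s):  # SAML timestamps are UTC ISO 8601 with a trailing Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml, acs_url, sp_entity_id, idp_issuer, outstanding_ids, now):
    """Return the names of failed checks; an empty list means the assertion may be accepted."""
    r = ET.fromstring(xml)
    a = r.find("saml:Assertion", NS)
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    cond = a.find("saml:Conditions", NS)
    checks = {
        "status": r.find("samlp:Status/samlp:StatusCode", NS).get("Value") == SUCCESS,
        "issuer": a.findtext("saml:Issuer", namespaces=NS) == idp_issuer,
        # Response and bearer confirmation must be addressed to this ACS, not some other SP
        "destination": r.get("Destination") == acs_url and scd.get("Recipient") == acs_url,
        # InResponseTo must name an AuthnRequest this SP issued and has not yet consumed
        "in_response_to": r.get("InResponseTo") in outstanding_ids
                          and scd.get("InResponseTo") == r.get("InResponseTo"),
        "audience": a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                               namespaces=NS) == sp_entity_id,
        # NotBefore is inclusive, NotOnOrAfter exclusive; the bearer data has its own deadline
        "time": _t(cond.get("NotBefore")) <= now < _t(cond.get("NotOnOrAfter"))
                and now < _t(scd.get("NotOnOrAfter")),
    }
    return [name for name, ok in checks.items() if not ok]
```

Once accepted, the SP should remove the request ID from its outstanding set so the same Response cannot be posted to /acs twice within its six-minute validity window.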

LOGOUT

1.  Initial request to https://test1.statusdashboard.com/logout results in a redirect to the IdP single logout endpoint:

HTTP

GET https://statusdashboard.onelogin.com/trust/saml2/http-redirect/slo/600933?SAMLRequest=fZJRT4MwFIXf%2FRUL70ALdGzNIJpMDcnc1BkffFkK7TYSaLG3JPv5FqZuErc%2B3nvOd09vOwNWVw1dqJ1qzav4bAWYm9H3OdSVBNorEqfVkioGJVDJagHUFHR997SggYdoo5VRhaqcf6zXnQxAaFMqebJm88RZLe8Xq8dsuYmjOA4JiVEQML7NJyIYRzgWURyKkBRBmDOCOCbFyf4uNFhe4lj8GRSgFZkEw6SxLYTHLsYumr4hRAmiGH%2BctHO7g1Iy01P2xjRAfd86TQucwT5XTHNPSVGpXSm9QtW%2B0S0Yv7tt4HcGVwtealHYWqX8MULTMHTS3wGzTkn7SDo1dhr2hnhLnfnnsoF5aTeZzUcPStfMXF9xVym5u%2B2ltJXQiKLcloI7o%2FVzx3lpWdUVdOJcDOOkRtW3l1Me8wxSNnQtoHuMTHJxSDc4QDya5MidTELuIhxGLmFT5CKG%2BDjICcGcH3kDZ4%2F96fz5q%2BkX&Signature=LUB%2Bg%2Bg7fI%2Fgo%2BhSJHpo6z%2BjW56%2FAsxwOwNLcTlJYizED5WRHPQAnf4Ri5WN8564vVv7n9L1H3cT9IyVPZkdQkiayjYe488xVFaTcDZdMvUmsCxEEHMMvtmr4AUYvkjDyoT%2BlDK656UM%2F6QfriDMF4pDSUkodYi7LrVVbFRMlDfSeLP9AD%2BPExXXkW%2FxRMGGTXBESVeqQYl8BgzltjBu1KgGfCRb7Sye1hIsWgIdAXyJCkDh0IKHJ7D8ZmrcPRWL7Ii5QPUQcv3OMS9b3Mqy%2FbMfDz0bZS78CG5nXwWgI0kREACZ%2F377QlDVRPZFU%2FyiYbJaDjFHrnJLr29czrzbFQ%3D%3D&RelayState=https%3A%2F%2Ftest1.statusdashboard.com%2Flogout&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1 HTTP/1.1
Host: statusdashboard.onelogin.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://test1.statusdashboard.com/

SAML

<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                     ID="ONELOGIN_74773557022adfb8e26417e473e35c23ba50d15c"
                     Version="2.0"
                     IssueInstant="2016-11-09T00:50:11Z"
                     Destination="https://statusdashboard.onelogin.com/trust/saml2/http-redirect/slo/600933"
                     >
    <saml:Issuer>test1.statusdashboard.com</saml:Issuer>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
                 SPNameQualifier="test1.statusdashboard.com"
                 >jon@statusdashboard.com</saml:NameID>
    <samlp:SessionIndex>_120d48b0-883d-0134-5a90-0a0d62b551dd</samlp:SessionIndex>
</samlp:LogoutRequest>

2.  The IdP redirects the browser to the SLO endpoint on the dashboard, which terminates the session:

HTTP

GET https://test1.statusdashboard.com/sls?SAMLResponse=fVJLb4MwDP4rueVECY8AjQrStE0TUh%2FSWvWwS5UGw5AgQThM279f2m5Tu0Nv%0AtvO9rHiBsu8GsTSNmewr4GA0Ain1b7kzOd2sn5ebl3J9SOM0jThPWRjKqj5m%0AECZxkEKcRhBxFUZHyVkVcEXJHkZsjc5pOGOUlE85PUioJHDOvCyLY48FUewp%0AntUeC1UGtcriNAwcFHGCUqOV2jo2CxIvCDw23zEmeCiC5I2Sz77TKM7BczqN%0AWhiJLQote0Bhldg%2BrJbCGYthNNYo09FicUKLs%2Fh4xb9Pl4gwWrcGLd6tHVD4%0AvhyGmdHQmabVM2V6%2F6Ti92BlJa30E8bmUbTwr9wu1oPYWmknvO0eTQVkL7sJ%0A7gfBM1psJ6UAkfq3Kis3kw0UP8%2F11HVfxCVsoCLuU0k9mp64TT5aBeSS7T%2F1%0AdvrX3l5F8Q0%3D%0A&RelayState=https%3A%2F%2Ftest1.statusdashboard.com%2Flogout HTTP/1.1
Host: test1.statusdashboard.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://test1.statusdashboard.com/

SAML

<samlp:LogoutResponse InResponseTo="ONELOGIN_74773557022adfb8e26417e473e35c23ba50d15c"
                      Version="2.0"
                      ID="_aedae550-8844-0134-c58f-02c8efc84721"
                      IssueInstant="2016-11-09T00:52:16Z"
                      xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                      >
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://app.onelogin.com/saml/metadata/600933</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
        <samlp:StatusMessage>Successfully logged out from service </samlp:StatusMessage>
    </samlp:Status>
</samlp:LogoutResponse>
