Skip to main content

Set up Single Sign-On with OneLogin

Step-by-step guide on how to set up the Single sign-on integration with OneLogin.

Updated over 10 months ago

Skip to:

This is a step-by-step guide on how to set up the Single sign-on integration with OneLogin. Integrating with OneLogin takes the following four steps:

  • Add PandaDoc as an application in OneLogin

  • Configure OneLogin data in PandaDoc

Note: To learn more about SSO in PandaDoc, click here.

Adding PandaDoc as an application in OneLogin

Sign into your OneLogin domain at <yourorganization>.onelogin.com, select 'Applications' > 'Applications' and then choose ‘Add apps’ at the top right. Select "SAML Test Connector (Advanced)" application. Set application name, e.g. “PandaDoc” and select “Save” to proceed to profile settings.

Configuring OneLogin in PandaDoc

You'll be prompted to the application settings. From here:

  1. Switch to the Configuration tab

  2. Fill out the following fields:
    - ACS (Consumer) URL Validator: .*
    - ACS (Consumer) URL: https://app.pandadoc.com/sso-acs/

  3. Click Save

  4. Go to the Parameters tab and select the plus button at the top right to add a parameter. By default, the first parameter is NameID with its value set to Email.

  5. Add a parameter named FirstName, select the Include in SAML assertion checkbox, and click Save.

  6. Next, we will assign a value for the created field. Click on the Value dropdown, select First Name, and click on Save

  7. Similarly, we’ll add three more attributes. Add LastName and select Last Name as the value, add email, and select Email as the value. Finally, add a Workspace attribute and select Macro with "Default" as the value. Your attribute list will look as follows:

  8. Finally, Save.

Using Rules to Provision Users to Roles and Groups

To dynamically provision OneLogin users to specific workspaces in your PandaDoc account or assign them to specific roles based on their user groups or roles in OneLogin, follow these steps:

  1. Create Workspace attribute: Define a Workspace attribute and set it to Macro with the default workspace to which users should be assigned.

  2. Create Role attribute: Set the Role attribute to Member.

  3. Use Provisioning Rules: Implement provisioning rules to assign specific sets of OneLogin users to the Administrator or Manager roles based on their attributes.

You can define rules to provision subsets of your OneLogin users into PandaDoc roles and groups. For example, you can define a subset of users by filtering on a specific OneLogin user attribute value and then define an action that provisions the subset of users to a specific PandaDoc role or workspace.

  1. Go to the Rules tab

  2. Click Add rule to open the New Mapping dialog, where you can set the conditions and actions that determine which users will be provisioned from OneLogin to a specific PandaDoc role or workspace

  3. Give your rule a name

  4. In the Conditions area, click + to add a condition. Use the fields to define a condition that defines a subset of users to be acted upon by the rule. Conditions are based on OneLogin user attribute values

  5. In the Actions area, click + to add an action. Use the fields to define the action that will be performed on users by the rule.

  6. Click Save

  7. To add another provisioning rule, click Add rule

  8. The order in which rules are applied matters and can impact provisioning results. Drag and drop the rule rows to put them in the order that produces the correct results

  9. Click Show Affected Users to see which users will be affected by the provisioning rule as configured. Review the list to ensure that only intended users are listed

  10. Click Save

  11. Go to the More Actions menu and click Reapply Provisioning Mappings to apply the new rule.

Warning: You must reapply mappings any time you create or update rules!

Assigning PandaDoc Application to Users in OneLogin

After completing the configurations for PandaDoc, you need to ensure that users are assigned to the PandaDoc application. OneLogin provides various ways to assign users, for testing purposes we can assign a single user under Users > All Users > [click on user name] > Applications tab. Click the '+' sign to assign your testing user to the PandaDoc application. Additional information about assigning users to applications in OneLogin can be found in Assigning Apps to Users.

Testing SSO in PandaDoc

  • Log out of PandaDoc (click on avatar picture and choose “Log out”)

  • Open your PandaDoc URL in the browser - https://app.pandadoc.com/sso-login/

  • Log in with your PandaDoc account domain email.

Try out Just-in-time provisioning

Users can log in with the domain email that is not associated with a PandaDoc account through Just-in-Time provisioning. In this case, the user will be added to your PandaDoc workspace under the domain email.

Did this answer your question?