The OneLogin integration enables biometric passwordless authentication to OneLogin accounts via SAML 2.0 using the 1Kosmos mobile app.
Integration type
Auth/IDP
Overview
1Kosmos integrates with OneLogin as a SAML 2.0 identity provider, allowing users to log into their OneLogin account with passwordless authentication via the 1Kosmos mobile app. Biometric options include Touch ID, Face ID, and liveness-checked LiveID.
What we solve
OneLogin deployments that rely on passwords remain vulnerable to phishing and credential reuse, and traditional MFA can still be bypassed through social engineering. This integration enables passwordless biometric sign-in to OneLogin via 1Kosmos SAML federation, increasing assurance while reducing user friction.
This configuration establishes 1Kosmos as a Trusted IdP within OneLogin, with SAML assertions passed from 1Kosmos upon successful biometric verification.
Once configured, users see the 1Kosmos login option on the OneLogin login screen and are redirected to AdminX for biometric authentication before being returned to OneLogin with an authenticated session.
Prerequisites
Active 1Kosmos tenant: Community or tenant administrator access to the AdminX portal. Contact 1kosmos.com/contact if your tenant is not yet provisioned.
OneLogin administrator access: Admin rights to the OneLogin portal, including access to Authentication → Trusted IdPs.
1Kosmos mobile app installed: Users must have the 1Kosmos mobile app installed on iOS or Android and have completed biometric enrollment before testing.
Configuration values
Values to collect from AdminX (IdP) before configuring OneLogin:
Values to collect from OneLogin (SP) after creating the Trusted IdP:
Integration steps
Step 1: Collect IdP values from AdminX
Log in to the 1Kosmos AdminX portal as a tenant or community administrator. Navigate to Settings → IdP Configuration. Note the IdP Name. Click View Certificate and copy the Signing Certificate public key. Download the Encryption Certificate. Copy both the Single SignOn Service URL and Single Logout Service URL from the Service URL End Points section.
Step 2: Create a Trusted IdP in OneLogin
In the OneLogin portal, navigate to Authentication → Trusted IdPs and click New Trust. Enter a name and click the green checkmark to save. Scroll to Trusted IdP Certificate and paste the Signing Certificate public key copied from AdminX.
Step 3: Configure the Trusted IdP settings
Return to the top of the Trusted IdP page and configure the following:
Enable/Disable: select Enable Trusted IDP.
Login Options: select Show in Login panel and enter an icon URL (e.g., https://www.1kosmos.com/favicon.ico).
Configurations: enter the IdP Name from AdminX as the Issuer, select Sign users into OneLogin, and select Sign users into additional applications.
User Attribute: set User Attribute Mapping to Email.
SAML Configurations: enter the Single SignOn Service URL as the IdP Login URL and the Single Logout Service URL as the IdP Logout URL. Copy the SP Entity ID and SP Logout URL for use in AdminX. Under X.509 Certificate, select Standard Strength Certificate (2048-bit), click View Details, and download the certificate.
Click Save.
Step 4: Add OneLogin as a SAML application in AdminX
Return to the AdminX portal and navigate to Applications → Add Application. Scroll to the Custom App section, locate SAML 2.0 Generic, and click Add integration. Click Add application to continue.
Step 5: Basic settings
Enter an application name (e.g., "OneLogin"), set the instance to Production, and enter your OneLogin access URL as the Application Access URL (e.g., https://.onelogin.com/portal). Click Next.
Step 6: SAML settings
Configure the Assertion Statement (NameID) with Format set to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified and Value set to email. Add the following claims mappings:
Attribute | Format |
|---|---|
Click Next.
Step 7: Advanced options
Enter the SP Entity ID copied from OneLogin. In the Assertion Consumer Service section, set Method to POST and enter the ACS URL (https://.onelogin.com/access/idp). Enable the Assertion signing option. Upload the X.509 certificate downloaded from OneLogin and set the Signing Algorithm to RSA-SHA256. Click Save.
Step 8: Test the integration
Log out of the OneLogin portal completely. Navigate to your OneLogin tenant login page. The 1Kosmos icon should appear as a login option. Click it to be redirected to the AdminX portal. Authenticate with 1Kosmos and confirm you are returned to OneLogin as an authenticated user.
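A check that can accompany Step 8, added here as an example (it is not 1Kosmos or OneLogin code): it decodes a SAMLResponse captured from the browser's POST to the ACS URL and compares it with the values configured in Steps 3, 6 and 7. The tenant name `example`, the IdP Name `example-idp`, the sample response and the helper names are constructed assumptions; the script inspects fields only and does not verify the signature cryptographically.

```python
import base64
import xml.etree.ElementTree as ET  # use defusedxml if the input is not your own capture

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"  # Step 6
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"         # Step 7

# Constructed sample response; issuer, tenant and user are placeholders.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="https://example.onelogin.com/access/idp">
<saml:Assertion><saml:Issuer>example-idp</saml:Issuer>
<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{alg}"/>
</ds:SignedInfo></ds:Signature>
<saml:Subject><saml:NameID Format="{fmt}">user@example.com</saml:NameID>
</saml:Subject></saml:Assertion></samlp:Response>"""


def encode_sample(alg=RSA_SHA256, fmt=NAMEID_FORMAT):
    """Base64-encode the constructed response, as it appears in the POST body."""
    return base64.b64encode(SAMPLE.format(alg=alg, fmt=fmt).encode())


def check_response(b64_response, idp_name, acs_url):
    """Return the mismatches between a captured SAMLResponse and the settings."""
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no unencrypted Assertion in response"]
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination is not the ACS URL")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer.strip() != idp_name:
        problems.append("Issuer does not match the IdP Name")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != NAMEID_FORMAT:
        problems.append("NameID format is not 'unspecified'")
    method = assertion.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None:
        problems.append("assertion is not signed")
    elif method.get("Algorithm") != RSA_SHA256:
        problems.append("signature algorithm is not RSA-SHA256")
    return problems


if __name__ == "__main__":
    acs = "https://example.onelogin.com/access/idp"
    print(check_response(encode_sample(), "example-idp", acs))
```

An empty list means the captured response matches the configured Issuer, ACS URL, NameID format and signing algorithm; any entry names the setting to recheck.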
Attribute mappings
Source (1Kosmos) | Target (OneLogin) | Description |
|---|---|---|
| | | Primary SSO identifier |
| | | User first name |
| | | User last name |
Integration notes
OneLogin's Trusted IdP configuration requires the Signing Certificate to be pasted as a raw PEM public key, not the full certificate file.
If the Trusted IdP does not appear on the login screen after configuration, confirm that Show in Login panel is enabled and that an accessible icon URL has been entered in the Login Options section.
For organizations also using OneLogin to federate access to downstream applications, the Sign users into additional applications option ensures that a 1Kosmos-authenticated session propagates to those applications without a second login prompt.

