0
votes

I have multiple sub-domains listed in a SaaS app. The app provides options to configure SSO with Onelogin; however, it only provides the option to enter one SAML endpoint (to which users will be redirected) and one certificate.

In this specific case with Onelogin, the certificate is the same across the different apps that are set up at Onelogin; however, each app has a different SAML endpoint. This makes it impossible to configure SSO with multiple sub-domains of the SAML app.

I tried using SAML Connectors (Advanced) in Onelogin; however, when multiple connectors are set up, each still has a different SAML endpoint.

Any help in configuring an app in Onelogin using the same SAML endpoint would be very helpful.

2 Answers

0
votes

You're at the mercy of your SP here. If it only supports one IdP, then there's nothing you can put in place in Onelogin to mitigate that. To extend @todaynowork's answer above, the RelayState parameter might be of use to you but your SP will need to support it. The RelayState parameter allows the SAML request to include the resource your user was initially requesting. When the SAML response is verified at the ACS URL, you can then use the RelayState parameter to redirect the user to their requested resource across any of the subdomains. Assuming your SP side sessions are consistent across all subdomains, that could work for you.

0
votes

Suggest you use SP-initiated SSO. That supports deep links. Deep link means you can pass the return URL while you do the auth request. After a successful login, it will return to the 'return url' you passed.
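Both answers rely on the SP carrying the user's requested URL through the SAML flow (as RelayState, or as the deep-link return URL). The following is an added example, not code from either answer or from Onelogin, of how an SP can do that without turning the post-login redirect into an open redirect: the requested URL is checked against the SP's own subdomains, kept server-side, and only an opaque one-time token travels as RelayState. The parent domain and the default landing page are constructed placeholders.

```python
import secrets
from urllib.parse import urlsplit

PARENT_DOMAIN = "example.com"                 # constructed: the SP's parent domain
DEFAULT_LANDING = "https://www.example.com/"  # constructed: fallback after login


def is_allowed_relay_target(url: str, parent_domain: str = PARENT_DOMAIN) -> bool:
    """Accept only absolute https URLs on the parent domain or one of its subdomains.

    Rejects scheme-relative URLs, http, and userinfo tricks such as
    https://app.example.com@evil.test/ (hostname there is evil.test).
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    host = (parts.hostname or "").lower()
    if host == parent_domain:
        return True
    # "evilexample.com" and "example.com.evil.test" both fail this check
    return host.endswith("." + parent_domain)


class RelayStateStore:
    """Server-side map from opaque token to requested URL.

    SAML 2.0 bindings cap RelayState at 80 bytes and the value round-trips
    through the IdP and the user's browser, so the SP stores the URL itself
    and sends only a random token. In production this would live in a shared
    cache so every subdomain's ACS can resolve it (assumption: in-memory dict).
    """

    def __init__(self):
        self._pending = {}

    def issue(self, requested_url: str) -> str:
        # Validate at issue time so a bad deep link never enters the store.
        target = requested_url if is_allowed_relay_target(requested_url) else DEFAULT_LANDING
        token = secrets.token_urlsafe(32)  # 43 chars, within the 80-byte limit
        self._pending[token] = target
        return token

    def resolve(self, relay_state) -> str:
        # Called at the ACS after the SAML response itself has been verified.
        # One-time use: pop so a replayed RelayState cannot steer a later login.
        target = self._pending.pop(relay_state, None) if relay_state else None
        # Re-check on the way out in case the allowlist changed since issue time.
        return target if target and is_allowed_relay_target(target) else DEFAULT_LANDING
```

The redirect to the resolved URL only works across subdomains if, as the first answer notes, the SP's session is shared across them (for example a cookie scoped to the parent domain).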