Set up single sign-on

Set up single sign-on with SAML

After you've enabled SAML (by building a SAML server yourself or by using one of the SAML services), all authentication is handled outside of your MRI OnLocation. This can be paired with our Active Directory Sync feature to automatically add/change/delete users in your OnLocation account.

The only user data that is stored in OnLocation is the user name and email address. However, you can also choose to sync the following user data: phone, location, given name, surname, and role. You do this by adding these attributes to your SAML assertion code.

How SAML for OnLocation works

SAML for OnLocation works the way SAML does with all other service providers. The typical use case is that your users belong to a corporation and all user authentication is managed by your corporate authentication system (for example, Active Directory or LDAP), which is referred to generically as an identity provider (IdP).

The service provider (SP) establishes a trust relationship with IdP and allows that external IdP to authenticate users and then seamlessly log them into OnLocation. In other words, a user logs in at work and then has automatic access to the many other corporate applications such as email, your CRM, and so on without having to log in separately to those services. Aside from the convenience, this provides to users, all user authentication is handled internally by a system that you have complete control over.

After you've enabled SAML as the type of single sign-on (SSO) for your OnLocation, users who visit your OnLocation and attempt to log in are redirected to your SAML server for authentication. Your users' identities can be stored either on the SAML server or can be validated by an identity directory such as Microsoft Active Directory or LDAP. Once authenticated, users are redirected back to your OnLocation and automatically logged in.

Configuring your SAML implementation

You have several options when considering a SAML service, including building a SAML server in-house (for example, OpenAM) or choosing a SAML service such as Okta, OneLogin, and PingIdentity.

To set up SAML in your OnLocation, you'll need the following:

  • A SAML server with provisioned users or connected to an identity repository such as Microsoft Active Directory or LDAP
  • The Remote Login URL for your SAML server (sometimes called SAML SSO URL)
  • The SHA1 fingerprint of the SAML certificate from your SAML server

After you have your SAML server properly configured, you use the remote login URL and the SHA1 fingerprint to configure SAML within your OnLocation.

Enabling SAML SSO in OnLocation

With your SAML server configured and the information you need for setting up SAML in OnLocation ready, log in to OnLocation. You will need the IT Support or Account Owner user role to access these settings:

  1. Go to Tools > Account.
  2. Select Employee Access from the left-side menu.
  3. In the Employee Access tab, next Single sign-on with SAML, select Yes.
  4. To enable SAML, fill out the following options:


This is the URL that OnLocation will invoke to redirect users to your Identity Provider.

Remote logout URL

This is the URL that OnLocation will return your users to after they log out.

Certificate Fingerprint

The SHA1 fingerprint of the SAML certificate, obtain from your Identity Provider.