SSO setup — OneLogin (SAML 2.0)
5 min read · Updated 12 May 2026
Step by step
In OneLogin admin: Applications → Applications → Add App. Search for SAML Custom Connector (Advanced), pick it. Name it WBSync. Save.
Paste:
- Audience (EntityID): WBSync's ACS URL
- Recipient: WBSync's ACS URL
- ACS (Consumer) URL Validator:
^https://app\.wbsync\.com/accounts/sso/saml/acs/\d+/$
(escape the dots; adjust the host if you're on a custom domain)
- ACS (Consumer) URL: WBSync's ACS URL
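To check what the validator above actually accepts before pasting it into OneLogin, here is an added example (not WBSync's or OneLogin's code) that compiles the pattern with Python's re module and tries it against a few constructed URLs. The host sso.example-co.com, the UNESCAPED_VALIDATOR comparison pattern and the helper names are assumptions made for the illustration; the validator itself is the one from the step above.

```python
import re

# The ACS (Consumer) URL Validator from the setup step above, exactly as pasted.
ACS_VALIDATOR = re.compile(r"^https://app\.wbsync\.com/accounts/sso/saml/acs/\d+/$")

# Constructed for comparison only: the same pattern with the dots NOT escaped.
# In a regex an unescaped '.' matches any character, so this pattern is looser
# than intended and accepts hosts that merely resemble app.wbsync.com.
UNESCAPED_VALIDATOR = re.compile(r"^https://app.wbsync.com/accounts/sso/saml/acs/\d+/$")


def validator_for_host(host: str) -> "re.Pattern[str]":
    """Build the validator for a custom domain (hypothetical helper).

    re.escape escapes the dots (and any other regex metacharacters) in the host,
    which is the manual step the setup text asks for.
    """
    return re.compile(r"^https://" + re.escape(host) + r"/accounts/sso/saml/acs/\d+/$")


def acs_url_allowed(url: str, pattern: "re.Pattern[str]" = ACS_VALIDATOR) -> bool:
    """True only if the whole URL matches the validator.

    fullmatch is used rather than match: '$' on its own would still accept a
    trailing newline, fullmatch requires the pattern to consume the entire string.
    """
    return pattern.fullmatch(url) is not None


if __name__ == "__main__":
    # Constructed sample URLs: the first is the only one the pasted validator should accept.
    for sample in (
        "https://app.wbsync.com/accounts/sso/saml/acs/42/",
        "https://app.wbsync.com/accounts/sso/saml/acs/42",
        "http://app.wbsync.com/accounts/sso/saml/acs/42/",
        "https://app.wbsync.com.attacker.example/accounts/sso/saml/acs/42/",
        "https://appXwbsyncXcom/accounts/sso/saml/acs/42/",
    ):
        print(f"{acs_url_allowed(sample)!s:5}  {acs_url_allowed(sample, UNESCAPED_VALIDATOR)!s:5}  {sample}")
```

The right-hand column of the printout shows the unescaped variant accepting the look-alike host while the escaped validator does not, which is the reason the step insists on escaping the dots.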
On the Parameters tab, add:
- email → Email
- first_name → First Name
- last_name → Last Name
Make sure all three are flagged Include in SAML assertion.
Open the SSO tab in OneLogin. Copy:
- SAML 2.0 Endpoint (HTTP) → WBSync's IdP SSO URL
- Issuer URL → WBSync's IdP Entity ID
- X.509 Certificate → WBSync's IdP X.509 signing certificate (open View Details, copy the long PEM block)
Set the Email domain in WBSync to your company's domain. Save.
In OneLogin, Users → Assign at least yourself. Then in WBSync click Test connection. Green badge means you're done.
Frequently asked
Can the Owner still sign in if SSO breaks?
Yes. The Owner always retains password fallback at /accounts/login/, even with 'Require SSO for everyone except the Owner' switched on. This is the lockout escape — your IdP can go down and you still get back in to fix it.
What happens to existing users?
Their accounts are preserved. On their first SSO sign-in WBSync binds their IdP subject to the existing user row, so audit history, role and assignments carry over. If 'Require SSO for everyone except the Owner' is on (recommended), existing non-Owner users must be bound deliberately — see the JIT section.
What about new users? Do I have to invite them first?
No. JIT provisioning is on by default: the first time someone with your email domain signs in via the IdP, WBSync creates their account automatically with the role you picked on the SSO settings page (default: Foreman). You can change their role afterwards in the directory.
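To make the three Parameters-tab attributes and the two FAQ answers above (existing users are bound to their row on first SSO sign-in; new users with the configured email domain are JIT-created with the default role) concrete, here is an added example that models those rules on a tiny in-memory directory. It is not WBSync's code: the User and Directory classes, the sso_sign_in function, the constructed assertion XML and the subject values such as onelogin|1 are all assumptions for the illustration. It models the default behaviour only (not the 'Require SSO for everyone except the Owner' mode), and it assumes the assertion's signature has already been verified against the IdP X.509 certificate, since reading attributes from an unverified assertion would let anyone choose their own email.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Hypothetical model of the behaviour described in the FAQ above; not WBSync's code.
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_ATTRS = ("email", "first_name", "last_name")  # Parameters-tab names from the setup


@dataclass
class User:
    email: str
    first_name: str
    last_name: str
    role: str
    idp_subject: Optional[str] = None  # set once the IdP subject is bound to this row


@dataclass
class Directory:
    email_domain: str               # the 'Email domain' setting from the setup
    default_role: str = "Foreman"   # JIT default role named in the FAQ
    users: Dict[str, User] = field(default_factory=dict)


def extract_claims(assertion_xml: str) -> Tuple[Optional[str], Dict[str, str]]:
    """Return (NameID, {attribute name: value}) from an already-verified assertion.

    Assumption: signature verification happened before this point; attributes
    from an unverified assertion must never reach the provisioning logic.
    """
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        value = attr.findtext("saml:AttributeValue", namespaces=SAML_NS)
        attrs[attr.get("Name", "")] = (value or "").strip()
    return name_id, attrs


def sso_sign_in(directory: Directory, assertion_xml: str):
    """Apply the FAQ rules: bind existing users, JIT-create new ones, reject the rest."""
    subject, attrs = extract_claims(assertion_xml)
    # Every Parameters-tab attribute must be flagged 'Include in SAML assertion'.
    missing = [name for name in REQUIRED_ATTRS if not attrs.get(name)]
    if not subject or missing:
        return "rejected", "missing claims: " + (", ".join(missing) or "NameID")
    email = attrs["email"].lower()
    user = directory.users.get(email)
    if user is not None:
        if user.idp_subject is None:
            user.idp_subject = subject   # first SSO sign-in: bind, role and history stay
            return "bound", user
        if user.idp_subject != subject:  # added check: a different subject for a bound row
            return "rejected", "IdP subject does not match the bound subject"
        return "signed_in", user
    domain = email.rsplit("@", 1)[-1]
    if domain != directory.email_domain.lower():
        return "rejected", "domain " + domain + " is not the configured email domain"
    user = User(email, attrs["first_name"], attrs["last_name"], directory.default_role, subject)
    directory.users[email] = user   # JIT provisioning with the default role
    return "created", user


def make_assertion(name_id: str, **attrs: str) -> str:
    """Build a constructed, unsigned assertion for local testing only."""
    values = "".join(
        '<saml:Attribute Name="%s"><saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>'
        % (name, value) for name, value in attrs.items())
    return ('<saml:Assertion xmlns:saml="%s">'
            '<saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject>'
            '<saml:AttributeStatement>%s</saml:AttributeStatement></saml:Assertion>'
            % (SAML_NS["saml"], name_id, values))


if __name__ == "__main__":
    d = Directory(email_domain="example.com")
    d.users["ana@example.com"] = User("ana@example.com", "Ana", "Lee", "Admin")  # pre-existing row
    for assertion in (
        make_assertion("onelogin|1", email="Ana@example.com", first_name="Ana", last_name="Lee"),
        make_assertion("onelogin|2", email="bo@example.com", first_name="Bo", last_name="Kim"),
        make_assertion("onelogin|3", email="eve@other.example", first_name="E", last_name="V"),
        make_assertion("onelogin|4", email="cy@example.com", first_name="Cy"),
    ):
        print(sso_sign_in(d, assertion))
```

The run shows Ana keeping her Admin role while gaining a bound subject, Bo being created as Foreman, and the other two being rejected for a foreign domain and a missing last_name respectively.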
Is the OIDC client secret stored safely?
Yes — secrets are encrypted at rest with Fernet (AES-128-CBC + HMAC-SHA256), using the same key-rotation ceremony as our third-party clock-in integrations. The plain secret is never displayed back to you; paste a new one to rotate.
What does 'Test connection' actually do?
It runs a real round-trip with your IdP, but instead of signing you in it just records the outcome on the settings page. So you can sit in WBSync as the Owner, click the button, and watch the result land — without giving up your current session.