How to configure OneLogin SAML SSO

SAML SSO offers you increased control over how users access Calendly. With SAML SSO, you can require that users log in to Calendly with their OneLogin credentials.

SAML SSO is only available on the Enterprise plan. To learn more about Enterprise, contact your Account Executive or Calendly Sales.

 

Supported features

  • Service Provider Initiated SSO (SP-initiated) : Users can log in to calendly.com, and OneLogin will authenticate the user.

  • Identity Provider Initiated SSO (IdP-initiated): Users can log in to OneLogin and select the Calendly app.

Non-supported features

  • Just-in-Time (JIT) provisioning is not supported. You can provision users via SCIM. 

 

Before you begin…

  • To configure SSO, you must be a Calendly owner or admin.

  • You must use the same email address in Calendly and OneLogin.

  • In OneLogin, you need admin access to create a SAML application.

  • For easier setup, use separate browser windows: one for Calendly and one for OneLogin.

 

1. Navigate to the Calendly SSO Configuration Page

  1. In Calendly, go to Account, Organization Settings, then Single sign-on.

 

2. Add Calendly as an application in OneLogin

  1. Open OneLogin in a separate browser window.

  2. In OneLogin, go to Applications, then Applications.

  3. Select Add App.

  4. Search for Calendly, and select the result with the SAML 2.0 provisioning label. 

  5. Select save.

find_apps.png

 

3. Configure in OneLogin

  1. In OneLogin, select Configuration in the lefthand sidebar.

  2. In the SCIM Base URL field, enter "https://api.calendly.com". You’ll change this value later. This temporary value is necessary to prevent an error when configuring SSO.

  3. Select Save.

 

4. Add identity provider details to Calendly

  1. In OneLogin, select SSO in the lefthand sidebar. You’re going to copy values from the SSO section and add them to Calendly, under Step 1: Enter your identity provider information.

  2. In OneLogin, copy the Issuer URL by selecting the Copy to Clipboard icon. In Calendly, paste the value in Entity ID.

    Copy to Clipboard OneLogin
  3. In OneLogin, copy the SAML 2.0 Endpoint (HTTP), by selecting the Copy to Clipboard icon. In Calendly, paste the value in Identity provider’s SAML HTTP Request URL.

  4. In OneLogin, under X.509 Certificate, right click View Details and select Open link in new tab.

  5. In OneLogin, select Copy to Clipboard to copy the X.509 Certificate value into X.509 certificate for SAML authentication in Calendly. Note: You can include -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- in your selection.

  6. Close the OneLogin certificate tab, and return to the OneLogin SSO tab.

  7. In OneLogin, change the SAML Signature Algorithm from SHA-1 to SHA-256. Select Save.

  8. In Calendly, select your preferred Session Duration.

  9. Select Save & continue.

OneLogin value Calendly field
Issuer URL Entity ID
SAML 2.0 Endpoint (HTTP) Identity provider's SAML HTTP Request URL
X.509 certificate (in view details) X.509 certificate for SAML authentication

 

5. Add details to OneLogin

  1. In OneLogin, select Configuration in the lefthand sidebar.

  2. In Calendly, select Copy Audience URL, and paste the value in OneLogin in SAML Audience URL.

  3. In Calendly, select Copy ACS URL, and paste the value in OneLogin in SAML Consumer URL.

  4. In Calendly, select Default Relay State, and paste the value in OneLogin in RelayState.

  5. Select Save.

Calendly value OneLogin field
Audience URL SAML Audience URL
ACS URL SAML Consumer URL

 

6. Add parameters in OneLogin

  1. In OneLogin, select Parameters in the lefthand sidebar.

  2. Select the SAML NameID (Subject) row.

  3. Set Value to Email.

  4. Select save.

 

7. Assign the Calendly app to a test user

  1. In OneLogin, select Users.

  2. Select the user with an email that matches the Calendly account you’re logged into.

  3. Select Applications on the left.

  4. Select the + button and select Calendly.

  5. Select Continue.

 

8. Test the connection

In Calendly, select Test Connection. If successful, you’ll see a confirmation message, and can proceed to enforce SAML SSO for all members. If unsuccessful, you’ll see an error page on Okta or receive an error notification in Calendly.

 

9. Enforce SSO for your organization

  1. In OneLogin, assign Calendly to all users. Make sure users have matching email addresses for Calendly and OneLogin.

  2. In Calendly, select Enforce SAML SSO for my organization.

When you enforce SAML SSO, all users are logged out of their accounts. When they next sign in to Calendly, they will be required to use SSO to log in.

Note: the organization owner can choose to log in using their original login method, by selecting Log in using another method on the login page.

 

 

 

Was this article helpful?
0 out of 1 found this helpful