How to set up SAML SSO with OneLogin

SAML single sign-on (SSO) lets your team sign in to Calendly using OneLogin. It gives your organization more control over how users access Calendly.

For example, you can:

• Let users sign in at calendly.com and get verified through OneLogin.
• Let users log in to OneLogin first, then select the Calendly app.

Note: Just-in-Time (JIT) provisioning isn’t supported. To create users automatically, use SCIM.

Before you begin

• Your Calendly and OneLogin accounts must use the same email.
• You need admin access in OneLogin.
• Open Calendly and OneLogin in two separate browser windows.

Add Calendly to OneLogin

1. In OneLogin, go to Applications > Applications.
2. Select Add App.
3. Search for Calendly and choose the result labeled SAML 2.0.
4. Select Save.

Add a temporary SCIM URL

1. In OneLogin, go to Configuration.
2. In SCIM Base URL, enter https://api.calendly.com (you’ll update this later).
3. Select Save.

Add identity provider (IdP) details in Calendly

1. In OneLogin, go to SSO.
2. Copy these fields into Calendly:
   • Issuer URL → Entity ID
   • SAML 2.0 Endpoint (HTTP) → SAML HTTP Request URL
3. For the X.509 Certificate:
   • Select View Details > Open in new tab.
   • Copy the certificate and paste it into X.509 certificate for SAML authentication in Calendly.
4. Change SAML Signature Algorithm to SHA-256 in OneLogin.
5. In Calendly, choose your Session Duration and select Save & continue.

Add Calendly details in OneLogin

1. In Calendly, copy each of the following and paste it into OneLogin:
   • Audience URL → SAML Audience URL
   • ACS URL → SAML Consumer URL
   • Default Relay State → RelayState
2. Select Save.

Add parameters in OneLogin

1. Go to Parameters.
2. Select SAML NameID (Subject).
3. Set Value to Email.
4. Select Save.

Assign Calendly to a test user

1. In OneLogin, go to Users and choose a test user with the same email as in Calendly.
2. Select Applications > + > Calendly.
3. Select Continue.

Test your connection

1. In Calendly, select Test Connection.
   • If the test works, you’ll see a success message.
   • If it fails, you’ll see an error in Calendly or in Okta.

Enforce SAML SSO for your team

1. In OneLogin, assign Calendly to all users. Make sure emails match.
2. In Calendly, select Enforce SAML SSO for my organization.

Once enforced, users will be signed out. Next time they log in, they must use SSO.

The organization owner can still choose Log in using another method on the login page.