How to configure Single-Sign-On between Mosaic and OneLogin

Last updated: April 28, 2026

In this article you will find the necessary steps to configure a connection between OneLogin and Mosaic's authentication platform to establish a Single-Sign-On experience for your enterprise users using Mosaic.

If at any time there are questions or issues with the connection, please reach out to support@mosaic.pe for assistance.

OneLogin Configuration

  1. On the OneLogin Administration page, hover on Apps, and then choose Add apps.

  2. In the search bar under Find Applications, enter saml, and then choose SAML Test Connector (IdP). The Add SAML Test Connector (IdP) page opens.

  3. For Display Name, enter Mosaic.

  4. For Icons, upload thumbnail icons following the specifications on the page using this logo.

  5. Choose Save.

  6. On the OneLogin portal page, choose Configuration.

  7. On the Configuration page, complete the following steps:
    For RelayState, enter https://app.mosaic.pe
    For Audience, enter urn:amazon:cognito:sp:us-east-1_snwpaAR4h.
    For Recipient, enter https://auth.mosaic.pe/saml2/idpresponse.
    For ACS (Consumer) URL Validator, enter https://auth.mosaic.pe/saml2/idpresponse.
    For ACS (Consumer) URL, enter https://auth.mosaic.pe/saml2/idpresponse.
    For Single Logout URL, leave the field blank.

  8. On the OneLogin portal page, choose Parameters.

  9. To create a new, custom parameter, choose Add parameter.

  10. Add the following parameters.  For Flags, select the Include in SAML assertion check box:
    Field Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    Value: Email
    Check Include in SAML

    Field Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
    Value: First Name
    Check Include in SAML

    Field Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
    Value: Last Name
    Check Include in SAML

  11. Choose Save.

  12. On the OneLogin portal page, choose SSO.

  13. Under Issuer URL, copy the URL.

  14. Please email support@mosaic.pe with the Issuer URL from Step 13, as well as a list of all possible domains that might be authenticating via your OneLogin instance.  For example: yourdomain.com, yourdomain.net, etc.  Once received, we will complete the integration and advise when it is ready to test.

Note: If you are utilizing the directory listing, you will need to create a separate bookmark link to https://app.mosaic.pe/login/<your primary domain> and hide the authorization entry from the directory. Otherwise, users attempting to log in via the directory listing may receive an "Invalid samlResponse or relayState from identity provider" error.
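A way to check the values entered in Steps 7 and 10 against a decoded assertion from a test login, as an added example that is not part of Mosaic's or OneLogin's tooling. The function name, the sample assertion and the user in it are constructed for illustration; the Audience, Recipient and claim names are the ones listed above.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
EXPECTED_AUDIENCE = "urn:amazon:cognito:sp:us-east-1_snwpaAR4h"    # Step 7
EXPECTED_RECIPIENT = "https://auth.mosaic.pe/saml2/idpresponse"    # Step 7
REQUIRED_ATTRIBUTES = [CLAIMS + n for n in ("emailaddress", "givenname", "surname")]  # Step 10

def check_assertion(xml_text):
    """Return a list of mismatches between a decoded SAML assertion and the
    settings in this article. Configuration check only: no signature validation."""
    root = ET.fromstring(xml_text)
    problems = []
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if EXPECTED_AUDIENCE not in audiences:
        problems.append(f"Audience is {audiences}, expected {EXPECTED_AUDIENCE}")
    recipients = [d.get("Recipient")
                  for d in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if EXPECTED_RECIPIENT not in recipients:
        problems.append(f"Recipient is {recipients}, expected {EXPECTED_RECIPIENT}")
    present = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        present[attr.get("Name")] = values
    for name in REQUIRED_ATTRIBUTES:
        if not present.get(name):  # absent, or "Include in SAML assertion" left unchecked
            problems.append(f"Attribute missing or empty: {name}")
    return problems

# Constructed sample: the surname parameter was never added in Step 10.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:SubjectConfirmation>
  <saml:SubjectConfirmationData Recipient="{EXPECTED_RECIPIENT}"/>
 </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="{CLAIMS}emailaddress"><saml:AttributeValue>user@yourdomain.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>Ana</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for problem in check_assertion(SAMPLE_ASSERTION):
        print(problem)
```

An empty list means the assertion carries the Audience, Recipient and all three claims this article configures.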