OneLogin’s SAML Service Provider feature enables it to act as a SAML service provider, which means that it can integrate with third party identity providers, such as Active Directory Federation Services, Shibboleth, CA SiteMinder and PingFederate.

The service provider interface allows other identity providers to using SAML to:

sign users into OneLogin
sign users into applications that are already federated with OneLogin using SAML
The ability to integrate with other identity providers is key in projects where the existing identity provider infrastructure is being phased out or enhanced to work with cloud-based applications.

Establishing Trust Between Onelogin And Another Identity Provider
Other identity providers federate with OneLogin the same way they would any cloud application; by uploading their X.509 certificate to OneLogin. This enables OneLogin to verify that SAML assertions come from a trusted party.

Signing Users Into Onelogin Using Saml
The most basic way of using OneLogin as a SAML service provider is let users get signed into OneLogin by another identity provider. For example, users could be signed into OneLogin by AD-FS when they click on a link in a SharePoint site or some other application that federates with AD-SF. The identity provider simply posts a SAML response to the URL below with the user’s user name or email address in the NameID attribute.

https://app.onelogin.com/session/saml
This method requires the user to already exist in OneLogin.

SAML Chaining
A more advanced way of using OneLogin’s as a SAML service provider is treating OneLogin as a proxy. This is also sometimes called SAML chaining and can in principle be any number of times.