- OneLogin account with admin permissions.
- Super-admin user role within Hudu.
- All users must be provisioned in OneLogin with exactly the same email address they have in Hudu; SSO does not create new user accounts.
- Ensure that the users have already been created in Hudu before starting this process.
Guides
How to Enable SSO
- Login to Hudu and click the Admin tab on the top toolbar.
- Click Security.
- Click Configure SAML/SSO.
- Turn Single Sign-On to On to enable.
- Enter SAML details. See the relevant section below on how to fill this information out.
- Click Save.
Configuring OneLogin
- In OneLogin, as an administrator:
- Navigate to Applications >> Applications in the header.
- Click Add App:
- Search for the SAML test and click the SAML Custom Connector (Advanced)
- Give it a name (and - optionally - icons and a description). Hit the Save button.
- Now, navigate to the Configuration tab, and set the following values for each field (we use docs.mywebsite.com as the example, but it would be the subdomain and Hudu URL you are using):
- Audience (EntityID) - e.g. https://docs.mywebsite.com
- Recipient - e.g. https://docs.mywebsite.com/saml/consume
- ACS (Consumer) URL Validator - e.g. https://docs.mywebsite.com/saml/consume
- ACS (Consumer) URL - e.g. https://docs.mywebsite.com/saml/consume
- Single Logout URL - e.g. https://docs.mywebsite.com
- Login URL - e.g. https://docs.mywebsite.com
- All other values will stay as default.
- Now, navigate to the SSO tab:
- Set the SAML Signature Algorithm to SHA-256
- Save the App.
Configuring Hudu
- In Hudu, with a user role of Admin or Super Admin:
- Navigate to your Hudu admin area >> General >> SAML/SSO Configure.
- Provide Identity Provider (IdP) information:
- SAML Issuer URL: This is what OneLogin calls their "Issuer URL." Copy this exactly into Hudu.
- SAML Login URL: This is what OneLogin calls their "SAML 2.0 Endpoint (HTTP)." Copy this exactly into Hudu.
- SAML Logout URL: This is what OneLogin calls their "SLO Endpoint (HTTP)." Copy this exactly into Hudu.
- SAML Fingerprint:
- To ensure that you are obtaining the correct fingerprint (thumbprint) for your algorithm:
- Copy the certificate.
- Paste the certificate into a tool such as https://developers.onelogin.com/saml/online-tools/x509-certs/calculate-fingerprint
- Choose either SHA-1 or SHA-256 as the algorithm.
- If choosing SHA-256, you will also need to ensure that the 'Use SHA-256' option is checked (in the Hudu SAML setup area).
- Copy either the non-formatted or formatted fingerprints provided and paste into Hudu SAML Fingerprint.
- SAML Certificate: This is provided by OneLogin, and should be the same certificate used to configure the fingerprint; copy this exactly.
- -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- should be included.
- Copy the X.509 Certificate field and paste it into the SAML Certificate field. Make sure there is no extra space trailing at the end!
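The fingerprint steps above send you to an online calculator; the same value can be computed offline from the certificate you paste into Hudu, which also lets you confirm that the fingerprint and the certificate fields really describe the same certificate. The following is an added example (not Hudu's or OneLogin's code). The `SAMPLE_PEM` it contains is a constructed placeholder whose base64 body decodes to the bytes `abc`, not a real certificate; it is there only so the expected digests are known. The function names are the example's own.

```python
import base64
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed placeholder: the body "YWJj" decodes to b"abc". It is NOT a real
# X.509 certificate; it only exercises the parsing and hashing below.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "YWJj\n"
    "-----END CERTIFICATE-----\n"
)


def normalize_pem(pem: str) -> str:
    """Clean a pasted PEM block the way the SP field expects it.

    Strips leading/trailing whitespace (a trailing space or blank line after the
    END marker is the classic paste error), normalises CRLF line endings, and
    requires both BEGIN/END markers to be present.
    """
    text = pem.replace("\r\n", "\n").strip()
    if not text.startswith(BEGIN) or not text.endswith(END):
        raise ValueError("certificate must include the BEGIN and END CERTIFICATE markers")
    return text + "\n"


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes that the PEM body encodes (the input to the fingerprint)."""
    text = normalize_pem(pem)
    match = re.search(re.escape(BEGIN) + r"(.*?)" + re.escape(END), text, re.S)
    body = "".join(match.group(1).split())  # drop line breaks inside the base64 body
    return base64.b64decode(body, validate=True)


def fingerprint(pem: str, algorithm: str = "sha256", formatted: bool = True) -> str:
    """Compute the certificate fingerprint as SHA-1 or SHA-256 over the DER bytes.

    formatted=True returns the colon-separated form (AB:CD:...), formatted=False the
    bare hex string; both are the "formatted" and "non-formatted" values the page
    refers to, and either is accepted by the SP field.
    """
    if algorithm not in ("sha1", "sha256"):
        raise ValueError("algorithm must be 'sha1' or 'sha256'")
    digest = hashlib.new(algorithm, pem_to_der(pem)).hexdigest().upper()
    if not formatted:
        return digest
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(pem: str, configured: str) -> bool:
    """Check that a fingerprint already entered in the SP belongs to this certificate.

    Accepts upper/lower case and with/without colons; the algorithm is implied by
    the digest length (40 hex chars = SHA-1, 64 = SHA-256).
    """
    wanted = re.sub(r"[^0-9A-Fa-f]", "", configured).upper()
    algorithm = {40: "sha1", 64: "sha256"}.get(len(wanted))
    if algorithm is None:
        return False
    return fingerprint(pem, algorithm, formatted=False) == wanted


if __name__ == "__main__":
    print("SHA-256:", fingerprint(SAMPLE_PEM))
    print("SHA-1:  ", fingerprint(SAMPLE_PEM, "sha1"))
```

Paste the real OneLogin X.509 certificate in place of `SAMPLE_PEM` to reproduce what the online tool shows; `fingerprint_matches` is the check to run when a login fails with a certificate or fingerprint error, since it will tell you whether the two Hudu fields were filled from the same certificate.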
- SAML ARN: This signifies the Authentication Context that Hudu will provide to the IdP. AuthnContext is the method by which a user tries to log in (e.g. via password, passwordless, etc.).
- If you specify Do not pass RequestedAuthnContext in your request, the URN is used by the IdP to say "I don't want to tell you how I identified the user".
- Requested Authentication Context may be required for your IdP, but it is typically optional.
- If you have users that use passwordless login to your IdP, Do not pass RequestedAuthnContext must be selected.
- If you specify Password in your request, the IDP knows it has to authenticate the user through login/password.
- If you specify PasswordProtectedTransport in your request, the IDP knows it has to authenticate the user through login/password, protected by SSL/TLS.
- Click Enable Single Sign-On.
- Hit Update SAML Details and SAML should now be activated.
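The three AuthnContext choices above differ only in whether, and with which class URN, a RequestedAuthnContext element is placed in the AuthnRequest that Hudu sends to OneLogin. The following added example (not Hudu's or OneLogin's code) builds that element for each choice and shows why the passwordless case needs "Do not pass": with the default Comparison="exact", the class the IdP reports back must equal the requested one, so a passwordless login cannot satisfy a request for Password or PasswordProtectedTransport. The class URNs are the standard SAML 2.0 values; the issuer, ACS and IdP endpoint strings, the IssueInstant and request ID are constructed placeholders, and the function names are the example's own.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Standard SAML 2.0 authentication context class URNs.
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
PASSWORD_PROTECTED_TRANSPORT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"

# The three options the SAML ARN setting exposes; None means no element is sent.
CHOICES = {
    "Do not pass RequestedAuthnContext": None,
    "Password": PASSWORD,
    "PasswordProtectedTransport": PASSWORD_PROTECTED_TRANSPORT,
}


def build_authn_request(issuer: str, acs_url: str, idp_login_url: str, choice: str,
                        request_id: str = "_constructed-request-id") -> str:
    """Build a minimal SP-initiated AuthnRequest for the given AuthnContext choice.

    issuer is the SP entity ID (the "Audience"), acs_url the ACS URL, and
    idp_login_url the IdP's SAML 2.0 endpoint (the "SAML Login URL").
    """
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": "2024-01-01T00:00:00Z",  # constructed timestamp
        "Destination": idp_login_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    class_ref = CHOICES[choice]
    if class_ref is not None:
        # Comparison="exact" is the SAML default; it is written out here for clarity.
        rac = ET.SubElement(root, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = class_ref
    return ET.tostring(root, encoding="unicode")


def requested_context(authn_request_xml: str):
    """Return the requested class URN from an AuthnRequest, or None if none was sent."""
    root = ET.fromstring(authn_request_xml)
    node = root.find(f"{{{SAMLP}}}RequestedAuthnContext/{{{SAML}}}AuthnContextClassRef")
    return None if node is None else node.text


def context_satisfied(requested, received: str) -> bool:
    """Does the class the IdP reports in its assertion satisfy what the SP requested?

    Under Comparison="exact" the received class must equal the requested one; when
    nothing was requested, any authentication method is accepted.
    """
    return requested is None or received == requested


if __name__ == "__main__":
    for choice in CHOICES:
        req = build_authn_request("https://docs.mywebsite.com",
                                  "https://docs.mywebsite.com/saml/consume",
                                  "https://idp.example/saml", choice)  # placeholder IdP URL
        print(choice, "->", requested_context(req))
```

Running the script prints the class URN sent for each option. `context_satisfied(PASSWORD_PROTECTED_TRANSPORT, UNSPECIFIED)` is the passwordless failure case: the IdP authenticated the user without a password and says so, and an exact-match request for PasswordProtectedTransport is not met.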
Testing SAML
Exempt Groups from SSO
You have the option to select groups to exempt from SSO. Admins and portal members are always exempt.
Just-in-Time (JIT) Provisioning
Hudu supports Just-in-Time (JIT) provisioning for users signing in through SSO. When a user logs in for the first time via your identity provider, their account will be automatically created based on the attributes and group memberships passed during authentication.
Adding User Attributes to SAML Assertion
- Go to the SSO application and open the Parameters section.
- Add First Name:
Click the ( + ) button to add a new parameter.
Set the parameter name to First Name.
Use http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname as the field name. Check Include in SAML assertion.
Click Save.
On the next screen, search for First Name and click Save again.
- Add Last Name:
Click the ( + ) button to add a new parameter.
Set the parameter name to Last Name.
Use http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname as the field name. Check Include in SAML assertion.
Click Save.
On the next screen, search for Last Name and click Save again.
Assigning Roles via hudu_user_role
Go to the SAML/SSO application and open the Parameters section.
Click the ( + ) button to add a new parameter.
Set the parameter name to hudu_user_role.
Leave the value field blank (it will be set via rules).
Click Create or Save.
Navigate to the Rules section.
Click Create New Rule.
- Build rules based on user groups to assign the correct role:
Example: If a user is in Group A, set hudu_user_role to editor. Repeat this process for all groups you want to map to different roles.
Click Save for each rule created.
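To make the JIT flow above concrete, the following added example (not Hudu's or OneLogin's code) simulates both sides: an ordered group-to-role rule list standing in for the OneLogin rules, an AttributeStatement carrying the two claim names from the steps above plus hudu_user_role, and the service-provider side that reads those three values out of the assertion. The rule list, the user names and the second group/role pair are constructed; only "Group A" to "editor" comes from the page. In a real SP the extraction runs only after the SAML Response signature has been verified against the configured certificate.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Attribute names as configured in the OneLogin parameters section.
GIVEN_NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
SURNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
ROLE_ATTR = "hudu_user_role"

# Constructed rule list: ordered (group, role) pairs, first match wins. "Group A" ->
# "editor" is the page's example; the second pair is a made-up addition.
GROUP_ROLE_RULES = [
    ("Group A", "editor"),
    ("Group B", "admin"),
]


def assign_role(user_groups, rules=GROUP_ROLE_RULES):
    """IdP side: evaluate the rules for a user's group memberships.

    Returns the role for the first matching rule, or None when no rule matches
    (in which case the parameter is left blank and no role attribute is sent).
    """
    groups = set(user_groups)
    for group, role in rules:
        if group in groups:
            return role
    return None


def build_attribute_statement(first_name: str, last_name: str, role) -> str:
    """IdP side: emit the AttributeStatement that "Include in SAML assertion" adds."""
    ET.register_namespace("saml", SAML)
    stmt = ET.Element(f"{{{SAML}}}AttributeStatement")
    for name, value in ((GIVEN_NAME, first_name), (SURNAME, last_name), (ROLE_ATTR, role)):
        if value is None:
            continue  # blank parameter: attribute omitted entirely
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", {"Name": name})
        ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value
    return ET.tostring(stmt, encoding="unicode")


def extract_jit_attributes(statement_xml: str) -> dict:
    """SP side: read the JIT fields out of a (signature-verified) AttributeStatement.

    Missing attributes come back as None so the caller can decide whether the
    account may be created without them.
    """
    root = ET.fromstring(statement_xml)
    found = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        value = attr.find(f"{{{SAML}}}AttributeValue")
        found[attr.get("Name")] = None if value is None else value.text
    return {
        "first_name": found.get(GIVEN_NAME),
        "last_name": found.get(SURNAME),
        "role": found.get(ROLE_ATTR),
    }


if __name__ == "__main__":
    # Constructed user: in Group A, so the rules assign "editor".
    role = assign_role({"Group A", "Everyone"})
    xml = build_attribute_statement("Ada", "Lovelace", role)
    print(xml)
    print(extract_jit_attributes(xml))
```

The round trip shows what to look for when JIT-created users come in with blank names or the wrong role: dump the AttributeStatement the IdP actually sent and compare the Name values against the three names configured in OneLogin, since a typo in the claim URI or a rule that never matched shows up here as a missing attribute rather than an error.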
ℹ️ Need more details on enabling JIT Provisioning in Hudu?
🔗 Visit our full guide for more information.