SAML SSO with OneLogin

Here's a guide to get started with SAML SSO with OneLogin for your Whimsical workspace.

  • SAML SSO is only available on our Org plan.
  • You must be an admin to enable SAML SSO.

In OneLogin:

  1. In OneLogin go to Applications, and click Add app.
  2. Search for "SAML Custom Connector (Advanced)".
  3. Enter the display name "Whimsical" and ensure that "Visible in portal" is checked.
  4. Optionally, upload this icon to more easily identify your Whimsical app in OneLogin.
  5. Hit Save, then go to the Configuration tab on the left.
  6. Open the "More actions" dropdown in the top right corner and select "SAML metadata". This will download an XML metadata file to your computer.

In Whimsical:

  1. In your Workplace settings, enable SAML SSO.
  2. Once SAML SSO is enabled:
    • Select OneLogin from the “Identity Provider” dropdown list
    • Upload the metadata XML file downloaded in step 6 of the OneLogin section above in the “SAML Metadata XML” field
    • Click Save
  3. Copy the “ACS URL” value

In OneLogin:

  1. Paste the “ACS URL” value into the "ACS (Consumer) URL" and "Recipient" fields in the Configuration tab.
  2. Copy the Entity ID and paste it into the "Audience (EntityID)" field on the same tab.
  3. Paste this string into the "ACS (Consumer) URL Validator" field on the same tab:

[-a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%_\+.~#?&//=]*)

  4. Save the configuration in OneLogin, then go to the Parameters tab.
  5. Click the + button on the right to add a new parameter.
  6. Name it FirstName, check the box to "Include in SAML assertion", then click Save.
  7. Select "First Name" from the dropdown for value and save the parameter.
  8. Repeat steps 6 and 7, but name the field LastName and choose "Last Name" as the value.
  9. Click Save in the top right corner to save your parameters.
  10. You can now assign Whimsical login to your users in OneLogin.
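The "ACS (Consumer) URL Validator" string pasted in the Configuration tab above is a regular expression, and it helps to see what it accepts before relying on it. The Python check below is an added example, not part of Whimsical's guide or of OneLogin's product; it assumes OneLogin applies the field as an unanchored regex search, and ACS_URL is a constructed placeholder standing in for the value copied from your workspace settings. It also builds a stricter pattern with re.escape that accepts only the exact ACS URL, for workspaces that want the validator to reject every other destination.

```python
import re

# The "ACS (Consumer) URL Validator" pattern from the guide, verbatim.
GUIDE_VALIDATOR = re.compile(
    r"[-a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%_\+.~#?&//=]*)"
)

# Constructed placeholder standing in for the ACS URL copied from Whimsical;
# the real value comes from your Workspace settings.
ACS_URL = "https://sso.example.com/saml/acs"


def guide_validator_accepts(url: str) -> bool:
    """Return True if the guide's pattern accepts `url`.

    Assumption: OneLogin evaluates the field as an unanchored regex search,
    so re.search is used here rather than re.fullmatch.
    """
    return GUIDE_VALIDATOR.search(url) is not None


def exact_validator(acs_url: str) -> "re.Pattern":
    """Build a validator that accepts only the exact ACS URL.

    re.escape neutralises regex metacharacters that occur in URLs ('.',
    '?', '+'), and the anchors reject any prefix or suffix.
    """
    return re.compile(r"^" + re.escape(acs_url) + r"$")


def exact_validator_accepts(acs_url: str, url: str) -> bool:
    """Return True only if `url` is exactly `acs_url`."""
    return exact_validator(acs_url).search(url) is not None


if __name__ == "__main__":
    # Constructed candidates: the ACS URL itself, a variant with a suffix,
    # a URL on a different host, and a string that is not a URL at all.
    candidates = [
        ACS_URL,
        ACS_URL + "/extra",
        "https://other.example.net/saml/acs",
        "not a url",
    ]
    for candidate in candidates:
        print(
            f"{candidate!r:50} guide={guide_validator_accepts(candidate)!s:5} "
            f"exact={exact_validator_accepts(ACS_URL, candidate)}"
        )
```

Running it shows that the guide's pattern accepts any URL with a plausible host name and rejects only strings that do not look like URLs, while the exact pattern accepts the one ACS URL and nothing else. Keeping the generic pattern or switching to the exact one is a policy choice; the exact pattern has to be updated whenever the ACS URL changes.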

In Whimsical:

After that’s done, you can go back to your Whimsical Workspace settings and adjust two more things:

  • Default user role: Whimsical supports JIT (Just-in-time) account provisioning. That means that Whimsical will create an account for a user authenticating via SAML if necessary. New users will be created with the role and permissions you choose:
    • Editors - paid role with full ability to create and edit content
    • Viewers - free role with read and comment-only limited permissions
  • Require SAML for login: You can enable this optional setting if you want to prevent users from accessing your workspace with other means of authentication, such as a password or via Google SSO.

There are some attributes that are the same for all identity providers:

Whimsical uses the e-mail address of the SAML user to identify them on Whimsical. This comes up in identity provider configuration options such as Name ID Format or Name ID. When in doubt, choose the option that returns the user's e-mail address.
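The FirstName and LastName parameter steps in the OneLogin section and the Name ID note above together describe what Whimsical reads from an assertion: the subject's e-mail address in NameID plus FirstName and LastName attributes. The Python snippet below is an added example, not Whimsical's or OneLogin's code; it parses a constructed, unsigned sample assertion and reports whether those three pieces are present, with NameID in the e-mail-address format. The element names are the standard SAML 2.0 ones and the attribute names are the ones the guide tells you to create. Signature and Conditions checks, which a real service provider performs before trusting any of this, are outside the snippet.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# The parameter names the guide has you add in OneLogin.
REQUIRED_ATTRIBUTES = ("FirstName", "LastName")

# Constructed sample assertion, not a real OneLogin response. Signature,
# Issuer and Conditions are omitted to keep the example short; a real
# service provider validates those before reading anything below.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="LastName">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _attributes(root: ET.Element) -> dict:
    """Collect Attribute Name -> first AttributeValue text."""
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return attrs


def assertion_problems(assertion_xml: str) -> list:
    """Return a list of reasons the assertion would not satisfy the guide's
    expectations; an empty list means it carries everything needed."""
    problems = []
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("no NameID in Subject")
    elif name_id.get("Format") != EMAIL_FORMAT:
        # Whimsical identifies users by e-mail, so a persistent or transient
        # NameID would not map to an account.
        problems.append(f"NameID Format is {name_id.get('Format')!r}, not emailAddress")
    attrs = _attributes(root)
    for name in REQUIRED_ATTRIBUTES:
        if not attrs.get(name):
            problems.append(f"attribute {name} missing or empty")
    return problems


def extract_user(assertion_xml: str) -> dict:
    """Return the e-mail, first and last name the assertion carries, or raise
    ValueError listing what is wrong with it."""
    problems = assertion_problems(assertion_xml)
    if problems:
        raise ValueError("; ".join(problems))
    root = ET.fromstring(assertion_xml)
    attrs = _attributes(root)
    email = root.find("saml:Subject/saml:NameID", NS).text.strip()
    return {"email": email, "first_name": attrs["FirstName"], "last_name": attrs["LastName"]}


if __name__ == "__main__":
    print(extract_user(SAMPLE_ASSERTION))
```

Feeding it an assertion whose NameID Format is persistent, or whose LastName attribute is named differently, returns a problem list instead of a user record; that is the same mismatch you would be chasing when a OneLogin-initiated login reaches Whimsical but the account is not provisioned or the name fields stay empty.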
