Configuring SSO with Azure

This article provides a step-by-step guide to configuring SSO between OnceHub and Azure Active Directory.


To configure SSO in your account, you must be a OnceHub Administrator. However, you do not need a product license. Learn more

You must already have an account with Azure AD. The person configuring in Azure AD must be an administrator.

Step-by-step directions

Request access

SSO is intended for accounts with multiple users who take the extra security measure of signing into third-party applications using an identity provider. Please contact us to learn more. OnceHub can enable the SSO functionality in your account manually.

SAML configuration

You can access SAML configuration at OnceHub Account settings -> In the lefthand sidebar, select Security -> SSO.

OnceHub provides specific field values you can copy and configure within Azure AD:

1. In, go to Enterprise applications -> Click on + New application.

Figure 1: New application

2. On the Add an application page, select Non-gallery application.

Figure 2: Non-gallery application

3. Add the Name (for example, “OnceHub”). Click Add

Figure 3: Add name and click Add

4. In the left menu, select Single sign on. Click on the SAML option.

Figure 4: SAML option 

5. Edit the Basic SAML Configuration section. 

Figure 5: Edit the Basic SAML Configuration section

6. On the Basic SAML Configuration page, fill in the required fields and save. You can grab these values in OnceHub, on the Required by entity provider step.

In Azure ADIn OnceHub
Identifier (Entity ID)Identifier URL
Sign on URLSingle sign-on URL

These are the only required fields; the rest can be left blank.

Figure 6: Basic SAML Configuration

7. Edit the User Attributes & Claims section.

Figure 7: Edit the User Attributes & Claims section

8. Select + Add new claim.

Figure 8: Add new claim

9. On the Manage claim page, enter these values:

Name: email 
Note: Write 'email' in lower-case letters only. 

Source: Attribute

Source attribute: user.mail

Figure 9: Manage claimOnce you've defined these values, click Save

10. Access the SAML Signing Certificate by downloading the Certificate (Base64) option. 

Figure 10: Download certificate

11. Go to OnceHub. You've already taken care of the first part, Required by identity provider, within Azure AD. In the second part, Required by OnceHub, you'll need specific field values from Azure AD that you can copy and configure within OnceHub. 

This includes the Entity ID, Single sign-on URL, and the Public x509 certificate. You've already downloaded the certificate. You can grab the other values in Azure AD next to the 4.

Figure 11: Required by OnceHub step

In Azure ADIn OnceHub
Azure AD IdentifierEntity ID
Login URLIDP single sign-on URL
Certificate (Base64) - Download and copy/paste whole contentsPublic x509 certificate

12. For the certificate field, open the downloaded certificate and copy all contents. 


Include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- syntax in your selection.

Figure 12: Copy whole contents of certificate text

13. In Azure AD, go to the left menu and select Users and groups. On that page, select Add user

Figure 13: Add user

14. On the Add Assignment page, search for relevant users or groups. Select them and click Assign when ready.

Verify configuration

OnceHub will speak to your identity provider and verify that the configuration has the correct values on both sides to proceed.

Figure 14: Verify configuration

Enable SSO for all users

Once you've verified your SSO configuration, you can select the Enable SSO for all users toggle. All Users in your OnceHub account can now access their account using SSO


Before you enable the account, make sure all your Users have matching email addresses for their OnceHub User profile and their Azure profile. 

Once SSO is enabled, they will not be able to change their OnceHub email. 

If their OnceHub email does not match the email in their IDP profile, they will not be able to log in.

Figure 15: Enable SSO for all users


If existing Users were already signing into OnceHub using an email and password, they will no longer be able to do so. They will only be able to sign in using SSO.

Was this article helpful?
Thank you for your feedback!