This topic explains how to configure SAML-based Single Sign-On (SSO) with OneLogin and enable group mapping so Traceable can automatically assign roles based on OneLogin group membership.
This guide is intended for OneLogin administrators.
Before you begin
Ensure you have the following:
Admin access to your OneLogin account.
The Traceable app has already been created and assigned in OneLogin.
User groups are configured, and users are assigned to those groups.
Admin access to the Traceable UI.
Step 1: Add Group Attribute in OneLogin
Log in to your OneLogin Admin portal
Navigate to Applications → Applications
Click the Traceable app
Go to the Parameters tab
Click + to add a new field
Set:
Field name:
groupsValue: Select Macro and choose
User Rolesor another field that maps to user group membershipCheck Include in SAML assertion
Click Save
This ensures the SAML assertion sent to Traceable includes the user's group or role information.
Step 2: Test and verify the assertion
Assign users to the Traceable app in OneLogin
Use a test user to sign in via OneLogin SSO
Use SAML-tracer or a SAML debugging tool to inspect the login response
Look for:
<Attribute Name="groups"> <AttributeValue>Security Admins</AttributeValue> </Attribute>
Note the attribute name and group value for use in Traceable.
Step 3: Map Groups to Roles in Traceable
In the Traceable UI, go to Configuration > Team
Click the SAML Config tab
Enter
groupsin the Group Attribute Name fieldClick + Add Group and define mappings:
SAML Group: Enter values such as
Security AdminsorDeveloperRole: Select the appropriate Traceable role
Scope: Define whether the role applies globally or to specific apps
Click Add Role, then Save
What’s Next?
After setup:
Users signing in via OneLogin will receive the correct roles based on their group
You can update or remove mappings from the Traceable UI at any time
Return to the SAML Configuration topic to continue with the rest of the SAML configuration process.