---
title: "Set Up SAML Group Mapping with OneLogin"
slug: "set-up-saml-group-mapping-with-onelogin"
updated: 2025-04-04T09:35:46Z
published: 2025-04-04T09:35:46Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://traceabledocs.document360.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Set Up SAML Group Mapping with OneLogin

This topic explains how to configure SAML-based Single Sign-On (SSO) with OneLogin and enable group mapping so Traceable can automatically assign roles based on OneLogin group membership.

This guide is intended for OneLogin administrators.

---

## Before you begin

Ensure you have the following:

- Admin access to your OneLogin account.
- The Traceable app has already been created and assigned in OneLogin.
- User groups are configured, and users are assigned to those groups.
- Admin access to the Traceable UI.

---

## Step 1: Add Group Attribute in OneLogin

1. Log in to your OneLogin Admin portal
2. Navigate to **Applications → Applications**
3. Click the **Traceable** app
4. Go to the **Parameters** tab
5. Click **+** to add a new field
6. Set:
  - Field name: `groups`
  - Value: Select **Macro** and choose `User Roles` or another field that maps to user group membership
  - Check **Include in SAML assertion**
7. Click **Save**

This ensures the SAML assertion sent to Traceable includes the user's group or role information.

---

## Step 2: Test and verify the assertion

1. Assign users to the Traceable app in OneLogin
2. Use a test user to sign in via OneLogin SSO
3. Use **SAML-tracer** or a SAML debugging tool to inspect the login response
4. Look for:

```xml
<Attribute Name="groups">
  <AttributeValue>Security Admins</AttributeValue>
</Attribute>
```

Note the attribute name and group value for use in Traceable.

---

## Step 3: Map Groups to Roles in Traceable

1. In the Traceable UI, go to **Configuration > Team**
2. Click the **SAML Config** tab
3. Enter `groups` in the Group Attribute Name field
4. Click **+ Add Group** and define mappings:
  - SAML Group: Enter values such as `Security Admins` or `Developer`
  - Role: Select the appropriate Traceable role
  - Scope: Define whether the role applies globally or to specific apps
5. Click **Add Role**, then **Save**

---

## What’s Next?

After setup:

- Users signing in via OneLogin will receive the correct roles based on their group
- You can update or remove mappings from the Traceable UI at any time

Return to the [SAML Configuration](/docs/saml-configuration) topic to continue with the rest of the SAML configuration process.