1. In OneLogin
- OIDC (recommended)
- SAML 2.0
- In the OneLogin admin console, go to Applications → Applications → Add App.
- Search for OpenID Connect (OIDC) and select the connector.
- Set the display name to “Quippy” and save.
- On the new app’s Configuration tab, set Redirect URI’s to the OIDC Redirect URL from Quippy.
- On the SSO tab, copy:
- Client ID
- Client Secret (click “Show client secret”)
- Issuer URL — you’ll see two issuers; use the
v2variant, which looks likehttps://<subdomain>.onelogin.com/oidc/2.
- On the Users tab, assign access to the users or roles that need Quippy.
OneLogin — OIDC app → SSO tab with Issuer URL and Client ID.
2. In Quippy
- OIDC
- SAML 2.0
| Quippy field | Value from OneLogin |
|---|---|
| Issuer URL | e.g. https://<subdomain>.onelogin.com/oidc/2 |
| Client ID | SSO tab → Client ID |
| Client Secret | SSO tab → Client Secret |
3. Test connection
Click Test connection in the Quippy admin portal. OIDC returns the discovered endpoints; SAML confirms the metadata endpoint responds. Then enable SSO. Keep a backup admin until your first SSO sign-in succeeds.Common gotchas
Picked the v1 OIDC issuer
Picked the v1 OIDC issuer
OneLogin exposes both
/oidc (v1) and /oidc/2 (v2) issuers. Use the
v2 issuer — it supports PKCE and the discovery doc Quippy fetches.ACS URL Validator is too narrow
ACS URL Validator is too narrow
OneLogin’s ACS (Consumer) URL Validator is a regex. If it’s set to
the wrong pattern, OneLogin rejects the AuthnRequest. A safe default is
^https://api\.quippy-lab\.com/.* (or your custom API host).Roles not mapped to Quippy
Roles not mapped to Quippy
OneLogin can send Roles or Groups as SAML attributes / OIDC
claims. Configure Parameters (SAML) or Scopes (OIDC) so Quippy
receives the group claim you mapped under
Group → role mapping.