## Create SAML application with Onelogin

This guide outlines the steps to create and configure a SAML application in Onelogin, including setup, user assignments, and metadata submission.

### Step 1: Create SAML application

1. Click on **+** and choose to add a **SAML Application**.

   ![pingidentity](/assets/ping-1.3dec173870ed733d4c658e161ed01f200354f3f2bed9be12183457b0f8c01690.dba07de7.png)

1. Choose to **Manually Enter** Service Provider details.

   ![pingidentity](/assets/ping-2.0f968387ac6db562ec4dd33d24d0fef25e1b4a9f653d80699fed849eb38bd2f6.dba07de7.png)

1. Copy and paste the values into the relevant fields in the **SAML Configuration** section.

   ![pingidentity](/assets/ping-3a.1095f4120250a16b5260b80203f93a3d7a78803cddc881283b24a2241f1f2a3b.dba07de7.png)

1. Go to the **Configuration** tab and click on the pencil icon to edit. Scroll down and choose **emailAddress** to be passed as **NameID**.

   ![pingidentity](/assets/ping-3.5bbdea6f8fc05df3a76a3d18a8ddb85a530079b79db525e5252fba39607c016c.dba07de7.png)

1. Enable the application.

   ![pingidentity](/assets/ping-4.3fb9851f7c0e94cc4d98aaedaa14cef8bf98fb24889470c1903f162494f1c375.dba07de7.png)

### Step 2: Fill attribute statements

1. Go to **Attribute Mappings** and click on the edit sign.

   ![pingidentity](/assets/ping-5.f858b3c95c8ed06685f070df5cda08a3958a183886a7aca4d4615faaaf077581.dba07de7.png)

1. The **saml_subject** attribute must be mapped to an email address in order for the **NameID** to be passed as an email. Additional attributes are **optional**.

   ![pingidentity](/assets/ping-6.6d5a60452de0aa5e581089863f3264e029d04069a5f6a31b5b2a4038c7206b58.dba07de7.png)

### Step 3: Assign users

1. Switch to the **Access** section and click **edit**.

   ![pingidentity](/assets/ping-7.0251b69eb69e44634a8de66a13566c2a7e3a048719626cbe3e964abcb6ccbd82.dba07de7.png)

1. Choose the user groups that will have access to this application.

   ![pingidentity](/assets/ping-8.12701c857cb1e91b0b4413bc1d6d42e964d31928a43ed928ecb525b2c4bb27c2.dba07de7.png)

### Step 4: Submit metadata

To complete the implementation of SAML SSO, you need to provide the application with your identity provider's metadata.

1. Click on the **Configuration** tab of the SAML app you just created.

   ![pingidentity](/assets/ping-9.51110091842d129c0fd0e659ffdbbf43e67c8d050bbd346a6fd8a442e311a4a3.dba07de7.png)

#### Automatic configuration

1. Click on **Download Metadata**.

   ![pingidentity](/assets/ping-10.66a9d9235539d64a83d556f63e2b3f22fb1ec13b3ba40e8da8dfeaadb4b9a07e.dba07de7.png)

1. Upload the file from the previous step.

#### Manual configuration

1. Click on **Download Signing Certificate** and choose the **X.509 Certificate**.
2. Paste the **content** of the certificate file into the **Public Certificate** section.
3. Copy the **Single Signon Service URL** and paste the value into the **SSO Endpoint** field.

![pingidentity](/assets/ping-12.5e65859535046be4b4e9dd9a3a431143d0f82ff8063159fcb57526c4057ef97b.dba07de7.png)

![pingidentity](/assets/ping-13.1203bb2aa8973345c18705896b12792db7ac919512c1dec47fe95766696dc514.dba07de7.png)

### Step 5: Proceed with domain claiming and role assignment

1. Click on **Proceed with domain claiming and role assignment** to confirm the completion of the configuration of the IDP form.
2. Follow the instructions in the [Self-service SAML configuration](/ciam/guides/authentication/sso/self-service/saml#claim-domain) guide to complete this step and manage authorization.