# Configuring Rippling SAML SSO

> Integrate Omni with Rippling for user authentication via the SAML protocol.

## Requirements

To follow the steps in this guide, you'll need:

* Omni [Organization Admin permissions](/administration/users/permissions)
* Permissions in Rippling that allow you to:
  * Create custom apps
  * Assign users & groups to apps

## Setup

<Tip>
  Open Omni's SAML settings and Rippling in separate browser tabs, as you will need to copy and paste values between the two applications to complete the setup.
</Tip>

<Steps>
  <Step title="Open the Omni authentication settings">
    In your Omni instance, navigate to **Settings > Authentication** and locate the **SAML** section.
  </Step>

  <Step title="Create an Omni Rippling app">
    1. Sign into Rippling.
    2. Search for `Custom app` in the search bar.
    3. Select **Create new Custom app**.
    4. Complete the app form:
       * **Name** - `Omni`
       * **Categories** - `Analytics & BI`
       * Upload the following logo:

         ![Omni logo](https://d161ew7sqkx7j0.cloudfront.net/public/images/logos/35909_4506_omni_logo_darkgrey_pink_line_large.png)

    5. Select **Single Sign-on (SAML)**, or **SAML and SCIM app** if you intend to also configure SCIM.
    6. Complete the single sign-on setup form:
       * Leave the **Metadata URL** and **Metadata** fields empty.
       * **ACS URL (Assertion Consumer Service URL)** - Copy and paste the **Single sign-on URL** value from the Omni Authentication settings (step 1).
       * **Service Provider Entity ID** - Enter the full hostname of your Omni instance, e.g. `blobsrus.omniapp.co`. Do not include `https://`.
    7. Leave this form open, but note the following values, as you'll need them in the next step:
       * **Single Sign-on URL**
       * **Issuer**
       * **X509 Certificate**
  </Step>

  <Step title="Configure Omni authentication settings">
    Navigate back to the Omni Authentication settings (**Settings > Authentication**) to complete the setup:

    * **Entity ID / Issuer** - Copy and paste the **Issuer** value from Rippling

    * **Single Sign-on URL** - Copy and paste the **Single Sign-on URL** value from Rippling

    * **Certificate** - Copy and paste the contents of the **X509 Certificate**. You may need to download it from Rippling.

      The certificate must include the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines, for example:

      ```txt wrap
      -----BEGIN CERTIFICATE-----
      [certificate contents]
      -----END CERTIFICATE-----
      ```

    * **Automatically provision new users on first login from this SAML provider** - Toggle this setting to **on** if:

      * You want to provision users only when they first access Omni **and**
      * You don't plan to set up SCIM provisioning

    * **Enable SAML for users** - Toggle this setting to **on**

    When finished, click **Save SAML changes**.
  </Step>

  <Step title="Complete the SSO configuration in Rippling">
    Navigate back to Rippling to finish configuring the custom Omni app:

    1. On the setup form, click **Continue**.
    2. Select **Do not allow admins to sign in to the admin account**.
    3. Skip creating any group attributes.
    4. In the app’s **Settings** tab, navigate to the **SAML Attributes** section.
    5. Create the following **global attributes**:

       | Name         | Value                       |
       | ------------ | --------------------------- |
       | `first_name` | User's preferred first name |
       | `last_name`  | User's preferred last name  |

    <Note>
      Clicking the **"test now"** button at this point will yield an error, as Rippling initially sets the SAML SSO as IdP-initiated. You will change this to SP-initiated in the next step.
    </Note>
  </Step>

  <Step title="Configure service provider (SP) initiated flow">
    1. In the Custom app's **Settings > Advanced SAML Settings**, enable **Application only supports login initiated from the application, also referred to as SP initiated flow**.
    2. In **URL to trigger SP-initiated flow**, enter the URL of your Omni instance, e.g. `https://blobsrus.omniapp.co/`.
  </Step>

  <Step title="Assign users and groups">
    In Rippling, assign users and user groups to the custom Omni application.
  </Step>

  <Step title="Test the setup">
    Test your SAML setup by logging out of Omni. On the Omni login page, you should see a **Log in with SAML** button. Click the button to log in using SAML.

    If the setup is successful, finish the setup by rolling out SAML authentication to the rest of your organization.
  </Step>
</Steps>
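
A pre-flight check for two values that are easy to get wrong in the steps above, the **Certificate** pasted into Omni and the **Service Provider Entity ID** entered in Rippling. This is an added example, not part of Omni's or Rippling's tooling; the function names are hypothetical and the sample certificate is a constructed placeholder. It checks PEM framing and basic DER structure only (it does not parse or validate the X.509 contents) and returns a SHA-256 fingerprint you can record to notice a later certificate change.

```python
import base64
import hashlib
import re

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

# Constructed placeholder, NOT a real certificate: a tiny DER SEQUENCE in PEM framing.
SAMPLE_DER = bytes.fromhex("3003020100")
SAMPLE_PEM = f"{PEM_BEGIN}\n{base64.b64encode(SAMPLE_DER).decode()}\n{PEM_END}\n"


def check_certificate(pem_text):
    """Return (problems, sha256_hex) for the value pasted into Omni's Certificate field."""
    lines = [ln.strip() for ln in pem_text.splitlines() if ln.strip()]
    if not lines or lines[0] != PEM_BEGIN:
        return [f"missing {PEM_BEGIN} line"], None
    if lines[-1] != PEM_END:
        return [f"missing {PEM_END} line"], None
    if lines.count(PEM_BEGIN) != 1 or lines.count(PEM_END) != 1:
        return ["more than one certificate block pasted"], None
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ["body is not valid base64 (truncated or mangled paste?)"], None
    if not der or der[0] != 0x30:
        return ["decoded body is not a DER SEQUENCE, so not X.509"], None
    return [], hashlib.sha256(der).hexdigest()


def check_entity_id(value):
    """Service Provider Entity ID must be the bare Omni hostname."""
    problems = []
    if "://" in value:
        problems.append("remove the scheme (e.g. https://)")
    if "/" in value.split("://")[-1]:
        problems.append("remove the path or trailing slash")
    if not problems and not HOSTNAME_RE.match(value):
        problems.append("not a valid hostname")
    return problems


if __name__ == "__main__":
    print(check_certificate(SAMPLE_PEM))
    print(check_entity_id("https://blobsrus.omniapp.co/"))  # hostname from the guide
```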

## What's next?

Setting up SAML allows your users to authenticate to Omni using their Rippling credentials. With this setup completed, you can also [configure SCIM to auto-provision users & user groups in Omni](/administration/authentication/rippling/scim).
