This site requires JavaScript to be enabled
External Customer KB > General > Configure SSO for a Form-Based Application
Configure SSO for a Form-Based Application
Article: KB0010357 Published: 06/06/2019 Last modified: 08/20/2020

This topic describes how to configure OneLogin to provide SSO for an application using form-based authentication. 

About form-based authentication

In form-based authentication, a user is presented with an editable form to fill in and submit in order to log into an app. OneLogin handles apps that require form-based authentication by taking a stored, encrypted login and password and automatically injecting them into an application's login page, filling out the form, and logging that user in. This enables OneLogin to provide single sign-on access to applications that have not adopted SAML, which is token-based, or those that do not have an API interface.

All form-based OneLogin apps require users to have the OneLogin browser extension installed.

OneLogin administrators have flexibility in determining how a user's credentials are entered for form-based applications: Configured by end-users, Configured by admin, and Configured by admin and shared by all users.

  • Configured by end-users allows users to input their own credentials the first time they sign into the application. These will be securely stored by OneLogin and auto-injected into the sign-in page by the OneLogin browser extension every time they access that app. For this configuration, end-users will enter their username and password for the application.

  • Configured by admin allows the account administrator to set each user's credentials individually. This can be done manually on a per-user basis, or automatically by mapping the application field-values in the connector to corresponding user attributes. For this configuration, end-users will only enter their password for the application.

  • Configured by admin and shared by all users allows the account administrator to configure a single set of application credentials that will be used by every user accessing the application. A sample use-case is a single set of credentials to a company Twitter account that will be used by a group of users. For this configuration, administrators will enter the username and password for the application.

Adding a form-based app

Note. Some of the tabs on the App Edit page are not used for most apps that use form-based authentication.  For example, the Rules tab is used to set provisioning rules, but provisioning is not supported for most form-based apps.  

  1. Go to Apps > Add Apps.

  2. Search for an application to add and select it.

    You can edit the Display Name.

  3. Select Form-based auth under Connectors.

  4. Click Save to add the app to your Company Apps library and display additional tabs.

  5. If the Configuration tab is displayed, add a domain or connect to the app API.

    Most apps that use form-based authentication do not display this tab.  If yours does, your app connector may require the domain name that your company uses with the app and/or API login credentials (which are usually the username and password of an administrator for the app). For example, Google Apps uses an API connection to enable password provisioning, even if you are using form-based authentication.  You must enter the domain name ( that your company uses for Google Apps and click the Authenticate button to provide your API authentication credentials to Google Apps:


  6. Select the Parameters tab to set how login credentials are configured and to map your app credential fields to OneLogin values.

    • If credentials are Configured by end-users:

      Email/Username and Password will be mapped to - No default -. Users will enter their own credentials upon first signing into the application from their OneLogin portal. 

    • If credentials are Configured by admin:

      Email/Username will be mapped to whatever directory value is used as their username, and Password will be mapped to - No default -. Users will enter their own password upon first signing into the application from their OneLogin portal.

      You can manually update or change a user's credentials from that of the directory by going to the Apps > Company Apps > Application > Users and selecting that user to edit their individual record.

    • If credentials are Configured by admins and shared by all users:

      Email/Username will be the account's username, and Password will be the account's password. Users will not need to enter any credentials, as they are controlled by the administrator.

  7. On the Access tab, add users to the app.

    On this tab, you can assign users to the app by adding the app to a role.  To assign individual users to the app, you must go to Users > All Users and select the user account.  You can also use the Access tab to add a security policy for the app. See Roles and App Policies.

  8. (Optional) On the SSO tab, indicate whether or not admins who are assuming users are allowed to sign in this app as an assumed user.  See Assuming Users.

    This option is disabled by default.

  9. Click Save.

Now users with access to the application will be able to log into the application or enter their own credentials upon accessing the application.

Expand/Collapse Comments
Was this helpful?