Lightstep provides an integration with OneLogin that allows OneLogin to handle user authentication. Once you integrate with OneLogin and configure single sign-on (SSO), users can sign in to Lightstep either from OneLogin (IdP-initiated) or from Lightstep (SP-initiated).

Supported Features

Lightstep currently supports the following SAML features:

  • IdP-initiated SSO: Users log into OneLogin and then select the Lightstep app and are signed in.
  • SP-initiated SSO: Users log into Lightstep and OneLogin authenticates the user.
  • JIT (Just In Time) Provisioning: Once the user is assigned to Lightstep in OneLogin, they can provision a new Lightstep account upon first login.

Prerequisites

You’ll need the following to integrate Lightstep with OneLogin:

  • An admin OneLogin account in an organization with SAML privileges.
  • An admin Lightstep user.
  • A default user role configured in Lightstep. This is the role that will be assigned to all OneLogin users (you can change it in Lightstep).

Integrate and Configure Lightstep with OneLogin

  1. From the Admin Portal in OneLogin, add the Lightstep application to your OneLogin account.
  2. Click on the Lightstep application to configure the application.
  3. In the upper right, under More Actions, click SAML metadata.
    You need an XML blob to configure communication between OneLogin and Lightstep.
  4. Copy the XML blob to your clipboard.
  5. In Lightstep, navigate to Account Settings.
  6. Click the SSO tab and paste the blob into the IDP metadata (XML) box.
  7. Click Save.
    A RelayState value is generated and displayed in the RelayState field.
  8. Copy the RelayState value to your clipboard.
  9. Back in OneLogin, go to the Configuration tab, paste the RelayState value into the Default Relay State field, and save.

Enable SSO

When you enable SSO, users can sign in to Lightstep either from OneLogin or from Lightstep. You can assign Lightstep either to roles or to specific users.

To enable SSO for a OneLogin role:
In OneLogin as an admin, go to the Access tab and select the roles to have Lightstep access.

To enable SSO for a OneLogin user:

  1. In OneLogin as an admin, go to the users page and search for the user you want to assign to Lightstep.
  2. In their profile, click the Applications tab.
  3. Click the Plus next to Applications, select Lightstep from the dropdown, and click Continue to give the user access.

Sign In to Lightstep from OneLogin

Once you’ve assigned a user to Lightstep in OneLogin, the Lightstep app displays in their dashboard. They can double-click the icon to log into Lightstep.

Sign In to Lightstep from Lightstep

Once you’ve assigned a user to Lightstep in OneLogin, they can also log in directly from Lightstep.

With SSO enabled, users must sign in from the SAML SSO tab.

To sign in from Lightstep:

  1. Navigate to http://app.lightstep.com.
  2. Click the SAML SSO tab and enter the email used to create the Lightstep user in OneLogin.