OnePACS now supports Single Sign-On (SSO) via SAML 2.0, enabling seamless and secure authentication through your organization's identity provider (IdP), such as Okta, Azure Active Directory, or other SAML-compatible services.
Use Your Existing Credentials: Log into OnePACS with your corporate username and password.
Enhanced Security: Centralized authentication via your IdP supports stronger access controls, including MFA policies.
Improved User Experience: No need to manage a separate OnePACS password, fewer credentials to remember and reset.
OnePACS SAML SSO is compatible with major IdPs, including:
Okta
Microsoft Azure AD
Google Workspace (SAML)
Ping Identity
Auth0
Any SAML 2.0-compliant IdP
Important Note: The OnePACS SAML Integration does not currently support user provisioning; however, this feature is planned for a future release.
✅ Preconditions for SAML SSO Integration
Before configuring SAML in OnePACS, you will need to configure the application in your SSO Provider based on the following information.
OnePACS’ SAML ACS URL: Each Identity Provider now has a unique ACS URL, generated when you create the IdP record in OnePACS. This ACS URL must be used for:
Entity ID: The Entity ID for OnePACS is the same as the ACS URL for that IdP.
To configure SSO for your organization:
Log in to OnePACS using your OnePACS admin credentials.
Identity Provider Configuration
Go to Admin > Identity Providers
Click Add at the bottom left of the screen.
Configure your Identity Provider in OnePACS with the metadata or information provided by your IdP:
Friendly Name for OnePACS
Certificate
Important Note: The ACS URL is only generated after you save your Identity Provider. If you need the ACS URL before entering the final details, you can save the Identity Provider with blank or temporary values and update it later.
Assigning Users to IdPs
Go to Admin > Users
Add or edit an existing user. Expand Identity Providers at the bottom left of the screen. Select the Identity Provider previously configured, along with the IdP username (must match the NameID returned in the SAML response).
**The IdP username must match the value passed back from this username attribute.
NOTE: Admins are responsible for creating Identity Providers (IdPs). They can either add users directly or delegate access by assigning privileges to facility managers, who can then add other facility managers, facility users, or assign existing users to IdPs for authentication.
NOTE: A user cannot change their password within OnePACS when configured to use SAML because that functionality is handled by the IdP. If you have trouble saving an IdP for a user, check to see if that user has the "Change password" permission and remove it, then try again.
Please reach out to our support team if you need assistance with setup.
To ensure secure SAML communication, OnePACS supports signed authentication requests. The X.509 certificate used to sign these requests is available directly within the Identity Provider configuration page.
Where to Find It:
This certificate should be added to your IdP configuration to validate incoming signed requests from OnePACS.
Once SSO is configured for your account:
web.onepacs.com, my.onepacs.com).