To get started you'll need to navigate to the Administrator section of OneLogin. Once you are there, the first step is to add a new app:
The type of App you are wanting to add is "SAML Test Connector (IDP)":
Once you add the connector, it will take you to the first configuration screen where you can give the App a name, like this:
Once this has saved, we need to setup the One Model company settings, so navigate to the instance that you are setting up, the url will look something like: https://onemodeltest.onemodel.us where onemodeltest is your company name.
Once you are logged in, navigate to the Admin -> Company section of the site:
This is where a customer can administer a number of things, one of which being SAML based SSO. Scroll down the page until you get to the SAML2 Integrations section and click the Add SAML2 Integration button:
To setup OneLogin, you'll want to select the "Manually configure SAML2" option, which will then ask you to provide a few items from the OneLogin Administration page, these are the IDP Url, the Issuer and the Public Key that is being used for the authentication. These items can be found in the SSO section of the OneLogin:
IDP Url - In OneLogin this is the "SAML 2.0 Endpoint (HTTP)"
Issuer - In OneLogin this is the "Issuer URL"
To find the Public Key, you need to view the details of the X.509 Certificate. This will take you to a screen like this:
From here you can copy the X.509 Certificate to the clipboard and paste it into the SAML Configuration section in the Company Admin in One Model:
Next select the NameID Type you'd like to use for Authentication to One Model, for this provider we would recommend using email as the NameID Type. Once you have done this, save your changes to the configuation in One Model. If the ACS URL and Entity ID haven't populated, refresh the Company settings page.
The ACS URL and Entity ID can now be used to finish the configuration in OneLogin. In OneLogin, navigate to the Configuration tab:
You will want to use the ACS URL to populate the "ACS (Consumer) URL*", the "Recipient" and "ACS (Consumer) URL Validator*", which when done will look something like the above.
The last step is to configure the parameters that are sent across with the SSO request from OneLogin to One Model. The only things that are required are:
Usually the NameID, will contain the Email address, in which case it won't need to be a separate attribute. When you set the First Name and Last Name up, you will want to specify that they are included in the SAML assertion.
The following attributes are optional for successful sign in to One Model, but are used for Contextual Role Based Security if this is something you'd like to use:
- personId - This is used to identify the person based on the key that your company uses to identify them. The exact key and where it links to in the data set is configurable in One Model. Usually this would be Employee Id, Person Id, or something similar.
The completed set of parameters will look like this:
At this point the SSO is all configured. If a new user authenticates using SSO, they will be given the roles specified in the SSO configuration in the Company Settings in One Model, if you haven't set this up, they will just be given an empty account that can't access any of the site's functions. If you have created users in One Model manually already, you will likely need to turn on the ability for them to SSO if you would like them to use this functionality as well. This setting can be found in the Admin -> Users:
It is in the edit the user section and is checkbox that says "Allow log in via Single Sign On":
If you don't turn this on, they will receive an Access Denied error when they try to login that looks like this: