OneLogin Identity Provider Configuration

Purpose

This document provides instructions to set up and configure OneLogin Identity Provider (IdP) for OUTSCAN or HIAB using Security Assertion Markup Language (SAML) protocol.

Introduction

OneLogin is an Identity and Access Management (IAM) solution, that provides Single Sign-On (SSO) solution allowing to authenticate once in an application portal and then access all available applications without the need to re-authenticate on each application. OneLogin provides several connector using different authentication protocol such as OpenID Connect (OIDC) and Security Assertion Markup Language (SAML).

OneLogin Configuration

To configure the OneLogin application using a SAML connector:

Log in to OneLogin Administration Portal for your company.
Once in the administration portal, open the Application menu and then click on the Add App button on the top right corner.
Enter SAML custom connector in the search field and select the SAML Custom Connector (Advanced).
Fill the Name and Description fields according to your setup and then click on the Save button on the top right corner.
Update the Application / Configuration of the newly created application to reflect OUTSCAN or HIAB setup, by adjusting/customizing the Applications details as follow:
1. Adjust Audience (EntityID) by replacing <OUTSCAN or HIAB_FQDN_OR_IP> with the FQDN or IP address of your OUTSCAN or HIAB setup.
  RelayState can be left empty.
2. Adjust ACS (Consumer) URL Validator and ACS (Consumer) URL by replacing <OUTSCAN/HIAB_FQDN_OR_IP> with the FQDN or IP address of your OUTSCAN or HIAB setup.
  
  Example:
  
  Note
  
  The UUID value that matches your integration use case can be found in the SP metadata XML file that you downloaded from OUTSCAN or HIAB Identity provider integration window.
  The ACS example given above illustrate the integration with OUTSCAN. In case of integration with HIAB 'outscan.outpost24.com' must be replace by HIAB IP address which can be also found in the SP metadata XML file downloaded from Identifty provider integration window.
  
  URL Validator consideration
  
  URL Validator is using regular expression to validate the URL, so keep in mind that for instance '.' character must be escaped and expressed '\.
3. Adjust Login URL by replacing <OUTSCAN/HIAB_FQDN_OR_IP> with the FQDN or IP address of your OUTSCAN or HIAB setup.
  
  example integration with outscan:
4. Adjust SAML initiator to Service Provider or OneLogin value as we only support application initiated authentication.
5. Adjust SAML issuer type to Generic value.
6. Adjust SAML signature element to Assertion value.
7. Adjust SAML encryption method to AES-256-CBC value.
Update the Application / Parameters of the newly created application to reflect OUTSCAN or HIAB setup, by adjusting/customizing the SAML Custom Connector (Advanced) Field as follow:
Click the + blue circle to open a popup in order to add a field and use the same filed name as the claim that you configured in OUTSCAN or HIAB.

Note

If you want to use uid then name the Field name uid instead of email.
Clicking the Save button, you will save this field and be able to adjust its value, by selecting the proper value according to you settings in OUTSCAN or HIAB. For example, in case of email address, you can select the Email value. Ensure you also enable it in the SAML assertion by checking the Include in SAML assertion check box as follow.
Once you are done, press the Save button again to save the newly created field.
It is now possible to retrieve and download the SAML Metadata file by clicking on the More Action drop-down menu in the top right corner and select SAML Metadata. This file is used during the OUTSCAN or HIAB configuration step located under generic Integration / Identity provider.
Continue to grant users access to the newly created application.
1. Go to Applications.
2. Select the application.
3. Go to Users to grant user access to the selected application.

OUTSCAN or HIAB Configuration

To configure OUTSCAN or HIAB to use OneLogin as Identity Provider, you need to achieve the following steps:

Retrieving the metadata file describing the identity provider
Adjust the metadata file (if needed)
Uploading the metadata file in OUTSCAN or HIAB

Retrieve Identity Provider Metadata file

In order to retrieve the metadata file from OneLogin for the OUTSCAN or HIAB application, you need to enter the application in OneLogin portal by clicking in the More Action drop-down menu on the top right corner and select SAML Metadata .

Save this file as it will be required during the OUTSCAN or HIAB configuration step that you can find under generic Integration > Identity provider.

Adjust Identity Provider Metadata file

To integrate an Identity Provider (IdP) in OUTSCAN or HIAB, you have to upload the SAML Metadata file describing the IdP. This file must comply to the SAML standard.

Upload the SAML Metadata File

Open the SAML Metadata file retrieved from the Identity Provider (IdP) and check that:

The file contains the XML tag: <?xml version='1.0' encoding='UTF-8'?>

XML tag consideration

If the XML tag is not present, just add the following tag <?xml version='1.0' encoding='UTF-8'?> at the beginning of the file.

The EntityDescriptor section contains validUntil attribute

validUntil attribute consideration

If this attribute is not present, just add it using the following format: validUntil="YYYY-MM-DDTHH:MM:SS"

A valid SAML Metadata file should looks like the following

SAML Metadata file consideration

Uploading the file in its current state will result in an error.

Identity Provider Setup

An Identity Provider (IdP) offers user authentication as a service. It is a trusted provider that allows the use of single sign-on (SSO) to access other application. SSO enhances usability by reducing password fatigue as passwords are maintained on your IdP.

Setting Up Identity Provider

To enable SSO on OUTSCAN or HIAB you must import meta-data from your IdP into the solution. You also need to export the service provider’s meta-data from OUTSCAN or HIAB and import it to your IdP.

While reading the response from IdP during signing in to our portal, we accept signed assertions with parameters. The parameters list which your IdP is returning in response must include your user name in a parameter. By default it is set to parameter named uid but you can set up to different parameter (eg Subject attribute).

To set up Identity Provider:

Go to Menu > Settings > Integrations and select the Identity Provider tab.

Provide the below information to enable Identity Provider (IdP):

Option	Description
Enabled	Select the Enabled checkbox to enable the protocol for single sign-on trusting another source to log in.
Use one or both of the following option to provide metadata of IdP:
Get metadata from file:	Select Identity provider’s metadata file by clicking the + symbol beside the field. Metadata contains information such as how it works, what type of login is acceptable and so on.
Get metadata from URL:	Provide a URL from which the OUTSCAN or HIAB (Service Provider) should fetch metadata from IdP.
Subject attribute:	Enter uid string if you want to use USERNAME that is not an email address. This field cannot be left empty. Subject attribute considerations uid is a reserved name in Outpost24 software to truncate the USERNAME to the part below the @ sign, meaning that if you want to use email address as USERNAME, you can not use uid as Subject attribute, but you can use any other string (such as emailAddress). The parameter name must be typed as expected in the SAML authentication response (one single word starting with lowercase and may include some upper cases (eg camelCase)).
Signature hash algorithm:	Select between SHA-256 or SHA-1.
Direct access to portal:	SSO binds you respectively to Portal UI or NetSec UI when box is checked or not checked. If 'Direct access to portal' appears in grey then you cannot use this capability unless you update the SP metadata on your Identity Provider. For that you need first to download the SP Metadata by clicking on SP Metadata button and then make sure to upload it on your IdP. Once done you can then select option to be directed to either NetSec or Portal UI. If 'Direct access to portal' appears in grey then only SP initiated SSO is available. If you need to enable IdP initiated SSO then you have to download the SP Metadata by clicking on SP Metadata button and then make sure to upload it on your IdP. Once done you can then perform Single Sign On from the Identity Portal side.
IDP Metadata	Click this button to display the currently uploaded metadata of the Identity Provider.
SP Metadata	Click on this button to display the service provider’s metadata.

After enabling the required settings, click Save to save the current settings.
Click Reset to fully remove the current settings. This disables the integration.

Verifying Integration Functionality

OneLogin allows either SP or IdP (OneLogin) initiated SSO not both at the same time.

SP Initiated SSO, for example from Outpost24 tool

Navigate to the login screen for the Outpost24 Tool
Enter the Outpost24 username (part below the @ sign in the user's email address as previously recommended settings) of the user added to the Outpost24 Application within Azure
Click Single sign on and you will be redirected to login via the Azure portal.

The users AD account needs to be added to the Outpost24 Application in Azure to successfully login.

IdP Initiated SSO, for example from <yourDomain>.onelogin.com

Login to <yourDomain>.onelogin.com
Click on <OUTPOST24 HIAB> and you are redirected to Outpost24 Application, depending on settings to either NetSec UI or Portal UI.

Reference

Security Assertion Markup Language (SAML) v2.0