OneLogin Identity Provider Configuration

Purpose

This document provides instructions to set up and configure OneLogin Identity Provider (IdP) for OUTSCAN or HIAB using Security Assertion Markup Language (SAML) protocol.

Introduction

OneLogin is an Identity and Access Management (IAM) solution that provides Single Sign-On (SSO) solution, allowing to authenticate once in an application portal and then access all available applications without the need to re-authenticate on each application. OneLogin provides several connectors using different authentication protocols such as OpenID Connect (OIDC) and Security Assertion Markup Language (SAML).

OneLogin Configuration

To configure the OneLogin application using a SAML connector:

1. Log in to OneLogin Administration Portal for your company.

2. Once in the administration portal, open the Application menu and then click on the Add App button on the top right corner.
   

   

   
   

3. Enter SAML custom connector in the search field and select the SAML Custom Connector (Advanced).
   

   

   
   

4. Fill the Name and Description fields according to your setup and then click on the Save button on the top right corner.
   

   

   
   
   

   

   
   
   

5. Update the Application / Configuration of the newly created application to reflect OUTSCAN or HIAB setup, by adjusting/customizing the Applications details as follow:

   1. Adjust Audience (EntityID) by replacing <OUTSCAN or HIAB_FQDN_OR_IP> with the FQDN or IP address of your OUTSCAN or HIAB setup.
      RelayStatecan be left empty.
      
       

      

      
      

   2. Adjust ACS (Consumer) URL Validator and ACS (Consumer) URL by replacing <OUTSCAN/HIAB_FQDN_OR_IP> with the FQDN or IP address of your OUTSCAN or HIAB setup.
      

      

      
      

      

      
      Example:
      

      

      
      Note that the UUID value that matches your integration use case can be found in the SP metadata XML file that you downloaded from OUTSCAN or HIAB Identity provider integration window.

      The ACS example given above illustrate the integration with OUTSCAN. In case of integration with HIAB 'outscan.outpost24.com' must be replace by HIAB IP address which can be also found in the SP metadata XML file downloaded from Identify provider integration window.
      

      URL Validator consideration

      URL Validator is using regular expression to validate the URL, so keep in mind that for instance '.' character must be escaped and expressed '\.

      
      

   3.  Adjust Login URL by replacing <OUTSCAN/HIAB_FQDN_OR_IP> with the FQDN or IP address of your OUTSCAN or HIAB setup.
      

      

      
      example integration with Outscan:
      

      

      
      

   4. Adjust SAML initiator to Service Provider or OneLogin value as we only support application initiated authentication.

   5. Adjust SAML issuer type to Generic value.

   6. Adjust SAML signature element to Assertion value.

   7. Adjust SAML encryption method to AES-256-CBC value.
      

      

      
      

6. Update the Application / Parameters of the newly created application to reflect OUTSCAN or HIAB setup, by adjusting/customizing the SAML Custom Connector (Advanced) Field as following:
   

   

   
   

7. Click the + blue circle to open a popup in order to add a field and use the same filed name as the claim that you configured in OUTSCAN or HIAB.
   

   

   
   

8. Clicking the Save button, you will save this field and be able to adjust its value, by selecting the proper value according to you settings in OUTSCAN or HIAB. For example, in case of email address, you can select the Email value. Ensure you also enable it in the SAML assertion by checking the Include in SAML assertion check box as follow.
   

   

   
   

9. Press the Save button again to save the newly created field.
   

   

   
   

10. It is now possible to retrieve and download the SAML Metadata file by clicking on the More Action drop-down menu in the top right corner and select SAML Metadata. This file is used during the OUTSCAN or HIAB configuration step located under generic Integration / Identity provider.
    

    

    
    

11. Continue to grant users access to the newly created application.

    1. Go to Applications.

    2. Select the application.

    3. Go to Users to grant user access to the selected application. 

URL Validator consideration

URL Validator is using regular expression to validate the URL, so keep in mind that for instance '.' character must be escaped and expressed '\.

URL Validator consideration

URL Validator is using regular expression to validate the URL, so keep in mind that for instance '.' character must be escaped and expressed '\.

Note

The UUID value that matches your integration use case can be found in the SP metadata XML file that you downloaded from OUTSCAN or HIAB Identity provider integration window.

The ACS example given above illustrate the integration with OUTSCAN. In case of integration with HIAB 'outscan.outpost24.com' must be replace by HIAB IP address which can be also found in the SP metadata XML file downloaded from Identifty provider integration window.

Note

The UUID value that matches your integration use case can be found in the SP metadata XML file that you downloaded from OUTSCAN or HIAB Identity provider integration window.

The ACS example given above illustrate the integration with OUTSCAN. In case of integration with HIAB 'outscan.outpost24.com' must be replace by HIAB IP address which can be also found in the SP metadata XML file downloaded from Identifty provider integration window.

OUTSCAN or HIAB Configuration

To configure OUTSCAN or HIAB to use OneLogin as Identity Provider, complete the following steps:

• Retrieve the metadata file describing the identity provider

• Adjust the metadata file (if needed)

• Upload the metadata file in OUTSCAN or HIAB

Retrieve Identity Provider Metadata file

In order to retrieve the metadata file from OneLogin for the OUTSCAN or HIAB application, you need to enter the application in OneLogin portal by clicking in the More Action drop-down menu on the top right corner and select SAML Metadata .

Save this file as it will be required during the OUTSCAN or HIAB configuration step that you can find under generic Integration > Identity provider.

Adjust Identity Provider Metadata file

To integrate an Identity Provider (IdP) in OUTSCAN or HIAB, you have to upload the SAML Metadata file describing the IdP. This file must comply to the SAML standard.

Upload the SAML Metadata File

Open the SAML Metadata file retrieved from the Identity Provider (IdP) and make sure that:

• The file contains the XML tag: <?xml version='1.0' encoding='UTF-8'?>

• The EntityDescriptor section contains validUntil attribute

A valid SAML Metadata file should looks like the following

Identity Provider Setup

An Identity Provider (IdP) offers user authentication as a service. It is a trusted provider that allows the use of single sign-on (SSO) to access other application. SSO enhances usability by reducing password fatigue as passwords are maintained on your IdP.

Setting Up Identity Provider

Verifying Integration Functionality

OneLogin allows either SP or IdP (OneLogin) initiated SSO not both at the same time.

SP Initiated SSO, for example from Outpost24 tool

1. Navigate to the login screen for the Outpost24 Tool

2. Enter the Outpost24 username (part below the @ sign in the user's email address as previously recommended settings) of the user added to the Outpost24 Application within Azure

3. Click Single sign on and you will be redirected to login via the Azure portal.

The users AD account needs to be added to the Outpost24 Application in Azure to successfully login.

IdP Initiated SSO, for example from <yourDomain>.onelogin.com

1. Login to <yourDomain>.onelogin.com

2. Click on <OUTPOST24 HIAB> and you are redirected to Outpost24 Application, depending on settings to either NetSec UI or Portal UI.

Reference

Security Assertion Markup Language (SAML) v2.0