OneLogin SAML Integration

Learn how to configure a connection to OneLogin via SAML.


Introduction

Each SSO Identity Provider requires specific information to create and configure a new Connection (through an application registered with that provider), and the information required differs from one Identity Provider to the next.


OneLogin integration with Cripsa using SAML consists of 4 parts.
  • 1. Create a project (or select an existing one) by logging in to https://cripsa.com
  • 2. Create an App in OneLogin with an admin account in your OneLogin admin console (https://<your-subdomain>.onelogin.com/admin2/apps).
  • 3. Use the Issuer/Metadata URL of the OneLogin App you registered to integrate it with Cripsa.
  • 4. Use the login URI returned by Cripsa as the target of the user's sign-in click to start the authentication process.

Create Project through Cripsa

Log in to the Cripsa Dashboard with your email account.


One Login SAML Image-1

One Login SAML Image-2

Once logged in, create a project for SAML.


One Login SAML Image-3

Fill in all the details; all fields are required.


One Login SAML Image-4

Click on “Create Project”.


One Login SAML Image-5

Note down all of the highlighted information above; it is needed when creating the App in the OneLogin Admin Console (https://<your-subdomain>.onelogin.com/admin2/apps).

What Cripsa provides

Cripsa provides the ACS URL and the SP Entity ID. Both are shown on the Project Detail page of the Cripsa Dashboard.


One Login SAML Image-6

The ACS (Assertion Consumer Service) URL is the endpoint to which the Identity Provider sends its SAML response, via the user's browser. In OneLogin's case, it is set by the Enterprise when configuring your application in their OneLogin dashboard.

The SP Entity ID is a URI used to identify the issuer of a SAML request, response, or assertion. In this case, the entity ID tells the Enterprise's OneLogin instance that Cripsa is the party sending SAML requests to it and consuming the assertions it returns; OneLogin puts this value in the Audience of every assertion it issues for the app, and the Service Provider rejects assertions whose Audience does not match.

Specifically, the ACS URL will need to be set as the “ACS URL” and the SP Entity ID will need to be set as the “Entity ID” (the Audience) in the “Service Provider Details” step of the OneLogin SAML setup.


What you’ll need

In order to integrate, you'll need the IdP metadata from OneLogin, either as the metadata (Issuer) URL or as the downloaded metadata XML file.

Normally, this information will come from your Enterprise customer’s IT Management team when they set up your application’s SAML 2.0 configuration in their OneLogin admin dashboard. But should that not be the case during your setup, here’s how to obtain it.


1. Log in

Log in to the OneLogin admin dashboard and select “Applications -> Applications -> Add App”. If your application already exists, select it from the list of applications and skip to Step 5. If you haven't created a SAML application yet, continue below to create it.


One Login SAML Image-7

One Login SAML Image-8

Type “saml” in the search field and select “SAML Test Connector (IdP)”.


One Login SAML Image-9

2. Enter Your App’s Information

Give the app a Display Name and upload an icon if applicable, then click “Continue”.


One Login SAML Image-10

3. Adding Fields for SAML

Go to the Parameters tab and click the “+” button in the right pane.


One Login SAML Image-11

One Login SAML Image-12

Add the field name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, tick the “Include in SAML assertion” flag (a custom parameter without this flag is stored but never sent to the Service Provider), and click SAVE.


One Login SAML Image-13

Now select “Email” in the Value field and click SAVE again.


One Login SAML Image-14

Similarly, add http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier with the value “Username”.


One Login SAML Image-15

One Login SAML Image-16
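The two parameters above arrive at the Service Provider inside the AttributeStatement of the signed assertion, alongside the NameID, Audience and Recipient fields that the “What Cripsa provides” section describes. The following is an added example (not Cripsa's or OneLogin's code) of the checks an SP performs before it trusts those claims. The SAML response is a constructed, unsigned sample, and SP_ENTITY_ID and ACS_URL are placeholders for the values on the Cripsa project detail page; XML signature verification is left to a SAML library (for example python3-saml) and is deliberately not done here.

```python
"""Service-provider side checks on a OneLogin SAML assertion.

Added example, not Cripsa's or OneLogin's code. The response below is a
constructed, unsigned sample; SP_ENTITY_ID and ACS_URL stand in for the values
shown on the Cripsa project detail page. XML signature verification is left to
a SAML library and is NOT performed here.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # use defusedxml in production to block XXE/entity expansion

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NAMEID_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

# Assumed placeholders; copy the real ones from the Cripsa project detail page.
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
ACS_URL = "https://sp.example.com/saml/acs"
IDP_ISSUER = "https://app.onelogin.com/saml/metadata/EXAMPLE-APP-ID"  # constructed

# Constructed sample response carrying the two parameters configured in step 3.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{ACS_URL}" ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2024-01-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:57:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{EMAIL_CLAIM}"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{NAMEID_CLAIM}"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value: str) -> datetime:
    """Parse the UTC timestamps SAML uses (no clock-skew allowance here)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text: str, sp_entity_id: str, acs_url: str, now_iso: str) -> dict:
    """Validate Audience, Recipient and validity window, then extract the claims."""
    now = _ts(now_iso)
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "errors": ["no Assertion in response"]}
    errors = []

    # Audience must be exactly our SP Entity ID, otherwise an assertion minted
    # for a different app in the same tenant could be replayed against us.
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        errors.append(f"audience mismatch: {audiences}")

    # Bearer confirmation must name our ACS URL as the Recipient.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        errors.append("recipient mismatch")
    if scd is not None and "NotOnOrAfter" in scd.attrib and now >= _ts(scd.get("NotOnOrAfter")):
        errors.append("subject confirmation expired")

    # Validity window on the Conditions element.
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if "NotBefore" in cond.attrib and now < _ts(cond.get("NotBefore")):
            errors.append("not yet valid")
        if "NotOnOrAfter" in cond.attrib and now >= _ts(cond.get("NotOnOrAfter")):
            errors.append("expired")

    attrs = {
        at.get("Name"): [v.text for v in at.findall("saml:AttributeValue", NS)]
        for at in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    return {
        "ok": not errors,
        "errors": errors,
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "email": (attrs.get(EMAIL_CLAIM) or [None])[0],
        "attributes": attrs,
    }


if __name__ == "__main__":
    print(check_assertion(SAMPLE_RESPONSE, SP_ENTITY_ID, ACS_URL, "2024-01-01T12:01:00Z"))
```

The checks are ordered the way a real SP library applies them after the signature has been verified: signature first, then Audience and Recipient (which pin the assertion to this SP and this endpoint), then the time window, and only then the attributes. Production code should also allow a few seconds of clock skew and reject assertion IDs it has already seen.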

4. Enter Service Provider Details

Now go to the Configuration tab in the left menu and enter the details you obtained when creating the project in Cripsa (Cripsa -> SAML -> Create Project).


One Login SAML Image-17

For RelayState, enter any valid URL, such as https://www.example.com. OneLogin returns this value unchanged with the SAML response; any application that redirects the user to it after login must validate it against an allow-list rather than follow it blindly.

For Audience, enter the SP Entity ID (the “SP_EntityId” value from Create Project).

For ACS (Consumer) URL Validator, enter the “ACS” detail from Create Project. This field is a regular expression, not a plain URL: the literal URL works because “.” matches any character, but a stricter form escapes each “.” and “/” and anchors the pattern with “^” and “$”, so that only the exact ACS URL is accepted.

For ACS (Consumer) URL, enter the “ACS” detail from Create Project.


One Login SAML Image-18
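Because the ACS (Consumer) URL Validator is a regular expression, the pattern decides which AssertionConsumerServiceURL values OneLogin will deliver a signed assertion to. The following is an added example (not Cripsa's or OneLogin's code) that builds an escaped, anchored pattern from the ACS URL and contrasts it with the literal URL used as a pattern. The ACS URL is an assumed placeholder, the probe URLs are constructed, and the validator is modelled as an unanchored regex search, which is the loosest reasonable reading of the field.

```python
"""Building a safe pattern for OneLogin's "ACS (Consumer) URL Validator".

Added example, not Cripsa's or OneLogin's code. ACS_URL is an assumed
placeholder; copy the real one from the Cripsa project detail page.
"""
import re

ACS_URL = "https://sp.example.com/saml/acs"  # assumed placeholder

# Characters that are special in every common regex dialect, plus "/" so the
# result is also safe in engines that use "/" as a delimiter.
_REGEX_META = set(".^$*+?()[]{}|\\/")


def acs_validator_regex(acs_url: str) -> str:
    """Escape every metacharacter and anchor both ends, so the validator
    accepts exactly one URL and nothing that merely contains it."""
    escaped = "".join("\\" + c if c in _REGEX_META else c for c in acs_url)
    return "^" + escaped + "$"


def validator_accepts(pattern: str, candidate_acs: str) -> bool:
    """Model of the validator field: an unanchored regex search (assumption).
    An anchored, escaped pattern gives the same answer under any model."""
    return re.search(pattern, candidate_acs) is not None


# Constructed AssertionConsumerServiceURL values an attacker-controlled
# AuthnRequest might carry, trying to get the assertion posted elsewhere.
PROBES = {
    "exact": ACS_URL,
    "dot_as_wildcard": "https://sp-example.com/saml/acs",            # "." matched "-"
    "embedded": "https://evil.example/?next=https://sp.example.com/saml/acs",
    "trailing_path": "https://sp.example.com/saml/acs/../admin",
}


def compare(acs_url: str) -> dict:
    """For each probe: (accepted by the literal-URL pattern, accepted by the
    escaped+anchored pattern)."""
    loose, strict = acs_url, acs_validator_regex(acs_url)
    return {name: (validator_accepts(loose, c), validator_accepts(strict, c))
            for name, c in PROBES.items()}


if __name__ == "__main__":
    print(acs_validator_regex(ACS_URL))
    for name, (loose_ok, strict_ok) in compare(ACS_URL).items():
        print(f"{name:16s} literal={loose_ok!s:5s} anchored={strict_ok}")
```

Paste the string returned by acs_validator_regex into the validator field; the literal ACS URL then goes into the ACS (Consumer) URL field as the page describes. The strict pattern rejects every probe except the exact URL, while the literal URL as a pattern accepts all of them.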

5. Obtain Identity Provider Details

Select SSO in the left pane and note down the Issuer URL. This is the OneLogin metadata URL for the app, and it is the value to pass as the Metadata URI in the Register App menu of the Cripsa portal. The same tab shows the X.509 certificate OneLogin signs assertions with; the metadata served at the Issuer URL embeds that certificate, so it should be fetched over HTTPS and the certificate compared against what the SSO tab shows.


One Login SAML Image-19

One Login SAML Image-20

One Login SAML Image-21
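The document served at the Issuer URL is standard SAML 2.0 IdP metadata: it carries the IdP entityID, the single sign-on endpoints, and the signing certificate that every later assertion is verified against. The following is an added example (not Cripsa's or OneLogin's code) of extracting those values and pinning the signing certificate's fingerprint. The metadata below is constructed: the entityID, app id, SSO locations and the "certificate" bytes are placeholders, not a real OneLogin tenant or a real X.509 certificate, and the document is embedded rather than fetched so that the example runs offline.

```python
"""Parsing the OneLogin IdP metadata served at the Issuer URL.

Added example, not Cripsa's or OneLogin's code. SAMPLE_METADATA is constructed:
entityID, app id, SSO locations and FAKE_CERT_DER are placeholders. In practice
the document is fetched over HTTPS from the Issuer URL noted in step 5.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET  # use defusedxml in production

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NS = {"md": MD, "ds": DS}

FAKE_CERT_DER = b"constructed placeholder, not a DER certificate"
FAKE_CERT_B64 = base64.b64encode(FAKE_CERT_DER).decode()

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://app.onelogin.com/saml/metadata/EXAMPLE-APP-ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="{REDIRECT}"
        Location="https://example-tenant.onelogin.com/trust/saml2/http-redirect/sso/EXAMPLE-APP-ID"/>
    <md:SingleSignOnService Binding="{POST}"
        Location="https://example-tenant.onelogin.com/trust/saml2/http-post/sso/EXAMPLE-APP-ID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, the usual form for pinning an IdP certificate."""
    return hashlib.sha256(der).hexdigest()


def parse_idp_metadata(xml_text: str) -> dict:
    """Return entityID, SSO endpoints and the fingerprints of all signing certs."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not an IdP metadata document")
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))  # strip PEM-style line breaks
            fingerprints.append(cert_fingerprint(der))
    if not fingerprints:
        raise ValueError("metadata carries no signing certificate")
    return {
        "entity_id": root.get("entityID"),
        "sso_redirect": sso.get(REDIRECT),
        "sso_post": sso.get(POST),
        "signing_cert_sha256": fingerprints,
    }


def pinned_cert_ok(parsed: dict, pinned: set) -> bool:
    """Record the fingerprints when the app is first registered. A later refresh
    that presents only unknown certificates is a key rotation (or a tampered
    fetch) and should be reviewed by a human, not trusted automatically."""
    return any(fp in pinned for fp in parsed["signing_cert_sha256"])


if __name__ == "__main__":
    parsed = parse_idp_metadata(SAMPLE_METADATA)
    print(parsed)
    print("pinned:", pinned_cert_ok(parsed, {cert_fingerprint(FAKE_CERT_DER)}))
```

The entity_id returned here is what appears as the Issuer in every assertion from this app, and the signing certificate is the only thing that ties those assertions to this OneLogin tenant, so it is the value worth comparing against the certificate shown on the SSO tab before registering the metadata URL with Cripsa.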

6. Validating User Access

The Users tab lists the users who have been granted access to this app. OneLogin will not complete a sign-in for a user who is not assigned here, so add your test users before the login test in Step 8.


One Login SAML Image-22

7. Register the OneLogin App with Cripsa (Metadata URL or File)

Use the Issuer URL from Step 5 to register the app with Cripsa.


Now go back to https://cripsa.com/saml-register-app and select the project you have just created.


One Login SAML Image-23

Here three fields are mandatory:

  • Register Type
  • Provider Name (must be unique, lowercase, and contain no special characters)
  • Metadata URL or File Upload

In the Register Type there are four options; select the one that matches your requirement. For more information on these options, see the FAQ below.


One Login SAML Image-24

One Login SAML Image-25

One Login SAML Image-26

8. User Login Testing

Use the code URI to obtain an authorization code after a successful login to OneLogin.


One Login SAML Image-27

One Login SAML Image-28

One Login SAML Image-29

One Login SAML Image-30

One Login SAML Image-31

Use the token URI to exchange that code for an accessToken after the successful login to OneLogin.


One Login SAML Image-32

One Login SAML Image-33

One Login SAML Image-2

One Login SAML Image-34

One Login SAML Image-35

Frequently asked questions

1. How many registration options are available in Cripsa for SAML, and what is the difference between them?


In the Register Type there are four options:

  • Registration of SAML Only
  • Registration of SAML in Separate Client
  • Registration of SAML with Other Already registered Auth Type Apps/Method with MFA
  • Registration of SAML with Other Already registered Auth Type Apps/Method without MFA
One Login SAML Image-36

Only the login screen differs between registration types.


One Login SAML Image-37
Figure 1 Registration of SAML Only
One Login SAML Image-38
Figure 2 Registration of SAML in Separate Client
One Login SAML Image-39
Figure 3 Registration of SAML with Other Already registered Auth Type Apps/Method with MFA

In the diagram above, MFA is available along with SAML authentication.


One Login SAML Image-40
Figure 4 Registration of SAML with Other Already registered Auth Type Apps/Method with MFA

In the diagram above, MFA is available along with SAML and OAuth 2.0 authentication.


One Login SAML Image-41
Figure 5 Registration of SAML with Other Already registered Auth Type Apps/Method without MFA