Configure OneLogin as a Third-Party IdP with SOTI Identity

Before you begin

Set up and verify a domain to use with this OneLogin IdP connection. Read more at Add Domains.

About this task

If you already have a set of users with OneLogin, you can configure SOTI Identity to delegate authentication and authorization to OneLogin rather than recreate an existing set of users and structures.

Note: This procedure includes steps to perform in an external tool and is subject to change without notice.

Procedure

Download SOTI Identity metadata
  1. In the SOTI Identity Admin Console, open the main menu and select Directories/IDP.
  2. Select New Directory > IdP Connection to open the Create Connection dialog box.
  3. Select SAML Based IdP.
  4. Select Downloads in the upper right corner of the Configure IdP dialog box and download the Identity Metadata and Identity Certificate to your computer.
  5. Open the downloaded SOTIIdentityMetadata.xml file in your preferred xml reader or browser.
  6. Search for the following values and copy them to a text file for later use: "entityID=", "AssertionConsumerService" and "SingleLogoutService".
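Rather than searching the metadata by eye, the three values can be read out of the SP metadata programmatically. This is an added example, not SOTI's code; the metadata below is a constructed sample with a placeholder account GUID, and the region check simply compares each URL's host with the host in entityID, as the note in the next section advises.

```python
# Added example (not SOTI's code): pull the values that the steps above tell
# you to copy by hand out of SOTIIdentityMetadata.xml.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample shaped like SP metadata; the GUID is a placeholder.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://eu.identity.soti.net/00000000-0000-0000-0000-000000000000">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://eu.identity.soti.net/slo/saml/auth/logout"/>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://eu.identity.soti.net/sso/saml/Auth/HandleExternalIdpResponse"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def extract_sp_values(metadata_xml: str) -> dict:
    """Return entityID, ACS and SLO locations, and the FQDN the entityID uses."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{urn:oasis:names:tc:SAML:2.0:metadata}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.attrib["entityID"]
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    acs = [e.attrib["Location"] for e in sp.findall("md:AssertionConsumerService", NS)]
    slo = [e.attrib["Location"] for e in sp.findall("md:SingleLogoutService", NS)]
    # The entityID host is the regional FQDN to use everywhere; flag any URL on another host.
    fqdn = entity_id.split("/")[2]
    mismatched = [u for u in acs + slo if u.split("/")[2] != fqdn]
    return {"entityID": entity_id, "acs": acs, "slo": slo,
            "fqdn": fqdn, "fqdn_mismatch": mismatched}

if __name__ == "__main__":
    for key, value in extract_sp_values(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```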
Configure OneLogin as an IdP for SOTI Identity
  1. Open another browser tab and log into the OneLogin administration portal as an administrator.
  2. From the Applications menu, select Applications.
  3. Select Add App and from the Find Applications list, find SAML Test Connector (Advanced).
  4. Change the Display Name to a friendly name and select Save.
  5. Open the Configuration tab and fill in the requested details. Select Save when you are done.
    Field name                     Value
    Audience (EntityID)            https://identity.soti.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    Recipient                      https://identity.soti.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    ACS (Consumer) URL Validator   https://identity.soti.net/sso/saml/Auth/HandleExternalIdpResponse
    ACS (Consumer) URL             https://identity.soti.net/sso/saml/Auth/HandleExternalIdpResponse
    Single Logout URL              https://identity.soti.net/slo/saml/auth/logout
    Login URL                      https://identity.soti.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    SAML encryption method         AES-256-CBC
    Note: The FQDN differs depending on the region where SOTI Identity is hosted.
    For example:
    • America - https://identity.soti.net
    • Europe - https://eu.identity.soti.net
    The entityID value in your SOTIIdentityMetadata.xml file carries the correct FQDN to use in this configuration, for example:

    entityID="https://eu.identity.soti.net/

  6. Open the Parameters tab and select Add to add parameter field-value pairs. Add the following pairs:
    Field name    Value
    Email         Email
    First Name    First Name
    Last Name     Last Name
    Group         MemberOf
  7. Check the Include in SAML assertion check box in the Edit Field Group window.
  8. After you add and fill in all four parameter fields, select Save.
  9. Open the SSO tab and change the value of SAML Signature Algorithm to SHA-256. Select Save.
  10. Open the Users tab and select a username to open the Edit SOTI Identity login for username dialog box.
  11. In the Group field, enter a name for the group and select Save.
  12. Open the More Actions menu (top-right corner) and select SAML Metadata to download OneLogin's metadata.
Import OneLogin metadata into SOTI Identity
  1. Return to the SOTI Identity Admin Console and open the main menu and select Directories/IDP.
  2. Select New Directory > IdP Connection to open the Create Connection dialog box.
  3. Select SAML Based IdP.
  4. In the Configure IdP dialog box, give the OneLogin connection a name. This procedure uses OneLogin A.
  5. Beside IdP Metadata file, select Import and browse to the SAML metadata file you downloaded from OneLogin in step 18 (the SAML Metadata download under More Actions).
    The file populates the IdP Entity ID, SSO URL, Logout URL, and Certificates fields.
  6. Select one or more domains from the Select Domain list.
    Domains control who can (or cannot) log into a SOTI Identity account and its associated applications. Each SAML-based connection is mapped to at least one domain.

    Only verified domains appear in this list. If you have not set up a verified domain yet, select Manage Domains. The page redirects to the Domains view where you can add and verify domains. You are going to lose your current draft connection.

  7. Fill in the User Attributes that were defined in the OneLogin SAML application, as shown in the following table.
    SOTI Identity attribute   Value (OneLogin field name)
    Email                     Email
    FirstName                 First Name
    LastName                  Last Name
    MemberOf                  Group
    Note: Ensure the values match the OneLogin field names exactly, with no trailing spaces.
  8. Select Create.
    OneLogin is now connected to SOTI Identity and ready for authentication and authorization purposes.
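Before opening the connection to users, it is worth checking that what OneLogin actually sends matches the settings entered above: the audience equals the SOTI Identity entityID, the signature algorithm is SHA-256 (SSO tab, step 9), and the attribute names are exactly the four field names with no stray whitespace (the note in step 7). The following linter is an added example, not SOTI's or OneLogin's code; the assertion is a constructed sample with a placeholder GUID and a stub signature, and a deliberately mistyped "Group " name so the whitespace check fires.

```python
# Added example (not SOTI's or OneLogin's code): lint a SAML assertion against
# the settings this procedure asks for. Signature validity itself is not checked here.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
# SOTI Identity attribute -> SAML attribute name OneLogin must send (tables above).
EXPECTED_ATTRS = {"Email": "Email", "FirstName": "First Name",
                  "LastName": "Last Name", "MemberOf": "Group"}

# Constructed sample assertion; the GUID is a placeholder and the signature is a stub.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_a1">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="{RSA_SHA256}"/>
  </ds:SignedInfo></ds:Signature>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://identity.soti.net/00000000-0000-0000-0000-000000000000</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="Email"><saml:AttributeValue>a@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="First Name"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Last Name"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Group "><saml:AttributeValue>Engineering</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def lint_assertion(xml_text: str, entity_id: str) -> list:
    """Return a list of findings; an empty list means the assertion matches the procedure."""
    findings = []
    root = ET.fromstring(xml_text)
    alg = root.find(".//ds:SignatureMethod", NS)
    if alg is None or alg.attrib.get("Algorithm") != RSA_SHA256:
        findings.append("signature algorithm is not RSA-SHA256 (SSO tab, step 9)")
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if entity_id not in audiences:
        findings.append(f"Audience {audiences} does not match entityID {entity_id}")
    names = [a.attrib["Name"] for a in root.findall(".//saml:Attribute", NS)]
    for sent in names:
        if sent != sent.strip():
            findings.append(f"attribute name {sent!r} has leading/trailing whitespace")
    missing = set(EXPECTED_ATTRS.values()) - set(names)
    if missing:
        findings.append(f"missing attributes: {sorted(missing)}")
    return findings

if __name__ == "__main__":
    gid = "https://identity.soti.net/00000000-0000-0000-0000-000000000000"
    print(lint_assertion(SAMPLE_ASSERTION, gid))
```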
Add a OneLogin User Group to SOTI Identity
Note: You can only add user groups and not individual users in SAML Based IdP connections.
  1. In the SOTI Identity Admin Console, open the main menu and select Users.
  2. Select your OneLogin IDP in the Directory list.
  3. Select Groups.
  4. Select New User Group in the upper right corner of the console.
  5. In the Add IDP User Group window, select OneLogin IDP Group.
  6. Type a name for the new IDP group. Ensure the name matches the name given in OneLogin.
  7. Optional: Make all users in the group SOTI Identity account administrators. Leave unselected if the users only need access to other SOTI ONE applications.
    Note: Account administrators can manage and modify all settings in your SOTI Identity console and account so you should be careful who you make an account administrator.
  8. Select Add to add the IdP group to SOTI Identity.

Results

You have connected OneLogin to SOTI Identity. Users in the groups you just added will receive an email notifying them that they have been enrolled in SOTI Identity. However, they will not have access to any applications until you assign one.

What to do next

Assign applications to OneLogin user groups.