Configure OneLogin as a Third-Party IdP with SOTI Identity
Before you begin
Set up and verify a domain to use with this OneLogin IdP connection. Read more at Add Domains.
About this task
If you already have a set of users with OneLogin, you can configure SOTI Identity to delegate authentication and authorization to OneLogin rather than recreate an existing set of users and structures.
Procedure
- In the SOTI Identity Admin Console, open the main menu and select Directories/IDP.
- Select Create Connection to open the Create Connection dialog box.
- Select SAML Based IdP.
- Select Downloads in the upper right corner of the Configure IdP dialog box and download the Identity Metadata and Identity Certificate to your computer.
- Open the downloaded SOTIIdentityMetadata.xml file in your preferred XML reader or browser.
- Search for the following values and copy them to a new notepad for later use: "entityID=", "AssertionConsumerService" and "SingleLogoutService".
- Open another browser tab and log into the OneLogin administration portal as an administrator.
- From the Applications menu, select Applications.
- Select Add App and from the Find Applications list, find SAML Test Connector (Advanced).
- Change the Display Name to a friendly name and select Save.
- Open the Configuration tab and fill in the requested details. Select Save when you are done.

  Field name                      Value
  Audience (EntityID)             https://identity.soti.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  Recipient                       https://identity.soti.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  ACS (Consumer) URL Validator    https://identity.soti.net/sso/saml/Auth/HandleExternalIdpResponse
  ACS (Consumer) URL              https://identity.soti.net/sso/saml/Auth/HandleExternalIdpResponse
  Single Logout URL               https://identity.soti.net/slo/saml/auth/logout
  Login URL                       https://identity.soti.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  SAML encryption method          AES-256-CBC

  Note: The FQDN differs depending on the region where SOTI Identity is hosted. For example:
  - America - https://identity.soti.net
  - Europe - https://eu.identity.soti.net
  The entityID value in your SOTIIdentityMetadata.xml file contains the correct FQDN to use in this configuration, for example: entityID="https://eu.identity.soti.net/
- Open the Parameters tab and select Add to add parameter field-value pairs. Add the following pairs:

  Field name      Value
  Email           Email
  First Name      First Name
  Last Name       Last Name
  Group           MemberOf

- Check the Include in SAML assertion check box in the Edit Field Group window.
- After you add and fill in all four parameter fields, select Save.
- Open the SSO tab and change the value of SAML Signature Algorithm to SHA-256. Select Save.
- Open the Users tab and select a username to open the Edit SOTI Identity login for username dialog box.
- In the Group field, enter a name for the group and select Save.
- Open the More Actions menu (top-right corner) and select SAML Metadata to download OneLogin's metadata.
- Return to the SOTI Identity Admin Console and open the main menu and select Directories/IDP.
- Select Create Connection to open the Create Connection dialog box.
- Select SAML Based IdP.
- In the Configure IdP dialog box, give the OneLogin connection a name. We'll use OneLogin A.
- Beside IdP Metadata file, select Import and browse to the SAML metadata file you downloaded from OneLogin in step 18. The file populates the IdP Entity ID, SSO URL, Logout URL, and Certificates fields.
- Select one or more domains from the Select Domain list.
  Domains control who can (or cannot) log into a SOTI Identity account and its associated applications. Each SAML-based connection is mapped to at least one domain.
  Only verified domains appear in this list. If you have not set up a verified domain yet, select Manage Domains. The page redirects to the Domains view where you can add and verify domains. You are going to lose your current draft connection.
- Fill in the User Attributes that were defined in the OneLogin SAML application, as shown in the following table.

  User attribute    Value
  Email             Email
  FirstName         First Name
  LastName          Last Name
  MemberOf          Group

  Note: Ensure the details match exactly and there are no trailing spaces.
- Select Create.
OneLogin is now connected to SOTI Identity and ready for authentication and authorization purposes.
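The values you copy out of SOTIIdentityMetadata.xml, and the fields that the Import button later fills from OneLogin's metadata, are both plain SAML 2.0 metadata. The following script, added here as an example and not part of SOTI's or OneLogin's own tooling, pulls the entityID, AssertionConsumerService and SingleLogoutService locations out of the SP metadata, reads the IdP Entity ID, SSO URL, Logout URL and signing certificate from the IdP metadata, and flags any URL whose host does not match the regional FQDN taken from the entityID. Both metadata documents embedded below are constructed placeholders, not real SOTI or OneLogin output.

```python
"""Extract SAML endpoints from SP (SOTI Identity) and IdP (OneLogin) metadata.
Added example; the two metadata documents below are constructed placeholders."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for SOTIIdentityMetadata.xml (EU region, placeholder ids).
SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://eu.identity.soti.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://eu.identity.soti.net/slo/saml/auth/logout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://eu.identity.soti.net/sso/saml/Auth/HandleExternalIdpResponse" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed stand-in for the metadata exported from OneLogin's More Actions menu.
IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://app.onelogin.com/saml/metadata/placeholder-app-id">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER...CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://placeholder.onelogin.com/trust/saml2/http-redirect/slo/1"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://placeholder.onelogin.com/trust/saml2/http-redirect/sso/1"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _location(root, path):
    """Return the Location attribute of the first element at a namespaced path."""
    el = root.find(path, NS)
    return el.get("Location") if el is not None else None


def parse_sp_metadata(xml_text):
    """Return the values the procedure asks you to copy from the SP metadata,
    plus the regional FQDN taken from the entityID."""
    # Metadata you exported yourself; parse untrusted XML with defusedxml instead.
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    return {
        "entityID": entity_id,
        "fqdn": urlparse(entity_id).hostname,
        "AssertionConsumerService": _location(
            root, "md:SPSSODescriptor/md:AssertionConsumerService"),
        "SingleLogoutService": _location(
            root, "md:SPSSODescriptor/md:SingleLogoutService"),
    }


def parse_idp_metadata(xml_text):
    """Return what the Import button populates: IdP Entity ID, SSO URL,
    Logout URL and the signing certificate(s)."""
    root = ET.fromstring(xml_text)
    certs = [(c.text or "").strip() for c in root.findall(
        "md:IDPSSODescriptor/md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return {
        "IdP Entity ID": root.get("entityID"),
        "SSO URL": _location(root, "md:IDPSSODescriptor/md:SingleSignOnService"),
        "Logout URL": _location(root, "md:IDPSSODescriptor/md:SingleLogoutService"),
        "Certificates": certs,
    }


def check_region(sp, configured_urls):
    """Return every URL typed into OneLogin whose host differs from the SP's
    regional FQDN (the region Note in the Configuration step)."""
    return [u for u in configured_urls if urlparse(u).hostname != sp["fqdn"]]


if __name__ == "__main__":
    sp = parse_sp_metadata(SP_METADATA)
    print("Copy into OneLogin:", sp)
    print("Imported from OneLogin:", parse_idp_metadata(IDP_METADATA))
    print("Wrong region:", check_region(sp, ["https://identity.soti.net/slo/saml/auth/logout"]))
```

Run it against the real files by replacing the two embedded strings with the file contents; a non-empty result from check_region means a URL was pasted from the wrong regional host.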
- In the SOTI Identity Admin Console, open the main menu and select Users.
- Select your OneLogin IDP in the Directory list.
- Select Groups.
- Select the add button in the upper right corner of the console.
- In the Add IDP User Group window, select OneLogin IDP Group.
- Type a name for the new IDP group. Ensure the name matches the name given in OneLogin.
- Optional: Make all users in the group SOTI Identity account administrators. Leave unselected if the users only need access to other SOTI ONE applications.
Note: Account administrators can manage and modify all settings in your SOTI Identity console and account so you should be careful who you make an account administrator.
- Select Add to add the IdP group to SOTI Identity.
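Two exact-match requirements in this procedure are easy to get wrong and hard to see in a console: the attribute names in the User Attributes table must match what OneLogin sends with no trailing spaces, and the IDP group name must match the group name given in OneLogin. The check below, added here as an example rather than anything SOTI or OneLogin ships, reads the AttributeStatement of a SAML assertion and reports each configured attribute that will not be matched, with the likely cause (missing, whitespace, or case), and then confirms the Group attribute carries the IDP group name. The assertion and group name are constructed sample data.

```python
"""Verify that a OneLogin SAML assertion carries exactly the attribute names and
group name configured in SOTI Identity. Added example; the assertion below is
constructed and deliberately contains two common mismatches."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# SAML attribute name sent by OneLogin -> SOTI Identity user attribute it fills
# (taken from the two attribute tables in the procedure).
EXPECTED_ATTRIBUTES = {
    "Email": "Email",
    "First Name": "FirstName",
    "Last Name": "LastName",
    "Group": "MemberOf",
}

# Constructed assertion fragment: "email" differs in case from the configured
# "Email", and "Last Name " carries a trailing space.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="First Name">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Last Name ">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Group">
      <saml:AttributeValue>OneLogin Admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def assertion_attributes(xml_text):
    """Return {attribute name: [values]} exactly as sent, without trimming,
    so whitespace problems stay visible."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter(f"{{{NS['saml']}}}Attribute"):
        values = [(v.text or "") for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_attribute_mapping(attrs, expected=EXPECTED_ATTRIBUTES):
    """List each configured attribute name that the assertion does not match
    exactly, with the most likely reason."""
    findings = []
    for name in expected:
        if name in attrs:
            continue
        # Look for a near miss that only differs in whitespace or case.
        near = [n for n in attrs if n.strip().casefold() == name.casefold()]
        if not near:
            findings.append(f"{name}: missing from assertion")
        elif near[0] != near[0].strip():
            findings.append(f"{name}: assertion sends {near[0]!r} (leading/trailing whitespace)")
        else:
            findings.append(f"{name}: assertion sends {near[0]!r} (case differs)")
    return findings


def check_group_name(attrs, idp_group_name):
    """True only if the Group attribute carries the IDP group name exactly as
    entered in SOTI Identity (no trimming or case folding)."""
    return idp_group_name in attrs.get("Group", [])


if __name__ == "__main__":
    found = assertion_attributes(SAMPLE_ASSERTION)
    for line in check_attribute_mapping(found):
        print("MISMATCH", line)
    print("Group matches:", check_group_name(found, "OneLogin Admins"))
```

To use it on a real login, decode the SAMLResponse from the browser's POST to the ACS URL (it is base64 XML) and pass the Assertion element's text in place of SAMPLE_ASSERTION; an empty findings list and a True group check mean the mappings in both consoles agree.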
Results
You have connected OneLogin to SOTI Identity. Users in the groups you just added will receive an email notifying them that they have been enrolled in SOTI Identity. However, they will not have access to any applications until you assign one.
What to do next
Assign applications to OneLogin user groups.