
Tutorial: How to Configure SAML with OneLogin

Abstract

This is a step-by-step guide for configuring SAML on Access Server with OneLogin.

Overview

Access Server 2.11 and newer support SAML authentication with OneLogin as the identity provider (IdP). You configure this in OneLogin with Access Server as the service provider (SP).

The following steps walk you through how to enable SAML authentication for users and groups from OneLogin to Access Server.

You need the following to get started:

Important

We recommend using all lowercase usernames when signing in with SAML.

With OneLogin, you need to create an application for the SAML integration.

  1. Sign in to your OneLogin domain as an admin.

  2. Click Menu > Applications > Applications.

  3. Click Add App.

  4. In the search, enter ‘SAML custom connector’ and click on SAML Custom Connector (Advanced) in the results.

  5. Enter the Display Name and ensure you enable Visible in portal.

  6. Add icons and a description, then click Save.

  7. Click Configuration from the menu on the left.

  8. Enter your SP information as follows:

    1. RelayState: Enter ‘cws’ if you want your users to sign in to the Client Web UI, and enter ‘profile’ if you want users to download a profile for their VPN client after they authenticate. For more information about RelayState, refer to the section below, “Set up IdP-initiated sign-on in OneLogin.”

    2. Audience (Entity ID): Enter the SP Identity from Access Server.

    3. ACS (Consumer) URL Validator: Enter the SP ACS from Access Server. OneLogin evaluates this field as a regular expression, so anchor it and escape the dots (for an SP ACS of https://vpn.example.com/saml/acs, an example hostname, enter ‘^https://vpn\.example\.com/saml/acs$’); a bare URL pasted here still matches, but an unescaped dot matches any character, so a look-alike hostname would also be accepted.

    4. ACS (Consumer) URL: Enter the SP ACS again from Access Server.

    5. Under SAML signature element, select Assertion from the drop-down.

    6. Click Save.

You’ve added the SAML client for your OneLogin domain.

The simplest way to set up OneLogin SAML for Access Server is by providing metadata to Access Server. You can copy a metadata URL or download a metadata XML file.

Option 1: Copy the OneLogin metadata

  1. From the SAML app integration you created above, click SSO from the left menu.

  2. Copy the Issuer URL.

Option 2: Download the OneLogin metadata file

  1. From the SAML app integration you created above, click the More Actions drop-down.

  2. Click SAML metadata to download the XML file.

Now that you have the metadata, you can provide that to your Access Server through the Admin Web UI to automatically configure SAML.

If you copied the URL, follow the steps below to paste it into the SAML page for Access Server. If you downloaded the XML file, follow the steps below to upload it to the SAML page for Access Server.

Option 1: Paste the OneLogin metadata URL in the Admin Web UI

  1. Sign in to your Access Server Admin Web UI.

  2. Click Authentication > SAML.

  3. Click Configure Identity Provider (IdP) Automatically via Metadata to expand the section.

  4. Paste the Issuer URL from OneLogin into the IdP Metadata URL field, click Get, and click Update Running Server.

    • The IdP fields are now populated under Configure Identity Provider (IdP) Manually.

Option 2: Upload the OneLogin metadata file in the Admin Web UI

  1. Sign in to the Admin Web UI.

  2. Click Authentication > SAML.

  3. Click Configure Identity Provider (IdP) Automatically via Metadata to expand the section.

  4. In the field Select IdP Metadata, click Choose File to upload the XML file you downloaded from OneLogin, then click Upload and Update Running Server.

    • The IdP fields are now populated under Configure Identity Provider (IdP) Manually.

After saving, you should see the following data populated automatically by either the URL or the XML file. The values are copied into the manual IdP configuration at that moment; if you later rotate the signing certificate in OneLogin, fetch or upload the metadata again so the Certificate field matches.

  • IdP EntityId.

  • Sign On Endpoint.

  • Certificate (PEM format).

With SAML enabled for Access Server, you must add the app integration to your OneLogin users requiring access.

  1. Sign in to your OneLogin domain as an admin.

  2. From the menu, click Users > Users and select a user.

  3. Click Applications.

  4. Click the Add icon.

  5. Select your SAML integration application from the Select application drop-down and click Continue.

  6. Review the information for the user on the next screen, then click Save.

You can now test that the user can sign in to Access Server using SAML.

You can configure an IdP-initiated flow for signing into Access Server from OneLogin with the following steps:

  1. Sign in to your OneLogin domain as an administrator.

  2. Click Applications > Applications.

  3. Click on your SAML app integration.

  4. Ensure that Visible in portal is enabled.

  5. Click Configuration from the left menu.

  6. Enter one of the following into the RelayState field:

    1. cws: This directs your users to the Client Web UI after sign-in.

    2. profile: This directs your users to a profile download after sign-in.

  7. Save changes.

Test that the option displays for your users (for example, using the 'profile' relay state):

  1. Sign in to your OneLogin portal as a SAML user.

  2. Find the SAML app linked with Access Server and click on it.

  3. The user should be directed to the Import profile in App page without additional authentication requirements.