
Tutorial: How to Configure SAML with OneLogin

Abstract

This is a step-by-step guide for configuring SAML on Access Server with OneLogin.

Overview

Access Server supports authentication using SAML with OneLogin as the identity provider. You can configure this in OneLogin with Access Server as your service provider.

The following steps guide you through enabling SAML authentication for users and groups from OneLogin to Access Server.

You need the following to get started:

Important

We recommend using all lowercase usernames when signing in with SAML.

Step 1: Create the SAML app integration in OneLogin

With OneLogin, you need to create an application for the SAML integration.

  1. Sign in to your OneLogin domain as an admin.

  2. Click Menu > Applications > Applications.

  3. Click Add App.

  4. In the search, enter ‘SAML custom connector’ and click on SAML Custom Connector (Advanced) in the results.

  5. Enter the Display Name and ensure you enable Visible in portal.

  6. Add icons and a description, then click Save.

  7. Click Configuration from the menu on the left.

  8. Enter your SP information as follows:

    1. RelayState: Enter ‘cws’ if you want your users to sign in to the Client Web UI, and enter ‘profile’ if you want users to download a profile for their VPN client after they authenticate. For more information about RelayState, refer to the section below, “Set up IdP-initiated sign-on in OneLogin.”

    2. Audience (Entity ID): Enter the SP Identity from Access Server.

    3. ACS (Consumer) URL Validator: Enter the SP ACS from Access Server.

    4. ACS (Consumer) URL: Enter the SP ACS again from Access Server.

    5. Under SAML signature element, select Assertion from the drop-down.

    6. Click Save.

You’ve added the SAML client for your OneLogin domain.

Step 2: Get the OneLogin metadata

The simplest way to set up OneLogin SAML for Access Server is by providing metadata to Access Server. You can copy a metadata URL or download a metadata XML file.

Option 1: Copy the OneLogin metadata URL

  1. From your SAML app integration created in Step 1, click SSO from the left menu.

  2. Copy the Issuer URL.

Option 2: Download the OneLogin metadata file

  1. From your SAML app integration created in Step 1, click the More Actions drop-down.

  2. Click SAML metadata to download the XML file.

Step 3: Provide OneLogin metadata to Access Server

Now that you have the metadata, you can provide that to your Access Server through the Admin Web UI to automatically configure SAML.

If you copied the URL, follow the steps below to paste it into the SAML page for Access Server. If you downloaded the XML file, follow the steps below to upload it to the SAML page for Access Server.

Option 1: Paste the OneLogin metadata URL in the Admin Web UI

  1. Sign in to the Admin Web UI.

  2. Click Authentication.

  3. Click the SAML tab.

  4. Set Enable SAML authentication to Enabled.

  5. Under Configure Identity Provider (IdP), click Configure using metadata URL/file.

    • The Configure using metadata modal displays.

  6. In the field, IdP metadata configuration URL, paste the Issuer URL you copied from OneLogin, and click Get.

    • If the URL isn't valid, a message displays. Otherwise, the Identity Provider data populates the corresponding fields.

  7. Click Save and Restart.

Option 2: Upload the OneLogin metadata file in the Admin Web UI

  1. Sign in to the Admin Web UI.

  2. Click Authentication.

  3. Click the SAML tab.

  4. Set Enable SAML authentication to Enabled.

  5. Under Configure Identity Provider (IdP), click Configure using metadata URL/file.

    • The Configure using metadata modal displays.

  6. Click Click to upload to select your XML file or drag and drop it into the modal window.

    • The Identity Provider data populates the corresponding fields.

  7. Click Save and Restart.

You can now enable SAML as the global default authentication or for specific groups and users. Refer to the tutorial: SAML user groups.
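Whether you paste the Issuer URL or upload the XML file, Access Server fills its IdP fields from the same metadata, so it is worth knowing what that file contains and checking it before you trust it. The following is an added example, not code from the page or from OpenVPN: it parses a constructed IdP metadata document shaped like the one OneLogin serves (tenant host, app id and certificate bytes are placeholders) and pulls out the entityID, the SingleSignOnService endpoints and the SHA-256 fingerprint of each signing certificate, then flags the things a sanity check should catch, such as an SSO endpoint that is not HTTPS or metadata with no signing certificate at all.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder standing in for the DER bytes of the IdP signing
# certificate. It is NOT a real X.509 certificate, only bytes to fingerprint.
PLACEHOLDER_CERT_DER = b"constructed placeholder, not a real X.509 certificate"
PLACEHOLDER_CERT_B64 = base64.b64encode(PLACEHOLDER_CERT_DER).decode()

# Constructed sample shaped like OneLogin IdP metadata. The tenant host,
# app id and certificate are placeholders, not values from a real tenant.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://app.onelogin.com/saml/metadata/EXAMPLE-APP-ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-tenant.onelogin.com/trust/saml2/http-redirect/sso/EXAMPLE"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-tenant.onelogin.com/trust/saml2/http-post/sso/EXAMPLE"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""" % PLACEHOLDER_CERT_B64


def fingerprint(der_bytes):
    """SHA-256 hex fingerprint of certificate DER bytes (what you compare with the IdP console)."""
    return hashlib.sha256(der_bytes).hexdigest()


def parse_idp_metadata(xml_text):
    """Extract what an SP needs from IdP metadata: entityID, SSO endpoints, signing certs."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("expected md:EntityDescriptor, got %s" % root.tag)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # SP metadata uploaded by mistake is a common cause of this.
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    endpoints = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        # Key by the short binding name, e.g. HTTP-Redirect / HTTP-POST.
        endpoints[svc.get("Binding", "").rsplit(":", 1)[-1]] = svc.get("Location")
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(fingerprint(der))
    return {"entity_id": root.get("entityID"),
            "sso": endpoints,
            "signing_cert_sha256": fingerprints}


def check_idp_metadata(info):
    """Return the problems a sanity check should catch before the metadata is trusted."""
    problems = []
    if not info["entity_id"]:
        problems.append("missing entityID")
    if not info["sso"]:
        problems.append("no SingleSignOnService endpoint")
    for binding, location in info["sso"].items():
        if not (location or "").startswith("https://"):
            problems.append("%s endpoint is not HTTPS: %s" % (binding, location))
    if not info["signing_cert_sha256"]:
        problems.append("no signing certificate: assertions could not be verified")
    return problems


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("entityID:", info["entity_id"])
    for binding, location in info["sso"].items():
        print("SSO %-13s %s" % (binding, location))
    for fp in info["signing_cert_sha256"]:
        print("signing cert sha256:", fp)
    print("problems:", check_idp_metadata(info) or "none")
```

Run it against the XML you downloaded in Step 2 by reading the file into `parse_idp_metadata`; the fingerprint it prints is what you compare against the certificate shown in the OneLogin app's SSO tab, and an empty problem list is the condition for proceeding to Step 3. Fetch a metadata URL only over HTTPS, since whatever answers that request decides which signing certificate Access Server will trust.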

With SAML enabled for Access Server, you must add the app integration to your OneLogin users requiring access.

  1. Sign in to your OneLogin domain as an admin.

  2. From the menu, click Users > Users and select a user.

  3. Click Applications.

  4. Click the Add icon.

  5. Select your SAML integration application from the Select application drop-down and click Continue.

  6. Review the information for the user on the next screen, then click Save.

You can now test that the user can sign in to Access Server using SAML.

Set up IdP-initiated sign-on in OneLogin

You can configure an IdP-initiated flow for signing into Access Server from OneLogin with the following steps:

  1. Sign in to your OneLogin domain as an administrator.

  2. Click Applications > Applications.

  3. Click on your SAML app integration.

  4. Ensure that Visible in portal is enabled.

  5. Click Configuration from the left menu.

  6. Enter one of the following into the RelayState field:

    1. cws: This directs your users to the Client Web UI after sign-in.

    2. profile: This directs your users to a profile download after sign-in.

  7. Save changes.

Test that the option displays for your users (for example, using the 'profile' relay state):

  1. Sign in to your OneLogin portal as a SAML user.

  2. Find the SAML app linked with Access Server and click on it.

  3. The user should be directed to the Import profile in App page without additional authentication requirements.
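In an IdP-initiated flow the SAML Response arrives at the service provider without a preceding AuthnRequest, and the RelayState value travels with it, so the SP has to decide two things on its own: is this response answering a request it actually sent, and where should the user land afterwards. The following is an added, illustrative example of that SP-side decision, not Access Server's own code: the two documented RelayState values (cws and profile) are mapped through an allowlist to symbolic destinations (the destination names and the allow_idp_initiated switch are assumptions), anything else is refused rather than used as a redirect target, and InResponseTo is used to tell SP-initiated responses from unsolicited ones. Signature and audience checks, which belong to the SAML library, are deliberately outside this block.

```python
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# The two RelayState values this tutorial documents. The destination names on
# the right are assumptions for illustration, not paths used by Access Server.
RELAY_STATE_DESTINATIONS = {
    "cws": "client_web_ui",
    "profile": "profile_download",
}
DEFAULT_DESTINATION = "client_web_ui"   # assumed default when RelayState is empty
MAX_RELAY_STATE_BYTES = 80              # SAML 2.0 Bindings, section 3.1.1


def resolve_relay_state(relay_state):
    """Map RelayState to a destination via an allowlist; never treat it as a URL."""
    if relay_state is None or relay_state == "":
        return DEFAULT_DESTINATION
    if len(relay_state.encode("utf-8")) > MAX_RELAY_STATE_BYTES:
        raise ValueError("RelayState longer than %d bytes" % MAX_RELAY_STATE_BYTES)
    try:
        return RELAY_STATE_DESTINATIONS[relay_state]
    except KeyError:
        # An attacker-supplied URL or path lands here instead of in a redirect.
        raise ValueError("RelayState %r is not an allowed value" % relay_state)


def classify_response(saml_response_b64, pending_request_ids):
    """Return 'sp-initiated' or 'idp-initiated' based on InResponseTo."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % SAMLP:
        raise ValueError("not a samlp:Response")
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        return "idp-initiated"          # unsolicited: no AuthnRequest preceded it
    if in_response_to not in pending_request_ids:
        raise ValueError("InResponseTo matches no outstanding AuthnRequest")
    return "sp-initiated"


def route_acs_post(form, pending_request_ids, allow_idp_initiated=True):
    """Decide flow type and destination for a form POSTed to the ACS URL."""
    flow = classify_response(form["SAMLResponse"], pending_request_ids)
    if flow == "idp-initiated" and not allow_idp_initiated:
        raise ValueError("unsolicited SAML response rejected by policy")
    return flow, resolve_relay_state(form.get("RelayState"))


def make_sample_response(in_response_to=None):
    """Constructed, unsigned samlp:Response envelope used only to exercise the routing."""
    attrs = 'xmlns:samlp="%s" ID="_constructed-resp" Version="2.0"' % SAMLP
    if in_response_to:
        attrs += ' InResponseTo="%s"' % in_response_to
    xml = "<samlp:Response %s></samlp:Response>" % attrs
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    # What the portal tile configured with RelayState 'profile' would deliver.
    print(route_acs_post({"SAMLResponse": make_sample_response(),
                          "RelayState": "profile"}, set()))
    # An SP-initiated login whose request id the SP remembered.
    print(route_acs_post({"SAMLResponse": make_sample_response("_constructed-req"),
                          "RelayState": "cws"}, {"_constructed-req"}))
```

The allowlist is the important part: RelayState is a client-controlled string, and an SP that turns it into a redirect target becomes an open redirector reachable through the IdP's own portal. Tracking outstanding request ids is what lets the same endpoint accept portal launches while still refusing a replayed or mismatched response in the SP-initiated case.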

You can automate group assignments for access control rules using a post-authentication Python script.

Refer to the steps in this tutorial:
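The decision such a script has to make is independent of how it is wired into Access Server: take the group values the IdP asserted for the user and turn them into exactly one Access Server group, or no access. The block below is an added example of that decision and is not the script from the linked tutorial or from OpenVPN. The attribute name "groups", the mapping table and the fail-closed default are assumptions chosen for illustration, and the assertion it parses is constructed. The post-authentication hook itself, and the form in which it receives the SAML attributes, are not described on this page, so the example stops at the pure mapping.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed name of the attribute OneLogin is configured to release.
GROUP_ATTRIBUTE = "groups"

# Assumed mapping from IdP group names to Access Server groups. The list is
# ordered: the first entry matched wins, so the most privileged group goes first
# and a user who is in several IdP groups gets a deterministic result.
GROUP_MAP = [
    ("vpn-admins", "Admins"),
    ("vpn-staff", "Staff"),
    ("vpn-contractors", "Contractors"),
]

# Constructed assertion fragment; values are placeholders, not a real login.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-assertion" Version="2.0">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>vpn-staff</saml:AttributeValue>
      <saml:AttributeValue>vpn-contractors</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(assertion_xml, name):
    """All non-empty values of the named attribute in an assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != name:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                values.append(value.text.strip())
    return values


def choose_conn_group(idp_groups, group_map=GROUP_MAP):
    """Map the IdP's group names to one Access Server group; None if nothing matches."""
    # Compare case-insensitively: IdP group names are display strings, not identifiers.
    present = {g.strip().lower() for g in idp_groups}
    for idp_name, access_server_group in group_map:
        if idp_name.lower() in present:
            return access_server_group
    return None


def decide(assertion_xml):
    """Fail closed: a user with no mapped group is denied rather than dropped into a default."""
    group = choose_conn_group(attribute_values(assertion_xml, GROUP_ATTRIBUTE))
    if group is None:
        return {"status": "deny", "reason": "no IdP group maps to an Access Server group"}
    return {"status": "allow", "conn_group": group}


if __name__ == "__main__":
    print(attribute_values(SAMPLE_ASSERTION, GROUP_ATTRIBUTE))
    print(decide(SAMPLE_ASSERTION))
```

Keeping the mapping table ordered and explicit makes the access control rules reviewable from the script alone, and denying when no entry matches means a new OneLogin group that was never mapped cannot silently grant VPN access.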