OneLogin is an Identity and Access Management (IAM) system that lets you perform Single Sign-On for all your web and mobile applications. The service offers a full-featured federation engine and a flexible access policy. A user can log in with a single ID to gain access to connected systems without being prompted to enter different usernames or passwords.


To learn more about SSO, read Understanding Single Sign-On.


This article covers two setups:

  1. Configuration in OneLogin
  2. Configuration in VIDIZMO


Configuration in OneLogin

These instructions allow a Manager or Administrator of the Portal to let users access the Portal with their OneLogin credentials.


1. Go to www.onelogin.com and click on LOG IN.




2. From the login screen:

i. Enter your email address and password.

ii. Then click on the LOG IN button to proceed.




3. After successfully logging in, copy the URL from the address bar; it will look similar to https://[your-onelogin-app-name].onelogin.com/home. Keep the part of the URL before home and append /oidc to it. The final URL will look something like https://[your-onelogin-app-name].onelogin.com/oidc. You will need this URL later as the Authority URL when configuring the app in your VIDIZMO Portal.


4. From the top menu bar navigation, 

i. Hover on Applications

ii. Select Applications from the dropdown menu.




5. On the Company Apps screen, click on the ADD APP button.




6. You will be redirected to the Find Applications screen:

i. In the search box, type the keyword OpenIdConnect to list all OpenIdConnect related applications.

ii. From the list of search results, select OpenId Connect (OIDC).




7. Clicking on the OpenID Connect (OIDC) opens up its Info screen:

i. Enter a Display Name for your application in OneLogin.

ii. Then click on the Save button to add the application.


Note: To upload an icon for your APP, select from either the rectangle or the square, depending upon the shape of your icon.




8. The next tab is the Configuration tab where you are required to list the Redirect URL. This is your Portal URL with /sso/signin-onelogin appended at the end.  




9. To map user data with VIDIZMO, some new parameters need to be defined in OneLogin. To do this, click on the Parameters tab.

i. Click on the radio button to select Configured by admin.

ii. Then click on the Add parameter link to start adding parameters to map with your application.




10. A New Field popup window will appear:

i. Enter the Field name of the parameter.

ii. As soon as you add a Field name, the Value field appears where you can select the available options from the dropdown list to map with the Field Name.

iii. Then click on the Save button to proceed to add the parameter.



 



11. The new parameter gets added successfully and shows up in the table with the rest of the parameters.


12. Repeat the steps above to add the following parameters and their values for OneLogin and your application to communicate successfully:


    VIDIZMO Attribute    Value
    -----------------    -----------------
    User.Email           Email
    User.FirstName       First name
    User.LastName        Last Name
    Primarysid           userPrincipalName
    Groups               MemberOf




13. Once the parameters have been defined, click on the SSO tab. You will need the Client ID and the Client Secret when configuring SSO in your VIDIZMO Portal.


i. The Client ID gets generated automatically at this stage. Copy it using the clipboard icon next to the ID.

ii. Click on the Regenerate Client Secret link to generate the client secret and then copy it for later use.

iii. Make sure to select the Authentication Method as POST from the drop-down menu.

iv. Click Save to complete configuring your app. Now you will be required to register this app in your VIDIZMO Portal.




Configuration in VIDIZMO

1. From the Portal's Homepage,

i. Click on the navigation menu in the top-left corner.

ii. Expand the Admin tab.

iii. Click on the Settings tab and you'll be directed to the Portal Settings page.




2. On the Portal Settings page,

i. Click on the Apps tab on the left-hand panel.

ii. Further click on the Single Sign-On tab.

iii. Locate the OneLogin App on the screen, and click on the Settings icon at the right-hand side.



3. The OneLogin Settings screen offers various fields, each of which is explained below:

i. Client ID: This attribute is the unique identifier for the client application that you copied in the step above.

ii. Client Secret: The client secret is used in conjunction with the Client ID to authenticate the client application. It is the same attribute you copied in the step above.

iii. Authority: This is the OIDC application homepage URL that you copied from the address bar in the step above.

iv. SSO Login Message: Here you can set a message that will be visible to all users above the login button via OneLogin SSO Provider. This is particularly useful when you have configured various SSO providers for different users and groups.

v. SSO Login Button Label: Here you 

vi. Force Login: Select the checkbox to enable forced login; the Portal will then take you directly to Okta. When unchecked, the Portal will not redirect automatically to the IDP and you will be required to sign in through your Portal's sign-in screen.

Requires HTTPS Metadata: This check box controls how metadata is retrieved. When a request is handled for the first time, the Portal retrieves metadata from the authorization server (also called the authority or issuer). This metadata, called the discovery document in OpenID Connect terminology, contains the public keys and other details needed to validate tokens.

vii. Callback Path: Specifies the callback location in your Portal to which the authorization response will be sent. This path is appended to the Portal's URL when specifying the Redirect URI in the OneLogin app configuration.

Scopes: A space-delimited list of scopes. OpenID Connect uses scope values to specify which access privileges are being requested for access tokens. The scopes associated with an access token determine which claims are available when it is used to access the OIDC /userinfo endpoint. The following scopes are supported: openid, profile, email, phone, groups etc.

viii. Response Type: Specifies the response type for OIDC authentication. Any combination of code, token and id_token can be used. The authorization code is an opaque value that can be redeemed for tokens at the token endpoint. In our example, we have used the "code" type. The code is returned if the response_type includes code, and it has a lifetime of 60 seconds.

ix. Save Tokens: Select to save tokens. You will need administrator privileges to save. API tokens have the same permissions as the user who creates them, and if the user permissions change, the API token permissions will also change.

x. Get Claims From UserInfo Endpoint: Select this option to have the Portal retrieve claims about the authenticated end user from the UserInfo endpoint when those claims are not delivered implicitly.

xi. Attribute Mapping: Attribute Mapping allows you to map your attributes with the IDP's attributes.

xii. Click on the Save Changes button to proceed to the next step to activate SSO using OneLogin. 




A notification will appear stating Portal Information Updated Successfully.
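The following script is an added example, not part of this article or of VIDIZMO or OneLogin: it derives the Authority URL (step 3 of the OneLogin section) and the Redirect URI (step 8) from the homepage and Portal URLs, then checks the Scopes, Response Type and Requires HTTPS Metadata settings described above against a constructed OIDC discovery document. The hostnames, the discovery document and the function names are assumptions for illustration.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample discovery document, shaped like an OIDC
# /.well-known/openid-configuration response; all values are illustrative.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://example-company.onelogin.com/oidc",
    "authorization_endpoint": "https://example-company.onelogin.com/oidc/auth",
    "token_endpoint": "https://example-company.onelogin.com/oidc/token",
    "userinfo_endpoint": "https://example-company.onelogin.com/oidc/me",
    "jwks_uri": "https://example-company.onelogin.com/oidc/certs",
    "response_types_supported": ["code", "id_token", "id_token token"],
    "scopes_supported": ["openid", "profile", "email", "groups"],
})

def authority_from_home_url(home_url):
    """Step 3: drop the trailing '/home' from the OneLogin homepage URL, append '/oidc'."""
    parts = urlsplit(home_url)
    path = parts.path.rstrip("/")
    if path.endswith("/home"):
        path = path[:-len("/home")]
    return urlunsplit((parts.scheme, parts.netloc, path + "/oidc", "", ""))

def redirect_uri(portal_url, callback_path="/sso/signin-onelogin"):
    """Step 8: the Redirect URI is the Portal URL with the Callback Path appended."""
    return portal_url.rstrip("/") + callback_path

def check_config(authority, redirect, scopes, response_type, discovery_json, require_https=True):
    """Return a list of problems; an empty list means the settings are consistent."""
    doc = json.loads(discovery_json)
    problems = []
    # The issuer in the discovery document must match the Authority the Portal trusts.
    if doc.get("issuer") != authority:
        problems.append(f"issuer {doc.get('issuer')!r} does not match Authority {authority!r}")
    # Requires HTTPS Metadata: every endpoint used to fetch keys/tokens must be HTTPS.
    if require_https:
        for key in ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri"):
            if urlsplit(doc.get(key, "")).scheme != "https":
                problems.append(f"{key} is not served over HTTPS")
    if not redirect.startswith("https://") or not redirect.endswith("/sso/signin-onelogin"):
        problems.append(f"redirect URI {redirect!r} must be HTTPS and end with /sso/signin-onelogin")
    # Response Type and Scopes must be ones the authority advertises; openid is mandatory for OIDC.
    if response_type not in doc.get("response_types_supported", []):
        problems.append(f"response type {response_type!r} not supported by the authority")
    requested = scopes.split()
    if "openid" not in requested:
        problems.append("scope list must include 'openid'")
    for scope in requested:
        if scope not in doc.get("scopes_supported", []):
            problems.append(f"scope {scope!r} not supported by the authority")
    return problems
```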


4. In order to activate SSO for OneLogin:

i. Turn on the feature using the toggle button.



Result

Navigate to the Portal's login screen and you will see an option Log In with OneLogin. To learn further about signing in, read Sign in using OneLogin.




Roles and Permissions

Only Administrators and Managers can configure an SSO App in Portal Settings.