OneLogin is an Identity and Access Management (IAM) system, allowing you to perform Single Sign-On for all your web and mobile applications. The service offers a full-featured federation engine and a flexible access policy. A user can log in with a single ID to gain access to connected systems without being prompted to enter different usernames or passwords.
To learn more about SSO, click here on Understanding Single Sign-On.
This article covers two setups:
- Configuration in OneLogin
- Configuration in VIDIZMO
Configuration in OneLogin
These instructions will allow Manager or Administrator of the Portal to allow users to access their Portal using OneLogin credentials.
1. Go to www.onelogin.com and click on LOG IN.
2. From the login screen:
i. Enter your email address and password.
ii. Then click on the LOG IN button o proceed.
3. From the top menu bar navigation,
i. Click on APPS
ii. Select Company Apps from the dropdown menu.
4. On the Company Apps screen, click on the ADD APP button.
5. You will be redirected to the Find Applications screen:
i. In the search box, type the keyword OpenIdConnect to list all OpenIdConnect related applications.
ii. From the list of search results, select OpenId Connect (OIDC).
6. Clicking on the OpenID Connect (OIDC) opens up its Info screen:
i. Enter a Display Name for your application in OneLogin.
ii. Then click on the Save button to add the application.
Note: To upload an icon for your APP, select from either the rectangle or the square, depending upon the shape of your icon.
7. The next tab is the Configuration tab where you are required to list the Redirect URLs:
8. To map user data with VIDIZMO, some new parameters need to be defined in Onelogin. To do this, click on the Parameters tab.
i. Click on the radio button to select Configured by admin.
ii. Then click on the Add parameter link to start adding parameters to map with your application.
9. A New Field popup window will appear:
i. Enter the Field name of the parameter.
ii. As soon as you add a Field name, the Value field appears where you can select the available options from the dropdown list to map with the Field Name.
iii. Then click on the Save button to proceed to add the parameter.
10. The new parameter gets added successfully and shows up in the table with the rest of the parameters.
11. Repeat the steps above to add the following parameters and their values for OneLogin and your application to communicate successfully:
12. Once the parameters have been defined, click on the SSO tab. You will need the Client ID and the Client Secret when configuring SSO in your VIDIZMO Portal.
i. The Client ID gets generated automatically at this stage.
ii. Click on the Regenerate Client Secret link to generate the client secret.
Configuration in VIDIZMO
1. From the Portal's Homepage,
i. Click on the navigation menu on top left corner.
ii. Expand Admin tab.
iii. Click on the Settings tab and you'll be directed to Portal Settings page.
2. On Portal Settings page,
i. Click on the Apps tab on the left-hand panel.
ii. Further click on the Single Sign-On tab.
iii. Locate the OneLogin App on the screen, and click on the Settings icon at the right-hand side.
3. OneLogin Settings screen offers various fields, each of which is explained below:
i. Client ID: This attribute is the unique identifier for the client application.
ii. Client Secret: The client secret is used in conjunction with Client Id to authenticate the client application.
iii. Authority: This is the login URL used to login to the ID Provider (IDP). Enter here the URL of the App that you created in OneLogin.
iv. Force Login: Select the checkbox to enable forced login and it will take you directly to Okta. When unchecked, it will not redirect automatically to the IDP and you will be required to sign in through your Portal's sign in screen.
v. Requires HTTPS Metadata: Select this check box to get metadata. When the request is handled for the first time, it tries to retrieve some metadata from the authorization server (also called an authority or issuer). This metadata, or discovery document in OpenID Connect terminology, contains the public keys and other details needed to validate tokens.
vi. Callback Path: Specifies the callback location where the authorization will be sent to your Portal. This needs to be appended with the portal's URL when specifying Redirect URI in OneLogin App configuration.
vii. Scope: A space-delimited list of scopes. OpenID Connect uses scope values to specify what access privileges are being requested for access tokens. The scopes associated with access tokens determine which claims are available when they are used to access the OIDC /userinfo endpoint. The following scopes are supported: openid, profile, email, phone, groups etc.
viii. Response Type: Specifies the response type for OIDC authentication. Any combination of code, token, and id_token is used and is an opaque value that can be used to redeem tokens from the token endpoint. In our example, we have used "code" type. The code is returned if the response_type includes code. The code has a lifetime of 60 seconds.
ix. Save Tokens: Select to save tokens. You will need administrator privileges to save. API tokens have the same permissions as the user who creates them, and if the user permissions change, the API token permissions will also change.
x. Get Claims From UserInfo Endpoint: Selecting this option returns claims about the authenticated end user if the UserInfo endpoint claims need to be obtained implicitly.
xi. Attribute Mapping: Attribute Mapping allows you to map your attributes with the IDP's attributes.
xii. Click on the Save Changes button to proceed to the next step to activate SSO using OneLogin.
A notification will appear stating Portal Information Updated Successfully.
4. In order to activate SSO for OneLogin:
i. Turn on the feature using the toggle button.
Navigate to the Portal's login screen and you will see an option Log In with OneLogin. To learn further about signing in, read Sign in using OneLogin.
Roles and Permissions
Only Administrators and Managers can configure an SSO App in Portal Settings.