
Adding Onelogin using SAML access to Password Server

On the OneLogin Side

  1. Create a new Company App using the “SAML Test Connector (IdP w/attr w/sign response)”:
  2. On the Configuration tab of the app, match the following settings, but specific to your AAPS server URL:
    Audience: https://(Your FQDN)/AAPS/ssologin.aspx
    Recipient: https://(Your FQDN)/AAPS/ssologin.aspx
    ACS (Consumer) URL Validator: ^https:\/\/(Your FQDN)/.com$
    ACS (Consumer) URL: https://(Your FQDN)/
  3. On the Parameters tab, you’ll need to add two Custom Parameters:
  4. Match the remaining parameters (some fields can’t be removed from the SAML assertion, so you can just set them to “- No Default -” to avoid sending spurious information along with the SAML request):
  5. On the SSO tab, make sure you’re using a SHA1 certificate:
  6. Click the View Details link on the certificate, and download it as a X.509 PEM:
  7. Go back to the SSO screen and copy down the Issuer URL (we don’t need the SAML 2.0 endpoint nor the SLO endpoint) and note it for later:
  8. Ensure that the OneLogin App is visible to the necessary users
  9. Click on the OneLogin App and copy down the URL that you’re redirected to (be quick) and note it for later:

Configuring the AuthAnvil Password Server

  1. Go to Admin > General Settings > AuthAnvil Two Factor Auth Settings and click the “Single Sign-On Settings” button
  2. Check the box for “Enable Single Sign-On” and match the following:
    Issuer: the Issuer URL from Step 7 above
    Identity Provider Login URL: the URL from Step 9 above
    Identity Provider Logout URL: https://(Your FQDN)/AAPS/logout.aspx (substituting the URL for your AAPS instance)
  3. Upload the certificate you grabbed from OneLogin in Step 6
  4. Click the “Save Changes” button
  5. Users are not Just-In-Time provisioned—you must manually add the users that you wish to use the OneLogin App… match the screens below (make sure the e-mail address matches what’s coming over from OneLogin):

    (set Roles tab as appropriate)
  6. Test the integration
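When the test in step 6 fails, it is usually because one of the values entered above (Issuer, Audience, Recipient) does not match what OneLogin puts in the assertion. The following is an added example, not AuthAnvil or OneLogin code, showing the field checks a service provider applies against those settings; it uses a placeholder FQDN (aaps.example.com), a placeholder issuer URL and a constructed, unsigned sample response, and it deliberately omits XML signature verification with the certificate from step 6.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Added example (not AuthAnvil/OneLogin code): the checks an SP applies to an
# incoming assertion using the values this guide has you enter. Signature
# verification with the step-6 certificate is required too but omitted here
# (needs a non-stdlib library such as xmlsec). FQDN/issuer are placeholders.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED = {
    "issuer": "https://onelogin.example/saml/metadata/PLACEHOLDER",  # step 7
    "audience": "https://aaps.example.com/AAPS/ssologin.aspx",       # Audience
    "recipient": "https://aaps.example.com/AAPS/ssologin.aspx",      # Recipient
}
# Constructed sample response (unsigned, for illustration only).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
  <saml:Issuer>https://onelogin.example/saml/metadata/PLACEHOLDER</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.com</saml:NameID><saml:SubjectConfirmation>
    <saml:SubjectConfirmationData Recipient="https://aaps.example.com/AAPS/ssologin.aspx"
      NotOnOrAfter="2099-01-01T00:00:00Z"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://aaps.example.com/AAPS/ssologin.aspx</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""

def check_assertion(xml_text, expected, now=None):
    """Return a list of mismatches; an empty list means issuer, audience,
    recipient and validity window all agree with the SP-side settings."""
    now = now or datetime.now(timezone.utc)
    a = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if a is None:
        return ["no Assertion element"]
    problems = []
    issuer = a.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected["issuer"]:
        problems.append(f"issuer {issuer!r} != {expected['issuer']!r}")
    audiences = [e.text for e in a.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected["audience"] not in audiences:
        problems.append(f"audience {audiences} lacks {expected['audience']!r}")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected["recipient"]:
        problems.append("recipient missing or does not match the configured URL")
    elif scd.get("NotOnOrAfter"):
        expiry = datetime.fromisoformat(scd.get("NotOnOrAfter").replace("Z", "+00:00"))
        if now >= expiry:
            problems.append("assertion expired (NotOnOrAfter in the past)")
    return problems

if __name__ == "__main__":
    print(check_assertion(SAMPLE, EXPECTED) or "assertion matches SP configuration")
```

Run it against a captured response (with the real FQDN and Issuer URL substituted) to see which of the three settings disagrees before touching the configuration.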


Thanks to Brian Dagan from CWPS for this information.

