SSO With OneLogin (SAML)
This guide provides instructions to set up single sign-on (SSO) with OneLogin using the SAML 2.0 (Security Assertion Markup Language) login standard. In this scenario, OneLogin serves as your identity provider (IdP), authenticating users accessing strongDM as the service provider (SP).
- Users must authenticate using SSO every time they log in to strongDM. Authentications from previous sessions cannot be reused.
- The current SAML integration uses RSA signatures with SHA-256 (RSA-SHA256). The signature lets strongDM verify that a response came from OneLogin and was not altered in transit; it does not encrypt the assertion.
- Email address serves as the default user ID in the SAML assertion.
- A RelayState HTTP parameter cannot be included as part of the SAML request and response.
- IdP-initiated authentication is currently not supported. The user must initiate the login from strongDM.
- The direct upload of an SSO provider's metadata file is not available.
To get started, make sure the following conditions are met:
- In OneLogin, you must be an administrator with the ability to manage application settings.
- In strongDM, your permission level must be set to Administrator.
- Ensure you have a unique identifier for users. Only email address is currently supported.
Use the following steps to configure strongDM to work with your IdP. Once the SAML feature is enabled in strongDM, these values can be copied to the configuration settings used in OneLogin.
- In the strongDM Admin UI, go to Settings > User Management.
- Click the Lock icon to make changes.
- Click Yes to enable single sign-on.
- Select OneLogin (SAML) from the Provider dropdown. With this setting, users log in to strongDM using OneLogin and the SAML protocol.
Verify the settings listed in the Single Sign-on section. Read-only fields are automatically generated based on your organization. You can copy these pre-populated values and paste them into the matching OneLogin configurations described in the next section.
The Metadata URL field cannot be added until you complete the OneLogin configurations. This is a required field that allows strongDM and OneLogin to communicate. Without it, the SSO configuration is incorrect and users cannot log in successfully. After adding the OneLogin configurations, follow the steps in the Add SAML Metadata section to add this URL value in strongDM.
The fields in this section are as follows:
- Metadata URL: Public URL from which strongDM fetches the IdP's SAML metadata. The metadata carries the IdP's entity ID, endpoints, and signing certificate, which is what allows strongDM to validate the signatures on responses from the IdP and so establishes trust.
- Entity ID: String that uniquely identifies strongDM as the SP entity that receives the SAML authentication message from the IdP.
- ACS (Consumer) URL: The strongDM Assertion Consumer Service (ACS) endpoint to which the IdP sends its authentication response; it receives and parses the SAML assertion.
- ACS (Consumer) URL Validator: Regular expression that matches the ACS (Consumer) URL exactly. OneLogin uses it to confirm that the ACS URL presented in a request is the expected one, so that responses are not sent to a look-alike URL.
- Login URL: URL to which OneLogin sends users who open the strongDM application from the OneLogin portal. Because IdP-initiated authentication is not supported, this URL starts the login from the strongDM side.
Select the desired general SSO settings.
Leave the strongDM browser window open and continue with the OneLogin configurations in the next section.
Use the following steps to add the recommended SAML settings in OneLogin. These settings have been tested and confirmed. However, other configuration options may apply.
Log in to the OneLogin admin dashboard using your company name.
Click Applications > Add App.
Search for and select the SAML Custom Connector (Advanced) application type.
Name the application strongDM and click Save.
Once the application is created, go to the Configuration section. Copy and paste the read-only values generated in step 4 of the Configure strongDM section.
- Audience (EntityID): Entity ID value from strongDM
- Recipient: ACS (Consumer) URL value from strongDM
- ACS (Consumer) URL Validator: ACS (Consumer) URL Validator value from strongDM
- ACS (Consumer) URL: ACS (Consumer) URL value from strongDM
- Login URL: Login URL value from strongDM
For the SAML-specific fields, use the following values:
- SAML not valid before: 3 (Default value; the number of minutes before the assertion's issue time at which the assertion is already treated as valid, which tolerates clock drift between OneLogin and strongDM)
- SAML not valid on or after: 3 (Default value; the number of minutes after the issue time at which the assertion expires. Together the two values give a six-minute validity window, which limits how long a captured response could be replayed)
- SAML initiator: Service Provider (Indicates that the SAML request begins at the service provider)
- SAML nameID format: Email (Serves as the attribute within the SAML assertion that specifies the username)
- SAML issuer type: Specific
- SAML signature element: Response
- SAML encryption method: TRIPLEDES-CBC (Default value; this setting only takes effect if you also configure assertion encryption for the application, which is not part of the steps on this page. 3DES-CBC is a legacy cipher, so if you do enable encryption, prefer an AES option)
- SAML sessionNotOnOrAfter: 1440 (Default value that specifies the time period, in minutes, the session is valid for; 1440 minutes is 24 hours)
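The settings above each correspond to a check the SP performs on the Response that OneLogin posts to the ACS URL. The following added example (not strongDM or OneLogin code) makes those checks explicit against a constructed, unsigned Response: Audience against the Entity ID, Recipient and Destination against the ACS URL and its validator regex, the NotBefore/NotOnOrAfter window, the emailAddress NameID format, and SessionNotOnOrAfter. The SP URLs, IdP issuer, user, and issue time are placeholders; a real SP must verify the RSA-SHA256 signature before trusting any of these fields.

```python
"""Check a SAML Response against the SP-side values configured in OneLogin.

Added example, not strongDM or OneLogin code. The Response is constructed and
unsigned, so XML signature verification is out of scope here.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Hypothetical values standing in for the read-only fields in the strongDM Admin UI.
SP_ENTITY_ID = "https://sso.example.test/saml/entity"
SP_ACS_URL = "https://sso.example.test/saml/acs"
# Anchored and dot-escaped so a look-alike host or a trailing path cannot match.
ACS_URL_VALIDATOR = r"^https://sso\.example\.test/saml/acs$"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
IDP_ISSUER = "https://idp.example.test/saml/metadata/strongdm"  # placeholder issuer
ISSUED = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)       # constructed issue time


def _ts(dt):
    """Format a UTC datetime in the xs:dateTime form SAML uses."""
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sample_response(issued, audience=SP_ENTITY_ID, recipient=SP_ACS_URL,
                    name_id_format=EMAIL_FORMAT, window_minutes=3, session_minutes=1440):
    """Constructed, unsigned Response shaped like the one the IdP posts to the ACS URL.

    window_minutes mirrors "SAML not valid before / on or after: 3" and
    session_minutes mirrors "SAML sessionNotOnOrAfter: 1440".
    """
    window = timedelta(minutes=window_minutes)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="{_ts(issued)}" Destination="{recipient}">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{_ts(issued)}">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{name_id_format}">alice@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="{_ts(issued + window)}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{_ts(issued - window)}" NotOnOrAfter="{_ts(issued + window)}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="{_ts(issued)}"
        SessionNotOnOrAfter="{_ts(issued + timedelta(minutes=session_minutes))}"/>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, now):
    """Return the list of failed checks; an empty list means the Response is acceptable."""
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["Response carries no Assertion"]
    # Destination and Recipient must both be the ACS URL ("Recipient" / "ACS (Consumer) URL").
    if root.get("Destination") != SP_ACS_URL:
        problems.append(f"Destination {root.get('Destination')!r} is not the ACS URL")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient", "") if scd is not None else ""
    if not re.fullmatch(ACS_URL_VALIDATOR, recipient):
        problems.append(f"Recipient {recipient!r} fails the ACS URL validator")
    # Audience must be the SP Entity ID ("Audience (EntityID)").
    cond = assertion.find("saml:Conditions", NS)
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        problems.append(f"Audience {audiences} does not name {SP_ENTITY_ID}")
    # Validity window written by the IdP from "SAML not valid before / on or after".
    if now < _parse_ts(cond.get("NotBefore")):
        problems.append("assertion not yet valid")
    if now >= _parse_ts(cond.get("NotOnOrAfter")):
        problems.append("assertion expired")
    # NameID must be the email address ("SAML nameID format: Email").
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID is not in emailAddress format")
    # Session lifetime from "SAML sessionNotOnOrAfter".
    authn = assertion.find("saml:AuthnStatement", NS)
    sess = authn.get("SessionNotOnOrAfter") if authn is not None else None
    if sess and now >= _parse_ts(sess):
        problems.append("IdP session already expired")
    return problems


def check_at(offset_minutes, **overrides):
    """Check a sample issued at ISSUED, evaluated offset_minutes after issue."""
    return check_response(sample_response(ISSUED, **overrides),
                          ISSUED + timedelta(minutes=offset_minutes))
```

With the three-minute window, `check_at(1)` and `check_at(-2)` pass, `check_at(-4)` reports the assertion as not yet valid, and `check_at(3)` reports it expired. Overriding `audience` or `recipient` shows why the OneLogin fields must be copied exactly from strongDM: a look-alike host such as `sso-example.test` fails both the Destination comparison and the validator regex.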
Confirm that the email addresses for all users are identical in both strongDM and OneLogin.
To ensure users can access all intended resources, add each user to the strongDM application in OneLogin. This task cannot be accomplished from the app configuration area. Instead, go to Users > Users. Click the user's name and select Applications from the side navigation.
Continue with the next section to add your SAML metadata to strongDM.
Add SAML Metadata
SPs and IdPs swap XML metadata to share configurations, establish trust, and communicate with each other. For this purpose, you can copy the SAML metadata from OneLogin to the SSO section in the strongDM Admin UI. After you have configured the application settings in OneLogin, use these steps to add the IdP metadata URL to strongDM. This value is required for your SSO configuration to work correctly.
- From the admin dashboard in OneLogin, click Applications > Applications.
- Click to select the strongDM application.
- Select SSO from the side navigation.
- Copy the value in the Issuer URL field.
- Go to the strongDM browser window you left open while configuring the OneLogin (SAML) settings.
- In the Single Sign-on section, paste the copied Issuer URL value from OneLogin into the Metadata URL field in strongDM.
- Click Save to complete the setup.
The SAML metadata is currently cached for three hours, so changes made in OneLogin that are published through the metadata (for example, a new signing certificate) may not take effect in strongDM immediately.
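Because strongDM fetches and caches whatever the Metadata URL returns, it is worth inspecting that document before pasting the Issuer URL. The following added example (not strongDM or OneLogin code) parses IdP metadata from a string and reports the facts an SP consumes: entity ID, SingleSignOnService endpoints for the SP-initiated flow, advertised NameID formats, and the number of usable signing certificates. It also shows the two common failure shapes, a non-XML or truncated body and an HTML sign-in page returned by the wrong URL. The hostnames and certificate bytes in the sample are constructed placeholders; fetch the real document with any HTTP client and pass the body in.

```python
"""Inspect the document served at the OneLogin Issuer URL before using it as
the strongDM Metadata URL.

Added example, not strongDM or OneLogin code. Sample metadata, hostnames and
certificate bytes below are constructed placeholders.
"""
import base64
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def summarize_idp_metadata(xml_text):
    """Return a dict of the IdP facts an SP consumes plus a 'problems' list.

    An empty 'problems' list means the document is IdP metadata with an SSO
    endpoint for an SP-initiated AuthnRequest and at least one signing certificate.
    """
    out = {"entity_id": None, "sso": {}, "signing_certs": 0,
           "name_id_formats": [], "problems": []}
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as err:
        out["problems"].append(f"not well-formed XML: {err}")
        return out
    if root.tag != f"{{{MD}}}EntityDescriptor":
        # Typical when the URL returns a sign-in page or an error page instead.
        out["problems"].append(f"root element is {root.tag}, expected md:EntityDescriptor")
        return out
    out["entity_id"] = root.get("entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        out["problems"].append("no IDPSSODescriptor; this is not IdP metadata")
        return out
    out["sso"] = {s.get("Binding"): s.get("Location")
                  for s in idp.findall("md:SingleSignOnService", NS)}
    if HTTP_REDIRECT not in out["sso"] and HTTP_POST not in out["sso"]:
        out["problems"].append("no SingleSignOnService endpoint for an SP-initiated AuthnRequest")
    out["name_id_formats"] = [n.text.strip() for n in idp.findall("md:NameIDFormat", NS)]
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a missing 'use' means signing and encryption
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            try:
                der = base64.b64decode("".join((cert.text or "").split()), validate=True)
            except ValueError:
                der = b""
            if not der.startswith(b"\x30"):  # a DER certificate begins with a SEQUENCE tag
                out["problems"].append("X509Certificate is not base64-encoded DER")
                continue
            out["signing_certs"] += 1
    if out["signing_certs"] == 0:
        out["problems"].append("no signing certificate; Response signatures cannot be validated")
    return out


# Constructed placeholder: a DER-looking blob, not a real certificate.
FAKE_CERT_B64 = base64.b64encode(b"\x30\x82\x00\x10" + bytes(16)).decode()

SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.test/saml/metadata/strongdm">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>{EMAIL_FORMAT}</md:NameIDFormat>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://idp.example.test/sso/redirect"/>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://idp.example.test/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# What a wrong URL (for example the application's login page) typically returns.
NOT_METADATA_HTML = "<html><body><h1>Sign in</h1></body></html>"
```

Run `summarize_idp_metadata` on the body returned by the Issuer URL: an empty `problems` list and a non-zero `signing_certs` count is what you want before saving the Metadata URL in strongDM. A "root element is html" problem means the URL is not the metadata endpoint, which is the situation behind the invalid-XML login errors described in the troubleshooting notes below.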
When troubleshooting your SAML integration, note that the following can prevent successful user logins:
- The correct SAML metadata URL must be added in strongDM. If this URL is incorrect (for example, it returns a sign-in page or an error page rather than SAML metadata), login attempts may fail with errors that the XML is invalid.
- If the application is misconfigured or the field values are wrong in OneLogin, you can get a permission denied error in strongDM. This error also displays if the user is not added to the app in OneLogin.
If any errors occur or if you have any further questions about the things covered on this page, please contact your account team for assistance.