SSO OneLogin Setup

The following instructions set up an identity provider in OneLogin.

Introduction

OneLogin is a Single Sign-On (SSO) Provider and application portal that supports SAML 2.0, OpenID Connect, and form-based authentication. Tehama can be integrated with OneLogin through SAML 2.0 and presented as a managed application alongside other OneLogin integrated applications.

Once enabled, authentication to Tehama must go through OneLogin - local authentication through https://app.tehama.io is no longer possible except with the Tehama Admin account. The OneLogin/Tehama integration is limited to authentication only.

User accounts are required for both OneLogin and Tehama. Both accounts must be configured with the same email address for SSO to work, and the user must accept the Tehama Welcome email before they will be able to launch a connection via OneLogin SSO.

Integration Summary

Integration with OneLogin SSO is a four-step process:

  1. Obtain initial configuration settings from Tehama
  2. Create an application in OneLogin
  3. Obtain the required Federation Metadata XML from OneLogin
  4. Enter it back into Tehama

Prerequisites for OneLogin Integration

  • A Tehama Account with Admin privileges
  • A OneLogin account with Super User privileges

Setup Time - 10 minutes

Create a connected application

Log in to Tehama using the Admin Account and click the SETTINGS tab in the navigation bar.

Select the AUTHENTICATION tab.

Check "Enable SAML Single-Sign on".

Tehama Organization Authentication Page with SAML-disabled

Make a note of the Entity ID and Callback URL (Assertion Consumer Service URL) values.

Open a second browser tab and sign in to your OneLogin Admin Account.

Select Administration from the top level menu on the App Portal.

OneLogin Top Level

Select Apps from the top level menu on the Administration page and then select Add Apps from the second level menu.

OneLogin Add Apps

Enter “SAML Test Connector” in the Search box and select the SAML Test Connector (IdP) application.

OneLogin Search for SAML Test Connector

OneLogin Found SAML Test Connector (IdP)

OneLogin SAML Test Connector (IdP)

Complete the Application Details (you may download and save a copy of the Tehama logo image, Tehama Logo, to use as the application logo) and click SAVE.

OneLogin SAML Test Connector (IdP) More Actions

Select SAML Metadata from the More Actions drop-down menu to obtain a copy of the Federation Metadata; it will be saved as onelogin_metadata_#######.xml.

Open the Configuration tab.

OneLogin SAML Test Connector (IdP) Configuration Tab

Copy the Entity ID from the AUTHENTICATION METHOD section of the Tehama Web UI's Authentication page and paste it into the ACS (Consumer) URL Validator field.

Copy the Callback URL from the AUTHENTICATION METHOD section of the Tehama Web UI's Authentication page and paste it into the ACS (Consumer) URL field.

Leave all other fields at their default values.

Click Save.

Click Finish.

To complete the Tehama SSO setup, open the downloaded XML file onelogin_metadata_#######.xml and copy its contents to the clipboard.

Return to the Tehama Web UI and enable SSO by ticking the Enable SAML Single-Sign On checkbox (if not already enabled), then paste the IdP metadata into the Federation Metadata XML box and click SAVE.

Tehama Organization Authentication Page with SAML-enabled

Now that this step is complete, each existing team member in your organization will receive an email inviting them to configure their SSO login by clicking the provided link, CONFIGURE SSO LOGIN, and following the instructions.

Each subsequently added team member will receive the same email and must also configure their SSO login by clicking on the provided link.

Tehama SSO Configuration is now complete.

You will still need to return to the OneLogin console and assign Users and Groups as appropriate for your organization before Tehama can be accessed through the OneLogin integration.