SSO OneLogin Setup
The following instructions set up an identity provider in OneLogin.
OneLogin is a Single Sign-On (SSO) Provider and application portal that supports SAML 2.0, OpenID Connect, and form-based authentication. Tehama can be integrated with OneLogin through SAML 2.0 and presented as a managed application alongside other OneLogin integrated applications.
Once enabled, authentication to Tehama must be made through OneLogin - local authentication through https://app.tehama.io is no longer possible except by using the Tehama Admin account. OneLogin/Tehama Integration is limited to authentication only.
User accounts are required for both OneLogin and Tehama. Both accounts must be configured with the same email address for SSO to work, and the user must accept the Tehama Welcome email before they will be able to launch a connection via OneLogin SSO.
Integration with OneLogin SSO is a four step process as follows.
- Obtain initial configuration settings from Tehama
- Create an application in OneLogin
- Obtain the required Federation Metadata XML from OneLogin
- And enter it back into Tehama
Prerequisites for OneLogin Integration
- A Tehama Account with Admin privileges
- A OneLogin account with Super User privileges
Setup Time - 10 minutes
Create a connected application
Login to Tehama using the Admin Account and click on the SETTINGS tab in the navigation bar.
Select the AUTHENTICATION tab.
Check "Enable SAML Single-Sign on".
Make a note of the Entity ID and Callback URL (Assertion Consumer Service URL) values.
Open a second browser tab and sign in to your OneLogin Admin Account.
Select Administration from the top level menu on the App Portal.
Select Apps from the top level menu on the Administration page and then select Add Apps from the second level menu.
Enter “SAML Test Connector” in the Search box
and select the SAML Test Connector (IdP) application.
Complete the Application Details - you may download and save a copy of this image to use as the logo and click SAVE.
Select SAML Metadata from the More Actions drop down menu to obtain a copy of the Federation Metadata, it will be saved as onelogin_metadata_#######.xml.
Open the Configuration tab.
Copy the Entity ID from the AUTHENTICATION METHOD section of the Tehama Web UI's Authentication page and paste it into the ACS (Consumer) URL Validator field.
Copy the Callback URL from the AUTHENTICATION METHOD section of the Tehama Web UI's Authentication page and paste it into the ACS (Consumer) URL field.
Leave all other fields at their default values.
To complete the Tehama SSO setup open the downloaded XML file onelogin_metadata_#######.xml and copy the contents of the file to the clipboard.
Return to the Tehama Web UI and enable SSO by clicking on the checkbox to Enable SAML Single-Sign On (if not already enabled) then paste the IDP metadata into the Federation Metadata XML box.
and click SAVE.
Now that you have completed this step, each existing team member in your organization will receive an email inviting them to configure their SSO login by clicking on the provided link, CONFIGURE SSO LOGIN, and to follow the instructions.
Each subsequently added team member will receive the same email and must also configure their SSO login by clicking on the provided link.
Tehama SSO Configuration is now complete.
You will still need to return to the OneLogin Console to assign User and Groups as appropriate for your organization before it will be possible to access Tehama using OneLogin integration.