Step 1: Create an account with OneLogin and log in to your owner account

*Please note you will need to have an “Owner Account” to configure the SSO settings.*





Step 2: Create the App


Navigate to Administration > Apps > Add Apps in the OneLogin administrator dashboard. Search for 'SAML Test Connector'.








a. Add the SAML connector app "SAML Test Connector (IdP w/ attr w/ sign response)"

-SAML Test Connector (IdP w/attr w/ sign response): Along with all the functionality of the basic IdP w/attr connector, this version signs the SAML response rather than only the assertion, which is what the IdP and IdP w/attr connectors sign.


b. Change the app name if desired


c. Click save




Step 3: Configure the App



a. Modify configuration

There are several parameters available for configuration. The purpose of every field is described here, but not all of them are required to make the app functional. Required fields are marked as such.

  • Relay State
    • This is the SAML version of deep linking. This field will accept a URL that will immediately redirect the user to a particular place in your application. If no URL is present, the app will take the user to the default home page.
  • Audience
    • The URL placed in this field goes along with the ACS (Consumer) URL. The URL here will be one that describes an entity that is expected to receive the SAML message. Typically, the format for this URL would resemble a simple domain, so for an ACS (Consumer) URL of https://mySafeConsoleServer.com/safeconsole/sso-login/acs, the Audience URL would be mySafeConsoleServer.com.
  • Recipient
    • The Recipient URL is another layer of security to make sure that the SAML response is meant for you and only you. The Recipient will tell you exactly who the SAML response is for, but the Audience will tell you, at a broader level, where the response should go. So for example, the Recipient could be Yankee Stadium, while the Audience could be New York City.


Using both Audience and Recipient values is recommended.


  • ACS (Consumer) URL **Required**
    • The endpoint on your SafeConsole server to which OneLogin POSTs the SAML response. In the example above this is https://mySafeConsoleServer.com/safeconsole/sso-login/acs.
  • ACS (Consumer) URL Validator **Required**
    • This field is used by OneLogin to ensure that we POST the response to the right place. It is a regex that takes the form of your previously entered ACS (Consumer) URL, but with anchors ('^' and '$') at the beginning and end of the string, and all special characters escaped with a backslash ('\'). For example, the validator for the ACS (Consumer) URL above, https://mySafeConsoleServer.com/safeconsole/sso-login/acs, would be:
      • ^https\:\/\/mySafeConsoleServer\.com\/safeconsole\/sso-login\/acs$
    • Creating a secure ACS (Consumer) URL Validator value is key to the security of the connector. If this value is misconfigured, an attacker could forge Authentication Requests to mySafeConsoleServer.com. For example, if the anchors were missing from the previous validator (i.e. https\:\/\/mySafeConsoleServer\.com\/safeconsole\/sso-login\/acs) then it could be bypassed with an ACS (Consumer) URL of:


  • SLO URL
    • This will be the logout endpoint address to which, upon the user logging out of OneLogin, OneLogin will send a logout request. The logout endpoint address will then send a logout response back, completely logging the user out of the application. For this feature to work, you'll need to implement Single Log-Out.
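The validator rule described above (anchor the ACS URL at both ends and backslash-escape its special characters) is easy to get subtly wrong. The following is an added example, not part of the original guide and not OneLogin's own code: it derives the validator from an ACS URL in the same escaping style OneLogin shows, and audits a validator by checking for anchors and probing it with constructed near-miss URLs that a correct validator must reject. The host name is the sample one used in the text above and is assumed, not a real server.

```python
import re

# Constructed sample ACS URL, the same one used in the text above (assumed, not a real host).
ACS_URL = "https://mySafeConsoleServer.com/safeconsole/sso-login/acs"


def escape_for_validator(url: str) -> str:
    """Backslash-escape every character except letters, digits, '-' and '_'.

    This reproduces the escaping style shown in the validator example above
    (':' and '/' are escaped too, '-' in 'sso-login' is left alone).
    """
    return "".join(c if (c.isalnum() or c in "-_") else "\\" + c for c in url)


def build_acs_validator(acs_url: str) -> str:
    """Return the anchored validator regex for an ACS URL."""
    return "^" + escape_for_validator(acs_url) + "$"


def validator_accepts(validator: str, candidate_acs_url: str) -> bool:
    """True if the validator regex matches the candidate anywhere in the string.

    re.search is used deliberately: a validator without anchors only has to
    match a substring, which is exactly the weakness being audited.
    """
    return re.search(validator, candidate_acs_url) is not None


def audit_validator(validator: str, acs_url: str) -> list:
    """Return a list of findings for a validator; an empty list means it looks sound."""
    findings = []
    if not validator.startswith("^"):
        findings.append("missing '^' anchor: characters could be prepended to the ACS URL")
    if not validator.endswith("$"):
        findings.append("missing '$' anchor: characters could be appended to the ACS URL")
    if not validator_accepts(validator, acs_url):
        findings.append("validator does not match the real ACS URL")
    # Constructed near-miss URLs: each differs from the real ACS URL and must be rejected.
    # The third one replaces the first '.' and catches an unescaped '.' (which matches any character).
    probes = (acs_url + "x", "x" + acs_url, acs_url.replace(".", "X", 1))
    for probe in probes:
        if validator_accepts(validator, probe):
            findings.append("validator accepts a non-identical URL: " + probe)
    return findings


if __name__ == "__main__":
    good = build_acs_validator(ACS_URL)
    print("validator:", good)
    print("findings (anchored, escaped):", audit_validator(good, ACS_URL))
    print("findings (no anchors):", audit_validator(escape_for_validator(ACS_URL), ACS_URL))
    print("findings (anchors, no escaping):", audit_validator("^" + ACS_URL + "$", ACS_URL))
```

Running the audit against the three variants shows why both halves of the rule matter: the unanchored pattern is reported as accepting URLs with extra characters before or after the real ACS URL, and the anchored-but-unescaped pattern is reported as accepting a host where the '.' has been replaced, because an unescaped '.' matches any character.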



b. Define user accessibility

At this point app configuration is essentially complete; however, the app is not yet accessible to any users. Users are given access to apps based on the roles assigned to them. To modify which roles have access to this app, navigate to "Access" and select all the roles you wish to grant access.

Note: By default the user's role MUST be exactly "SUPPORT", "MANAGER", or "ADMINISTRATOR", or else attempts to log in to SafeConsole will fail. Details for changing this are provided in the "The 'Member of' Attribute" section. A user with the role selected below, "SUPport", would fail when attempting to log in.






Step 4: Configure SafeConsole


a. Download the SAML metadata of your newly configured app

b. Upload the metadata to your SafeConsole server




The "Member of" Attribute

The "Parameters" section of app configuration defines the user information that the app sends to SafeConsole when a login is attempted. SafeConsole uses the "Member of" attribute to determine the level of permissions an SSO user will log in to SafeConsole with (e.g. if the "Member of" attribute evaluates to "ADMINISTRATOR", then the user will be logged in with admin privileges). By default, OneLogin sets the value of the "Member of" attribute to the user's role within OneLogin.


If desired, the value used to define "Member of" can be changed.

Note: "Member of" MUST evaluate to exactly "ADMINISTRATOR", "MANAGER", or "SUPPORT", in all caps, in order to successfully log in to SafeConsole. This means that if we change the value assigned to the "Member of" attribute to "Title", then the user's title must be exactly "ADMINISTRATOR", "MANAGER", or "SUPPORT". The value can also only contain one item, or else SafeConsole will be unable to differentiate (e.g. if role is used to define "Member of", then the user cannot have multiple roles).

Note: The app's "Member of" attribute is not to be confused with an individual user's "memberOf" attribute. The user's "memberOf" attribute has no bearing on their permissions within SafeConsole, unless configured otherwise.
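To make the "Member of" rules above concrete, here is an added example that is not part of the original guide and not SafeConsole's own code: it builds a minimal, constructed SAML 2.0 assertion carrying a "Member of" attribute, extracts that attribute's values, and applies exactly the rule stated above (one value, and it must be one of the three role names in upper case). The assertion is deliberately reduced to the AttributeStatement; a real assertion would also carry a Subject, Conditions and a Signature, which this example does not model.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional
from xml.sax.saxutils import escape

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ALLOWED_ROLES = ("ADMINISTRATOR", "MANAGER", "SUPPORT")


def make_assertion(member_of_values: List[str], attribute_name: str = "Member of") -> str:
    """Build a constructed, minimal SAML assertion with one multi-valued attribute.

    This is sample input for the example only; it is not what OneLogin emits verbatim.
    """
    values = "".join(
        '<saml:AttributeValue>%s</saml:AttributeValue>' % escape(v) for v in member_of_values
    )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        '<saml:AttributeStatement>'
        '<saml:Attribute Name="%s">%s</saml:Attribute>'
        '</saml:AttributeStatement>'
        '</saml:Assertion>' % (escape(attribute_name), values)
    )


def member_of_values(assertion_xml: str, attribute_name: str = "Member of") -> List[str]:
    """Return every AttributeValue of the named attribute, in document order."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == attribute_name:
            for value in attr.findall("saml:AttributeValue", SAML_NS):
                values.append((value.text or "").strip())
    return values


def resolve_role(values: List[str]) -> Optional[str]:
    """Apply the rule from the note above: exactly one value, exactly one of the allowed names.

    Returns the role name on success and None when the login should be refused.
    Comparison is case-sensitive on purpose, so "SUPport" is rejected just like the
    role shown in the access step.
    """
    if len(values) != 1:
        return None  # missing or multi-valued: SafeConsole cannot differentiate
    return values[0] if values[0] in ALLOWED_ROLES else None


if __name__ == "__main__":
    for sample in (["ADMINISTRATOR"], ["SUPport"], ["MANAGER", "SUPPORT"], []):
        xml = make_assertion(sample)
        print(sample, "->", resolve_role(member_of_values(xml)))
```

The sample run shows the three failure modes the notes describe: a lower-case or mixed-case value, more than one value, and no value at all each resolve to None, while a single upper-case role name resolves to that role.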