OneLogin

An Identity Provider (IdP) vouches for the identity of a person through the use of an authentication token. Virtual Appliance uses an IdP for several things, including logging in to the Admin Console and portals, deploying printers, releasing print jobs, and more.

If you use an IdP, the Control Panel Application (CPA) only supports badge and PIN authentication.

JIT Provisioning is the only option available when using OneLogin with the Virtual Appliance.

Configure Connection

To add and configure app properties for the Virtual Appliance connection do the following:

  1. Create OneLogin App.
  2. Add IdP Template.
  3. Configure Single Sign On.
    1. Configure Parameters.
  4. Add the X-509 Certificate.
  5. Complete IdP Settings.
  6. Assign Access.
  7. JIT Provisioning.
  8. Add Virtual Appliance Admins.

1. Create OneLogin App

  1. In your preferred browser log in to your OneLogin Admin Portal. https://<your domain>.onelogin.com/login
  2. Hover your pointer over Applications in the top menu, then select Applications.

    OneLogin portal with the top Applications menu expanded and the Applications sub-option showing.

  3. Select Add App in the upper-right of the Applications window.
  4. Search for and select the SAML Custom Connector (Advanced) app.
  5. Give your app a unique display name and description.
  6. Select Save.

Add SAML Custom Connector tab with the display name highlighted, the Visible in Portal option enabled, and the Save button in the upper right.

Leave the current browser tab open to the new app page. To continue the app configuration, you need to open another browser tab and access the service provider information.

If the IdP Settings page does not look like the image shown below, you may not be using the latest version and should contact Product Support to upgrade your IdP settings.

2. Add IdP Template

When configuring this IdP through Virtual Appliance, use the Custom option in the IdP Template drop-down.

  1. In a separate browser tab, open your Virtual Appliance Admin Console and sign in.
  2. Select Tools then Settings then General, and scroll down to the Identity Provider Settings section.
  3. Select IdP, and then select Add.
  4. Select the identity provider you want to configure in the IdP Template drop-down.
  5. Select SAML2 in the Authentication Protocol section.
  6. For Provisioning, check the box for JIT provisioning. JIT is assumed to be used for most Virtual Appliance applications.

    When you consider how to set up your IdP configuration, be aware that SCIM provisioning requires an open connection from the IdP into the Virtual Appliance instance gateway container. We recommend JIT provisioning when setting up your IdP connection.

  7. In the Name field, enter the name you want displayed on the login button for users, e.g. My Company, Login, Acme Corp, etc.
  8. Scroll down and select the desired enable setting(s).
    • Enable for End Users Login — Allows end users to log in using this IdP. (Self-service Portal)
    • Enable for Admin Login — Allows Admin users to log in using this IdP. (Admin Console)
    • Both boxes can be checked when using a single IdP, or if the admin and end users use the same IdP to log in.

Keep the IdP Settings screen open so that the Service Provider Information at the bottom is available for the following steps.

IdP Settings window showing the different fields and the Service provider information section.

3. Configure Single Sign On

  1. In OneLogin, select the app's Configuration option from the left-side menu.
  2. In the Virtual Appliance Admin Console IdP Settings window, copy the Relay State and paste it into the OneLogin RelayState field.
  3. In the IdP Settings window, copy the Identifier (Entity ID) and paste it into the OneLogin Audience (Entity ID) field.
  4. In the IdP Settings window, copy the Reply URL (ACS) and paste it into both the OneLogin ACS (Consumer) URL Validator and ACS (Consumer) URL fields.
  5. Any other fields can be left at their default values or configured as desired.
  6. Select Save.
  7. Select the OneLogin app's SSO option in the left-menu.
  8. Copy the OneLogin Issuer URL and paste it into the Admin Console Issuer URL field.

    Leave the Admin Console Issuer ID field blank.

  9. Copy the OneLogin SAML 2.0 Endpoint (HTTP) value and paste it into the Admin Console SSO URL field.
  10. Select Save.

SAML Custom Connector's Configuration tab with the ACS (Consumer) URL Validator and ACS Consumer URL fields.

Configure Parameters

  1. Select the app's Parameters option in the left-menu.
  2. Select the + button.

    Parameters tab showing the SAML Custom fields and the plus sign to the right.

  3. In the Field name field, enter “FirstName”.
  4. Check the Include in SAML assertion box then select Save.

    New Field pop-up with the enabled Include in SAML Assertion option in the Flags section.

  5. In the Edit Field modal Value drop-down, select “First Name” then select Save.
  6. Repeat these steps for the following parameters.
    1. Field Name: LastName, Value: Last Name.
    2. Field Name: Email, Value: Email.
    3. Field Name: Username, Value: Username.
  7. Select Save.

SAML Custom Connector's Parameters tab with the added fields highlighted, and the Save button in the upper right.
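The values exchanged in the Configure Single Sign On and Configure Parameters steps are exactly what the service provider must check before it trusts an incoming SAML response: the Issuer URL, the Audience (Entity ID), the ACS (Consumer) URL, and the four custom parameters. The following script is an added example, not code from the Virtual Appliance or OneLogin; the `CONFIG` values and the sample response are constructed placeholders standing in for the real Service Provider Information, and signature validation of the response is assumed to be done separately (it is not shown here).

```python
"""Added example (not the Virtual Appliance's or OneLogin's own code).

Validates a SAML 2.0 response against the values configured in steps 3 and
Configure Parameters: Issuer must match the Issuer URL, Audience must match
the Entity ID, the assertion must be addressed to the ACS URL, and the
FirstName/LastName/Email/Username parameters must all be present so that a
JIT user record can be built. Signature checking is assumed to happen
elsewhere and is out of scope for this example.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed placeholders for the Service Provider Information shown in the
# IdP Settings window and the OneLogin SSO tab.
CONFIG = {
    "issuer_url": "https://app.onelogin.com/saml/metadata/EXAMPLE-APP-ID",
    "entity_id": "https://va.example.com/saml/metadata",
    "acs_url": "https://va.example.com/saml/acs",
}

# The custom parameters added in the Configure Parameters step.
REQUIRED_ATTRS = ("FirstName", "LastName", "Email", "Username")


@dataclass
class JitUser:
    username: str
    email: str
    first_name: str
    last_name: str


def _text(elem, path):
    node = elem.find(path, NS)
    return node.text.strip() if node is not None and node.text else ""


def validate_response(xml_text: str, config=CONFIG) -> JitUser:
    """Reject the response unless issuer, audience and recipient all match."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")

    issuer = _text(assertion, "saml:Issuer")
    if issuer != config["issuer_url"]:
        raise ValueError(f"issuer mismatch: {issuer!r}")

    audience = _text(assertion, "saml:Conditions/saml:AudienceRestriction/saml:Audience")
    if audience != config["entity_id"]:
        raise ValueError(f"audience mismatch: {audience!r}")

    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != config["acs_url"]:
        raise ValueError("assertion is not addressed to the configured ACS URL")

    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        if values:
            attrs[attr.get("Name")] = values[0]
    missing = [name for name in REQUIRED_ATTRS if not attrs.get(name)]
    if missing:
        raise ValueError(f"assertion missing parameters: {missing}")

    return JitUser(username=attrs["Username"], email=attrs["Email"],
                   first_name=attrs["FirstName"], last_name=attrs["LastName"])


def check(xml_text: str, config=CONFIG) -> str:
    """Return 'ok' or the rejection reason, suitable for a log line."""
    try:
        validate_response(xml_text, config)
        return "ok"
    except ValueError as exc:
        return str(exc)


# Constructed sample response (no signature) matching CONFIG.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://app.onelogin.com/saml/metadata/EXAMPLE-APP-ID</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jdoe</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://va.example.com/saml/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://va.example.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check(SAMPLE_RESPONSE))
    print(validate_response(SAMPLE_RESPONSE))
```

Running the script prints `ok` followed by the JIT user record built from the four parameters. A response whose Audience does not equal the Entity ID, or whose attribute names differ from the ones entered in the Parameters tab (for example `Mail` instead of `Email`), is rejected with the reason, which is the symptom to look for when the first IdP login loops back to the login page for a reason other than JIT user creation.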

4. Add the X-509 Certificate

  1. Select the OneLogin app's SSO option in the left-menu.
  2. In the SSO window's X.509 Certificate section, right-click on the View Details link and select Open in new tab.

    SSO window showing the View Details link underneath the X.509 Certificate section.

    If you don't open the link in a new tab that's fine. After completing this section you'll need to navigate back to the app you created. Hover over Applications in the top-menu, select Applications, then select your app from the Applications page.

  3. Scroll down to the X.509 Certificate section and copy the certificate body, including the Begin / End Certificate headers.

    Certificate window showing the x-509 certificate content highlighted, excluding the Begin/end certificate portions.

  4. Paste the certificate into the Admin Console X-509 Certificate field.
  5. Select Apply in Admin Console.
  6. Select Save at the top-right corner of the General page.

IdP Settings template showing the X509 cert and other fields configured.
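Step 3 above asks for the certificate body including the Begin / End Certificate headers, and a paste that drops a header, picks up Windows line endings, or truncates the base64 body is the usual cause of a signature failure at first login. The following script is an added example, not code from the Virtual Appliance or OneLogin; it normalises pasted certificate text and checks that the body decodes to DER before it goes into the X-509 Certificate field. The sample paste is a constructed placeholder (a five-byte DER SEQUENCE, not a real certificate).

```python
"""Added example (not the Virtual Appliance's or OneLogin's own code).

Normalises certificate text copied from OneLogin's X.509 Certificate page:
tolerates surrounding whitespace and CRLF line endings, requires the
BEGIN/END CERTIFICATE headers, checks that the body is strict base64, and
checks that the decoded bytes start with a DER SEQUENCE tag (0x30), which
is the outer structure of every X.509 certificate.
"""
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def normalize_pem(pasted: str) -> str:
    """Return a clean PEM block (64-column body, LF endings) or raise ValueError."""
    lines = [ln.strip() for ln in pasted.replace("\r\n", "\n").split("\n")]
    lines = [ln for ln in lines if ln]
    if not lines or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("certificate must include the BEGIN/END CERTIFICATE headers")
    body = "".join(lines[1:-1])
    try:
        # validate=True rejects stray characters instead of silently skipping them
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate body is not valid base64: {exc}") from None
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE, so not an X.509 certificate")
    wrapped = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([BEGIN, *wrapped, END]) + "\n"


def check_paste(pasted: str) -> str:
    """Return 'ok' or the reason the pasted text would be rejected."""
    try:
        normalize_pem(pasted)
        return "ok"
    except ValueError as exc:
        return str(exc)


# Constructed sample: CRLF endings, leading spaces, and a placeholder DER body
# (bytes 30 03 02 01 01 -> "MAMCAQE="), not a real certificate.
SAMPLE_PASTE = "  -----BEGIN CERTIFICATE-----\r\nMAMCAQE=\r\n-----END CERTIFICATE-----\r\n"

if __name__ == "__main__":
    print(normalize_pem(SAMPLE_PASTE), end="")
    print(check_paste("MAMCAQE="))
```

The three failure messages map to the three paste mistakes worth checking for: missing headers, a body that is not strict base64 (typically a truncated copy), and a body that decodes but is not DER (typically the wrong text copied from the page).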

5. Complete IdP Settings

  1. On the Admin Console General page, navigate back to the Identity Provider Settings section.
  2. To have Virtual Appliance prompt your users to authenticate through the IdP when performing any function requiring authorization, such as installing a printer, select the Automatically Open Browser to Login on Desktop Client option.

    If this option is not selected, the user must manually navigate to the IdP login screen to sign in.

  3. We recommend enabling the Use Loopback with SAML2 option. The IdP needs to provide an authentication token to the desktop clients whenever authentication happens. This option allows the client to handle the token and automatically log in without interaction from end users.

    General tab's Identity Provider Settings section with the IdP option selected and two additional options selected below the IdP.

  4. Selecting Use Domain User (Windows only) automatically authorizes domain-joined Windows users without requiring login through the configured IdPs.
  5. Select Save in the top-right corner of the General page.

6. Assign Access

  1. In the OneLogin Admin Portal, select the app's Access option.
  2. Select the Group(s) of users you want to have access to the Virtual Appliance application, and select Save.
  3. Select the Users option and verify the appropriate users have been assigned to the application.

SAML Custom Connector's Access tab with the Roles section near the bottom and the Save button in the upper right.

7. JIT Provisioning

JIT does not support the provisioning of group membership associations, so you cannot apply RBAC roles, printer deployments or portal security roles to groups. All assignments have to be done individually for each user.

When using JIT Provisioning, the application creates users during the first sign-in attempt.

  1. Access your Virtual Appliance instance and select Sign in with <IdP Name>.
  2. Attempt to log in with your IdP credentials.
  3. This login attempt will fail and return you to the login page.

    This is expected. With JIT, this action triggers the user creation in the instance.

  4. The following login attempt with valid credentials initiates a typical login sequence.

Administrators who need access to the Admin Console still need to be added to the Tools then Users page using the steps in Admin Console Users.

8. Add Virtual Appliance Admins

For steps on assigning users and roles to the Virtual Appliance Admin Console reference Admin Console Users.