Setting up SSO with OneLogin

Introduction

Apteco offers single sign-on (SSO) with a few different providers, and this article takes an administrator through the process of setting it up for use with OneLogin.

Create your OneLogin account

You can start a free OneLogin trial here: onelogin.com/free-trial

Once you have created and verified your OneLogin account, you can then create the app.

You can configure this SSO provider to use OpenID Connect.

This is a much simpler configuration than SAML as it does not require installation of an Orbit login service. See the article Setting up SSO with OpenID Connect for more information. To instead use SAML, follow the steps below.

Create App

To create your app in OneLogin:

  1. Login to the OneLogin portal.

  2. Click Administration.

  3. Click Applications, then select Applications from the drop-down menu.

  4. Click Add App.

  5. Search for “SAML Custom Connector” and select SAML Custom Connector (Advanced).

  6. Change the Display Name and add icons.

  7. Click Save.

After saving, the App is generated and can then be configured. Add the icons again.

Configuration

Go to the Configuration tab and enter the following details:

Setting: RelayState
  Value: https://<server name>/Orbit/en/external-login
  Details: Where the login lands at the end of the flow. Use the same server on which the Orbit API is installed.

Setting: Audience (EntityID)
  Value: https://AptecoLoginApi
  Details: An identifier used by Apteco; it must match the Name setting in the Orbit Login Service SSO config (details below).

Setting: Recipient
  Value: https://<server name>/OrbitAPI/ExternalLogin/AssertionConsumerService
  Details: The URL where the Orbit Login API (the SSO API) is installed.

Setting: ACS (Consumer) URL Validator*
  Value: https://<server name>/OrbitAPI/ExternalLogin/AssertionConsumerService
  Details: The URL where the Orbit Login API (the SSO API) is installed.

Setting: ACS (Consumer) URL*
  Value: https://<server name>/OrbitAPI/ExternalLogin/AssertionConsumerService
  Details: The URL where the Orbit Login API (the SSO API) is installed.

Setting: Single Logout URL
  Value: https://<server name>/OrbitAPI/ExternalLogin/SingleLogoutService
  Details: The URL where the Orbit Logout API (the SSO API) is installed.

Note: You can leave the remaining settings on Configuration as default.

Single sign-on

To set up single sign-on in OneLogin:

  1. Create Certificate and Endpoint at OneLogin.

  2. For the SAML Signature Algorithm, select SHA-256 or stronger.

    The Issuer URL, SAML endpoint and SLO endpoint shown on this tab are used later in the Orbit Login (SSO) configuration.

  3. Click Save.

Certificates

To set up certificates in OneLogin:

  1. Click Security, then Certificates.

  2. Select the Standard Strength Certificate (2048-bit).

  3. Set the SHA fingerprint to match the SAML Signature Algorithm chosen above (at least SHA-256).

  4. Click Download.

  5. Move the onelogin.pem certificate to the OrbitLoginService\Certificates Directory (standard install is C:\Program Files (x86)\Apteco\OrbitLoginService\Certificates).

Orbit Configuration

How to configure Orbit to use a Login Service is covered in the article Orbit login service.

Configure Orbit Login Service

At the moment, the Orbit Login Service doesn't have a configurator, meaning that the appsettings.json file needs to be edited in a text editor. The default installation location for the Orbit Login Service is C:\Program Files (x86)\Apteco\OrbitLoginService.

Under SAML > Configurations > LocalServiceProviderConfiguration are the entries that the Login Service uses to make the SSO requests. These settings must match exactly what is entered in the OneLogin configuration.

Setting: Name
  Value: https://AptecoLoginApi
  Details: Must exactly match Audience (EntityID) in OneLogin.

Setting: AssertionConsumerServiceUrl
  Value: https://<server name>/OrbitAPI/ExternalLogin/AssertionConsumerService
  Details: Must exactly match Recipient in OneLogin.

Setting: SingleLogoutServiceUrl
  Value: https://<server name>/OrbitAPI/ExternalLogin/SingleLogoutService
  Details: Must exactly match Single Logout URL in OneLogin.

Under PartnerIdentityProviderConfigurations are all the different identity providers that Apteco has partnered with. The following settings need to be edited under the entry whose Description is OneLogin. These settings must match exactly what is shown on the OneLogin SSO tab.

Setting: Name
  Value: https://app.onelogin.com/saml/metadata/<IssuerURL>
  Details: Must exactly match Issuer URL in OneLogin.

Setting: SingleSignOnServiceUrl
  Value: https://apteco.onelogin.com/trust/saml2/http-post/sso/1234567
  Details: Taken from the SAML endpoint on the OneLogin SSO tab; the trailing Id must be the same digits as in the Single Logout Service URL below.

Setting: SingleLogoutServiceUrl
  Value: https://apteco.onelogin.com/trust/saml2/http-redirect/slo/1234567
  Details: Must exactly match SLO Endpoint in OneLogin.

Set PartnerName to the same value as the Name in the OneLogin entry under PartnerIdentityProviderConfigurations, so that the Login Service knows to use this provider.

Update AllowedReturnUrlOrigins to the origin of the web server (https://<server name>).
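Because every one of the settings above has to agree with a value typed into OneLogin, it is worth checking the two sides against each other before testing a login. The following Python check is added here as an example and is not part of Apteco's software or this article; the appsettings.json content, host name, GUID and app ids in it are constructed, and the sample deliberately contains two of the mismatches the tables warn about (a SingleLogoutServiceUrl that points at the ACS endpoint, and SSO and SLO endpoints with different app ids).

```python
import re
# Constructed appsettings.json content as a dict (not the page's own file); the lines marked "wrong" carry mismatches.
SAMPLE_APPSETTINGS = {
    "SAML": {"Configurations": [{
        "LocalServiceProviderConfiguration": {
            "Name": "https://AptecoLoginApi",
            "AssertionConsumerServiceUrl": "https://orbit.example.com/OrbitAPI/ExternalLogin/AssertionConsumerService",
            # wrong: the ACS path was pasted instead of .../SingleLogoutService
            "SingleLogoutServiceUrl": "https://orbit.example.com/OrbitAPI/ExternalLogin/AssertionConsumerService",
        },
        "PartnerIdentityProviderConfigurations": [{
            "Name": "https://app.onelogin.com/saml/metadata/00000000-example-guid",
            "SingleSignOnServiceUrl": "https://apteco.onelogin.com/trust/saml2/http-post/sso/1234567",
            # wrong: the app id differs from the one in the SSO endpoint
            "SingleLogoutServiceUrl": "https://apteco.onelogin.com/trust/saml2/http-redirect/slo/7654321",
        }],
    }]},
    "PartnerName": "https://app.onelogin.com/saml/metadata/00000000-example-guid",
}
# Values read off the OneLogin Configuration and SSO tabs (constructed to match the sample).
ONELOGIN = {
    "Audience": "https://AptecoLoginApi",
    "Recipient": "https://orbit.example.com/OrbitAPI/ExternalLogin/AssertionConsumerService",
    "SingleLogoutUrl": "https://orbit.example.com/OrbitAPI/ExternalLogin/SingleLogoutService",
    "IssuerUrl": "https://app.onelogin.com/saml/metadata/00000000-example-guid",
}
def check_config(cfg, onelogin):
    """Return mismatches between appsettings.json and the OneLogin app; an empty list means consistent."""
    conf = cfg["SAML"]["Configurations"][0]
    sp = conf["LocalServiceProviderConfiguration"]
    idps = {p["Name"]: p for p in conf["PartnerIdentityProviderConfigurations"]}
    # Unreplaced <...> placeholders are a misconfiguration in themselves.
    values = [v for d in (sp, *idps.values(), cfg) for v in d.values() if isinstance(v, str)]
    problems = [f"placeholder left in {v}" for v in values if re.search(r"<[^>]+>", v)]
    # Service-provider side must equal the OneLogin Configuration tab entries.
    for key, ol in (("Name", "Audience"), ("AssertionConsumerServiceUrl", "Recipient"),
                    ("SingleLogoutServiceUrl", "SingleLogoutUrl")):
        if sp.get(key) != onelogin[ol]:
            problems.append(f"SP {key} != OneLogin {ol}")
    # PartnerName must select the OneLogin entry; its Name is the Issuer URL and its SSO/SLO app ids match.
    idp = idps.get(cfg.get("PartnerName"))
    if idp is None:
        problems.append("PartnerName matches no PartnerIdentityProviderConfigurations Name")
    else:
        if idp["Name"] != onelogin["IssuerUrl"]:
            problems.append("IdP Name != OneLogin Issuer URL")
        sso_id, slo_id = (idp[k].rsplit("/", 1)[-1] for k in ("SingleSignOnServiceUrl", "SingleLogoutServiceUrl"))
        if sso_id != slo_id:
            problems.append(f"SSO id {sso_id} != SLO id {slo_id}")
    return problems
```

To use it on a real install, load the file with json.load and fill ONELOGIN from the OneLogin portal; an empty result means the two sides agree.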

Example

Below is an example of the appsettings.json for an Orbit Login Service using OneLogin. Where the <> tags are, the settings need to be updated. The LocalCertificates password and the JWT Key shown are example values and must be replaced with your own.

{
  "Serilog": {
    "MinimumLevel": {
      "Default": "Debug",
      "Override": {
        "Microsoft": "Warning",
        "System": "Warning",
        "ComponentSpace.Saml2": "Warning"
      }
    },
    "WriteTo": [
      {
        "Name": "Trace"
      },
      {
        "Name": "RollingFile",
        "Args": {
          "pathFormat": "C:\\temp\\Orbit\\Logs\\OrbitLogin-{Date}.txt"
        }
      }
    ],
    "Enrich": [ "FromLogContext", "WithMachineName", "WithThreadId" ]
  },
  "Kestrel": {
    "Endpoints": {
      "Http": {
        "Url": "http://localhost:5005"
      }
    }
  },
  "AllowedHosts": "*",
  "SAML": {
    "$schema": "https://www.componentspace.com/schemas/saml-config-schema-v1.0.json",
    "Configurations": [
      {
        "LocalServiceProviderConfiguration": {
          "Name": "https://AptecoLoginApi",
          "Description": "Apteco Orbit Login API",
          "AssertionConsumerServiceUrl": "https://<WebServer>/OrbitAPI/ExternalLogin/AssertionConsumerService",
          "SingleLogoutServiceUrl": "https://<WebServer>/OrbitAPI/ExternalLogin/SingleLogoutService",
          "LocalCertificates": [
            {
              "FileName": "certificates/sp.pfx",
              "Password": "password"
            }
          ]
        },
        "PartnerIdentityProviderConfigurations": [
          {
            "Name": "https://app.onelogin.com/saml/metadata/<OneLoginGUID>",
            "Description": "OneLogin",
            "DisableDestinationCheck": "true",
            "DisableRecipientCheck": "true",
            "SingleSignOnServiceUrl": "https://apteco.onelogin.com/trust/saml2/http-post/sso/<OneLogin Id>",
            "SingleLogoutServiceUrl": "https://apteco.onelogin.com/trust/saml2/http-redirect/slo/<OneLogin Id>",
            "PartnerCertificates": [
              {
                "FileName": "certificates/onelogin.pem"
              }
            ]
          }
        ]
      }
    ]
  },
  "PartnerName": "https://app.onelogin.com/saml/metadata/<OneLoginGUID>",
  "JWT": {
    "Key": "VerySecretAptecoJWTKey",
    "Issuer": "https://AptecoLoginApi"
  },
  "AllowedReturnUrlOrigins": "https://<WebServer>"
}

You must now Configure Apteco to use SSO to complete the setup process.