Setting up SSO with OneLogin
Introduction
Apteco offers single sign-on (SSO) with a few different providers. This article takes an administrator through the process of setting it up with OneLogin.
Create your OneLogin account
You can start a free OneLogin trial here: onelogin.com/free-trial
Once you have created and verified your OneLogin account, you can create the app.
You can alternatively configure this SSO provider to use OpenID Connect. That is a much simpler configuration than SAML because it does not require installing the Orbit Login Service; see the article Setting up SSO with OpenID Connect for details. To use SAML instead, follow the steps below.
Create App
To create your app in OneLogin:
- Log in to the OneLogin portal.
- Click Administration.
- Click Applications, then select Applications from the drop-down menu.
- Click Add App.
- Search for “SAML Custom Connector” and select SAML Custom Connector (Advanced).
- Change the Display Name and add icons.
- Click Save.
After saving, the app is generated and can then be configured. If the icons were not retained, add them again.
Configuration
Go to the Configuration tab and enter the following details:
Field | Value | Details |
---|---|---|
RelayState | https://<server name>/Orbit/en/external-login | Where the browser lands once login completes. Use the server on which the Orbit API is installed. |
Audience (EntityID) | https://AptecoLoginApi | A fixed identifier used by Apteco, not a real address. It must match the Name in the Orbit Login Service SSO configuration (details below). |
Recipient | https://<server name>/OrbitAPI/ExternalLogin/AssertionConsumerService | The Orbit Login API (the SSO API) endpoint that receives the SAML response. |
ACS (Consumer) URL Validator* | https://<server name>/OrbitAPI/ExternalLogin/AssertionConsumerService | OneLogin evaluates this field as a regular expression, and the literal URL matches itself. Keep it as narrow as this one URL: any URL that matches is accepted as a destination for assertions. |
ACS (Consumer) URL* | https://<server name>/OrbitAPI/ExternalLogin/AssertionConsumerService | The Orbit Login API (the SSO API) endpoint that receives the SAML response. |
Single Logout URL | https://<server name>/OrbitAPI/ExternalLogin/SingleLogoutService | The Orbit Logout API (the SSO API) endpoint that receives logout requests. |
Note: The remaining settings on the Configuration tab can be left at their defaults.
Single sign-on
To set up single sign-on in OneLogin:
- Create the certificate and endpoint at OneLogin.
- For the SAML Signature Algorithm, select SHA-256 or stronger. The Issuer URL, SAML 2.0 Endpoint and SLO Endpoint shown on this tab are used in the Orbit Login Service (SSO) configuration below.
- Click Save.
Certificates
To set up certificates in OneLogin:
- Click Security, then Certificates.
- Select the Standard Strength Certificate (2048-bit).
- Set the certificate's SHA fingerprint (signature algorithm) to SHA-256 or stronger, matching the SAML Signature Algorithm chosen above.
- Click Download.
- Move the downloaded onelogin.pem certificate to the OrbitLoginService\Certificates directory (in a standard install, C:\Program Files (x86)\Apteco\OrbitLoginService\Certificates). This is the public certificate the Login Service uses to verify OneLogin's signatures; it is the file referenced by PartnerCertificates in appsettings.json.
Orbit Configuration
For how to configure Orbit to use a Login Service, see Orbit login service.
Configure Orbit Login Service
At the moment, the Orbit Login Service doesn't have a configurator, so the appsettings.json file needs to be edited with a text editor. The default installation location for the Orbit Login Service is C:\Program Files (x86)\Apteco\OrbitLoginService.
Under SAML → Configurations → LocalServiceProviderConfiguration are the entries the Login Service uses to make SSO requests. These values must match the OneLogin configuration exactly.
Setting | Value | Details |
---|---|---|
Name | https://AptecoLoginApi | Must exactly match Audience (EntityID) in OneLogin |
AssertionConsumerServiceUrl | https://<server name>/OrbitAPI/ExternalLogin/AssertionConsumerService | Must exactly match Recipient (and the ACS URL) in OneLogin |
SingleLogoutServiceUrl | https://<server name>/OrbitAPI/ExternalLogin/SingleLogoutService | Must exactly match Single Logout URL in OneLogin |
Under PartnerIdentityProviderConfigurations are all the identity providers Apteco have partnered with. Edit the following settings in the entry whose Description is OneLogin. These values must match the OneLogin SSO tab exactly.
Setting | Value | Details |
---|---|---|
Name | https://app.onelogin.com/saml/metadata/<IssuerURL> | Must exactly match Issuer URL in OneLogin |
SingleSignOnServiceUrl | https://apteco.onelogin.com/trust/saml2/http-post/sso/1234567 | Must exactly match the SAML 2.0 Endpoint in OneLogin. The host is your OneLogin subdomain and the trailing digits are your app's id, the same digits that appear in the SLO Endpoint below |
SingleLogoutServiceUrl | https://apteco.onelogin.com/trust/saml2/http-redirect/slo/1234567 | Must exactly match SLO Endpoint in OneLogin |
Set PartnerName to the Name of the OneLogin entry in PartnerIdentityProviderConfigurations, so the Login Service knows to use this provider.
Set AllowedReturnUrlOrigins to the origin of the web server (scheme and host name only, with no path).
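The cross-references between these settings and the OneLogin tabs are easy to get wrong by hand. The Python script below is an added example for this article, not part of the Apteco product or the original page: it takes an appsettings.json of the shape shown in this article (loaded with the standard json module) and checks that no <> placeholders remain, that the SP Name and JWT Issuer agree, that the ACS and SLO URLs point at the two distinct OrbitAPI endpoints, that PartnerName selects exactly one provider whose SSO and SLO endpoints carry the same OneLogin id, that the DisableDestinationCheck/DisableRecipientCheck flags are flagged when set, that AllowedReturnUrlOrigins is the origin of the ACS host, and that the template JWT key has been replaced. The host names, ids and key in the embedded samples are constructed, and the 32-character key minimum is the script's own choice.

```python
"""Cross-check an Orbit Login Service appsettings.json (added example, not Apteco code).
Assumes the layout shown in this article: SAML.Configurations[0] holds the SP and partner
IdP sections; PartnerName, JWT and AllowedReturnUrlOrigins are top-level keys."""
import copy
import re
from urllib.parse import urlparse

PLACEHOLDER = re.compile(r"<[^>]+>")          # an un-replaced <...> template tag
TEMPLATE_JWT_KEY = "VerySecretAptecoJWTKey"   # the key shipped in the example below
ACS_SUFFIX = "/OrbitAPI/ExternalLogin/AssertionConsumerService"
SLO_SUFFIX = "/OrbitAPI/ExternalLogin/SingleLogoutService"


def walk_strings(node, path="$"):
    """Yield (json_path, value) for every string in the document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def check_settings(settings):
    """Return a list of problems; an empty list means the cross-references line up."""
    problems = []
    saml = settings["SAML"]["Configurations"][0]
    sp = saml["LocalServiceProviderConfiguration"]
    for path, value in walk_strings(settings):
        if PLACEHOLDER.search(value):
            problems.append(f"{path}: template placeholder {value!r} not replaced")
    # The SP Name is the Audience (EntityID) in OneLogin and also the JWT issuer.
    if sp["Name"] != settings["JWT"]["Issuer"]:
        problems.append("JWT.Issuer does not match LocalServiceProviderConfiguration.Name")
    # ACS and SLO must be HTTPS and point at the two distinct OrbitAPI endpoints.
    for key, suffix in (("AssertionConsumerServiceUrl", ACS_SUFFIX), ("SingleLogoutServiceUrl", SLO_SUFFIX)):
        if urlparse(sp[key]).scheme != "https" or not sp[key].endswith(suffix):
            problems.append(f"{key} should be https://<host>{suffix}")
    # PartnerName must select exactly one identity provider entry.
    chosen = [p for p in saml["PartnerIdentityProviderConfigurations"] if p["Name"] == settings["PartnerName"]]
    if len(chosen) != 1:
        problems.append("PartnerName does not match exactly one PartnerIdentityProviderConfigurations Name")
    else:
        idp = chosen[0]
        # OneLogin's SSO and SLO endpoints end in the same numeric app id.
        sso_id, slo_id = (idp[k].rstrip("/").rsplit("/", 1)[-1]
                          for k in ("SingleSignOnServiceUrl", "SingleLogoutServiceUrl"))
        if sso_id != slo_id:
            problems.append(f"OneLogin SSO id {sso_id} and SLO id {slo_id} differ")
        # These flags switch off SAML response checks; surface them so they are a conscious choice.
        for flag in ("DisableDestinationCheck", "DisableRecipientCheck"):
            if str(idp.get(flag, "false")).lower() == "true":
                problems.append(f"{flag} is true: responses addressed to another ACS URL are accepted")
    # AllowedReturnUrlOrigins is an https origin (no path) on the same host as the ACS URL.
    origin = urlparse(settings["AllowedReturnUrlOrigins"])
    if (origin.scheme != "https" or origin.path not in ("", "/")
            or origin.hostname != urlparse(sp["AssertionConsumerServiceUrl"]).hostname):
        problems.append("AllowedReturnUrlOrigins should be the https origin of the ACS URL host, no path")
    # The 32-character minimum is this script's choice, not an Apteco requirement.
    if settings["JWT"]["Key"] == TEMPLATE_JWT_KEY or len(settings["JWT"]["Key"]) < 32:
        problems.append("JWT.Key is the template default or shorter than 32 characters")
    return problems


# Constructed sample with fictitious host names, ids and key; same shape as the example below.
GOOD_SETTINGS = {
    "SAML": {"Configurations": [{
        "LocalServiceProviderConfiguration": {
            "Name": "https://AptecoLoginApi",
            "AssertionConsumerServiceUrl": "https://orbit.example.com" + ACS_SUFFIX,
            "SingleLogoutServiceUrl": "https://orbit.example.com" + SLO_SUFFIX},
        "PartnerIdentityProviderConfigurations": [{
            "Name": "https://app.onelogin.com/saml/metadata/11111111-2222-3333-4444-555555555555",
            "Description": "OneLogin",
            "SingleSignOnServiceUrl": "https://example.onelogin.com/trust/saml2/http-post/sso/1234567",
            "SingleLogoutServiceUrl": "https://example.onelogin.com/trust/saml2/http-redirect/slo/1234567"}]}]},
    "PartnerName": "https://app.onelogin.com/saml/metadata/11111111-2222-3333-4444-555555555555",
    "JWT": {"Key": "Qm4yXk9sZ1vT3bN8pL2wR6hJ0dF5gA7e", "Issuer": "https://AptecoLoginApi"},
    "AllowedReturnUrlOrigins": "https://orbit.example.com",
}

# The same file with the slips this article warns about: a <WebServer> tag left in, the SLO URL
# copied from the ACS URL, mismatched OneLogin ids, a disabled response check, the template key.
BAD_SETTINGS = copy.deepcopy(GOOD_SETTINGS)
_sp = BAD_SETTINGS["SAML"]["Configurations"][0]["LocalServiceProviderConfiguration"]
_sp["AssertionConsumerServiceUrl"] = "https://<WebServer>" + ACS_SUFFIX
_sp["SingleLogoutServiceUrl"] = _sp["AssertionConsumerServiceUrl"]
_idp = BAD_SETTINGS["SAML"]["Configurations"][0]["PartnerIdentityProviderConfigurations"][0]
_idp["SingleLogoutServiceUrl"] = "https://example.onelogin.com/trust/saml2/http-redirect/slo/7654321"
_idp["DisableDestinationCheck"] = "true"
BAD_SETTINGS["JWT"]["Key"] = TEMPLATE_JWT_KEY
```

To run it against a real installation, load the file with `json.load(open(path, encoding="utf-8-sig"))` (the BOM-tolerant codec, since Windows editors often add one) and pass the result to `check_settings`; the standard json module is strict, so a trailing comma left after the last provider entry will be reported as a parse error rather than silently accepted.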
Example
Below is an example appsettings.json for an Orbit Login Service using OneLogin. Where the <> tags appear, the settings need to be updated. Treat the JWT Key and the sp.pfx Password shown as placeholders too: replace them with your own long, random secrets before going live. The DisableDestinationCheck and DisableRecipientCheck entries switch off two of the SAML response checks (that the response was addressed to this server's ACS URL), so keep them set to true only if your deployment requires it.
```json
{
  "Serilog": {
    "MinimumLevel": {
      "Default": "Debug",
      "Override": {
        "Microsoft": "Warning",
        "System": "Warning",
        "ComponentSpace.Saml2": "Warning"
      }
    },
    "WriteTo": [
      {
        "Name": "Trace"
      },
      {
        "Name": "RollingFile",
        "Args": {
          "pathFormat": "C:\\temp\\Orbit\\Logs\\OrbitLogin-{Date}.txt"
        }
      }
    ],
    "Enrich": [ "FromLogContext", "WithMachineName", "WithThreadId" ]
  },
  "Kestrel": {
    "Endpoints": {
      "Http": {
        "Url": "http://localhost:5005"
      }
    }
  },
  "AllowedHosts": "*",
  "SAML": {
    "$schema": "https://www.componentspace.com/schemas/saml-config-schema-v1.0.json",
    "Configurations": [
      {
        "LocalServiceProviderConfiguration": {
          "Name": "https://AptecoLoginApi",
          "Description": "Apteco Orbit Login API",
          "AssertionConsumerServiceUrl": "https://<WebServer>/OrbitAPI/ExternalLogin/AssertionConsumerService",
          "SingleLogoutServiceUrl": "https://<WebServer>/OrbitAPI/ExternalLogin/SingleLogoutService",
          "LocalCertificates": [
            {
              "FileName": "certificates/sp.pfx",
              "Password": "password"
            }
          ]
        },
        "PartnerIdentityProviderConfigurations": [
          {
            "Name": "https://app.onelogin.com/saml/metadata/<OneLoginGUID>",
            "Description": "OneLogin",
            "DisableDestinationCheck": "true",
            "DisableRecipientCheck": "true",
            "SingleSignOnServiceUrl": "https://apteco.onelogin.com/trust/saml2/http-post/sso/<OneLogin Id>",
            "SingleLogoutServiceUrl": "https://apteco.onelogin.com/trust/saml2/http-redirect/slo/<OneLogin Id>",
            "PartnerCertificates": [
              {
                "FileName": "certificates/onelogin.pem"
              }
            ]
          }
        ]
      }
    ]
  },
  "PartnerName": "https://app.onelogin.com/saml/metadata/<OneLoginGUID>",
  "JWT": {
    "Key": "VerySecretAptecoJWTKey",
    "Issuer": "https://AptecoLoginApi"
  },
  "AllowedReturnUrlOrigins": "https://<WebServer>"
}
```
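The two Disable*Check entries in the example deserve a closer look. The Python below is an added example, not ComponentSpace or Apteco code: using only the standard library, it implements the two SAML 2.0 addressing checks those flags turn off (the Response's Destination attribute and the bearer SubjectConfirmationData's Recipient attribute must both equal the service provider's own ACS URL) and runs them over a constructed, unsigned response that OneLogin might have issued for a test environment but which is replayed at production. Signature verification, which a real SP performs before anything else, is out of scope; the host names, times and NameID are fictitious.

```python
"""What DisableDestinationCheck and DisableRecipientCheck switch off (added example,
not ComponentSpace or Apteco code). Implements the SAML 2.0 Destination and Recipient
checks over a constructed response; signature verification is out of scope."""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed, fictitious deployment: the production ACS URL and a test environment's.
PROD_ACS = "https://orbit.example.com/OrbitAPI/ExternalLogin/AssertionConsumerService"
TEST_ACS = "https://orbit-test.example.com/OrbitAPI/ExternalLogin/AssertionConsumerService"
IDP = "https://app.onelogin.com/saml/metadata/00000000-0000-0000-0000-000000000000"


def make_response(destination, recipient, subject="alice@example.com"):
    """Minimal unsigned SAML Response, constructed for the demo (no real IdP issued it)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{destination}">
  <saml:Issuer>{IDP}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{IDP}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>{subject}</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="2024-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def validate_addressing(response_xml, acs_url, disable_destination_check=False,
                        disable_recipient_check=False):
    """Return the addressing problems an SP at acs_url should reject the response for."""
    root = ET.fromstring(response_xml)
    problems = []
    # SAML 2.0 Core: when Destination is present, the receiver must check it names its own endpoint.
    destination = root.get("Destination")
    if not disable_destination_check and destination != acs_url:
        problems.append(f"Destination {destination!r} is not this SP's ACS URL")
    # Web Browser SSO profile: each bearer SubjectConfirmationData carries Recipient = the ACS URL.
    path = f".//saml:SubjectConfirmation[@Method='{BEARER}']/saml:SubjectConfirmationData"
    for scd in root.iterfind(path, NS):
        recipient = scd.get("Recipient")
        if not disable_recipient_check and recipient != acs_url:
            problems.append(f"Recipient {recipient!r} is not this SP's ACS URL")
    return problems


# A response addressed to the test environment, replayed at the production ACS URL.
REPLAYED = make_response(destination=TEST_ACS, recipient=TEST_ACS)

if __name__ == "__main__":
    print("checks on: ", validate_addressing(REPLAYED, PROD_ACS))
    print("checks off:", validate_addressing(REPLAYED, PROD_ACS, True, True))
```

With both checks enabled the replayed response is rejected twice over; with both flags set to true, as in the example configuration, the same response is accepted for production provided its signature verifies. If a deployment must keep the flags disabled (for example because a proxy changes the URL the service sees), that loss should be a recorded decision rather than a template default carried into production.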
You must now Configure Apteco to use SSO to complete the setup process.