Skip to main content

Set up SSO with OneLogin

Lisa Wong
Updated

Set up SSO with OneLogin

This topic walks you through how to set up Single Sign-On (SSO) between the Alida platform and OneLogin.

Note:

In some cases, only users that are members of verified domains can be added to your community. This occurs if the community-level SSO-only mode is enabled. In this case, a flag is displayed at the top of the SSO Settings page.

In some cases, users may be prevented from signing in with their email and password. This occurs if the domain-level SSO-only mode is enabled for selected domains. In this case, a flag is displayed at the top of the SSO Settings page. You can view the affected users by selecting Product Settings > Manage Users in the navigation bar. The SSO column displays a flag for users that are restricted to SSO login only.

If the SSO column is not included in the Manage Users table, no users are affected.

Create a OneLogin application

In this part of the workflow, you are creating the application tile that SSO users will click to access the Alida platform.

  1. Log in to OneLogin.
  2. Click Administration.
  3. Select Applications > Applications.
  4. Click Add App.
  5. Find and select SAML Custom Connector (Advanced).
  6. Enter a display name for the application, which will be the label on the SSO tile (for example, Alida).
  7. Click Save.

Start your OneLogin application configuration

After you create the application tile, you need to copy specific configuration values. You'll enter these values into Alida's SSO Setup page later.

  1. Click SSO.
  2. Copy the Issuer URL and store it for later use.

    Click the screenshot below to view a larger version.

  3. Click X.509 Certificate > View Details.
  4. Copy the X.509 Certificate and store it for later use.

    Click the screenshot below to view a larger version.

Install OneLogin SSO on a community

Enter the OneLogin configuration values into Alida's SSO Setup page.

Important: If you are migrating from the old SSO integration, do not generate your SSO configuration setting on the Alida SSO setup page until you are ready to proceed.

Users will be unable to authenticate from the time you generate these settings until you complete the SSO configuration in your Identity Provider.

Contact Technical Support to schedule your migration. You must have a member of the Alida Cloud Team available on a call to assist before the migration can proceed.

  1. Sign in to the Alida platform and switch to the desired community.
  2. Ensure that there's a user who matches the email of a potential SSO user (for example, bob.smith@example.com).

    This user must be part of the domain you added. This user must also be a user in the Alida community.

    For more information about adding new users to a community, see Add a user.

  3. Open Product Settings > SSO > Setup.
  4. In the Identity Provider drop-down list, select OneLogin.
  5. Under Issuer URL, enter the Issuer URL you copied earlier.
  6. Under X.509 Certificate, enter the X.509 certificate you copied earlier.
  7. Under Unique ID claim, enter userId.
  8. Under Email claim, enter email.
  9. Click Save and confirm.
  10. Copy the Single Sign-On URL and store it for later use.
  11. Copy the Audience Entity ID and store it for later use.

    Click the screenshot below to view a larger version.

Add and verify a domain

Add the registered domain that your company owns and that you use for employees' email addresses.

  1. Open Product Settings > SSO.
  2. Click the Domains tab.
  3. In the Add new domain field, type the domain value, select the Type (CNAME or TXT), and click Add Domain.

    For example, if a potential SSO user's email is bob.smith@example.com, you'd type example.com as the domain.

    The new entry is added to the domains list as an Unverified domain.

  4. Click the down-arrow to the left of the domain entry to display the DNS Record.
  5. Keep the browser tab that has the Alida Domains page open. Open a new browser tab to access your DNS site.
  6. Add the values from the Domains page to your DNS configuration.

    For both CNAME and TXT DNS records, the three required values are listed separated by spaces:

    • Add the first value as the owner or source name.
    • Add the second value as the DNS record type. It will either be CNAME or TXT.
    • Add the third value as the target or destination name.

    Example

    This example shows the two supported DNS record formats configured in AWS Route 53. The first is a TXT record, and the second is a CNAME record.

    • The first value in the DNS record is added as the Record Name field.
    • The second value in the DNS record is added as the Type field.
    • The third value in the DNS record is added as the Value/Route traffic to field.

  7. On the Alida Domains page, select Verify from the domain's action menu.

    The domain's status changes to Verified.

  8. Click Apply.
    The domain status changes from Verified to Active.

Complete your OneLogin application configuration

  1. Log in to OneLogin.
  2. Click Administration.
  3. Select Applications > Applications.
  4. Open your application (for example, Alida).
  5. Click Configuration.
  6. Under Audience (EntityID), enter the Audience Entity ID you copied earlier.
  7. Under ACS (Consumer) URL, enter the Single Sign-On URL you copied earlier.

    Click the screenshot below to view a larger version.

  8. Click Save.
  9. Click Parameters.
  10. Add the parameter email with value Email and flag Include in SAML assertion enabled.
  11. Add the parameter userId with value OneLogin ID and flag Include in SAML assertion enabled.
  12. Click Save.
  13. To ensure that the Alida app has the certificate containing all the necessary configured values, you should update the certificate entry in the SSO settings page:
    1. In OneLogin click SSO > Setup.
    2. Click X.509 Certificate > View Details.
    3. Copy the X.509 Certificate.
    4. In Alida, select Product Settings > SSO.
    5. Click Edit.
    6. Paste the certificate value in the X.509 Certificate text box.
    7. Click Save.

Add a user to the OneLogin application

In order for SSO to work, the same user must exist in OneLogin (with the Alida application added to that user) and in the Alida platform.

  1. Do one of the following:
    • Find and click the user you want to add (for example, bob.smith@example.com).
    • Add a new user.
      1. Select User > Users.
      2. Click New User.
      3. Enter:
        • First name: Any string
        • Last name: Any string
        • Email: A brand new email with the domain you added earlier
        • Username: Any string, but copying Email is recommended for uniqueness
      4. Click Save User.
  2. Click Applications.
  3. Add the application (for example, Alida).
  4. Click Continue.
  5. Click Save.

    Click the screenshot below to view a larger version.

Verify SSO login

  1. Ask the user you added (for example, bob.smith@example.com) to log in to OneLogin using their credentials.
  2. They user clicks the application's tile (for example, Alida).
    The community opens or they are able to switch to it.
Related information

Related articles

Powered by Zendesk