OneLogin

This guide will show you how to integrate GoodAccess with OneLogin SSO/SCIM.

This feature is available in the Premium plan and higher.

Step 1 - Adding a new identity provider

Log in to the GoodAccess Control Panel, and go to Settings > SSO & Identity.

Click + Add provider, enter the Provider name, choose your Identity Provider, and click Continue.

Step 2 - Setting up Single Sign-On with SAML

Log in to the OneLogin Admin console, and go to Applications > Applications.

Click Add App, and select SCIM Provisioner with SAML (SCIM v2 Enterprise, full SAML) (you can use the search bar).

Give the application a name, and click Save.

OneLogin Admin console with key steps to adding a new custom SAML application.
Adding a new custom SAML application

1. Configuration

Go to Configuration, and copy the details from GoodAccess - (2) GoodAccess links.

  • SAML Audience URL - Entity ID

  • RelayState - Relay State

  • ACS (Consumer) URL - Assertion Consumer Service URL

  • Login URL - Login URL

  • SAML initiator - OneLogin

  • SAML nameID format - Email

Leave the rest at default values.

Return to GoodAccess, and click Continue.

Return to OneLogin.

OneLogin Admin console with key steps to setting up the "Configuration".
Setting up the Configuration

2. Parameters

Go to Parameters, and click ( + ).

  • Name - "email" (without quotes)

  • Value - Email

  • Flags - Check Include in SAML assertion

Click Save.

OneLogin Admin console with key steps to setting up the "Parameters".
Setting up the Parameters

3. SSO

Go to SSO, and set SAML Signature Algorithm to SHA-256.

Click Save, then copy the details to GoodAccess - (3) Identity Provider links, and click Continue.

  • Sign in URL - SAML 2.0 Endpoint (HTTP)

  • Entity ID - Issuer URL

  • X509 signing certificate - Click View Details and copy the certificate

OneLogin Admin console with key steps to setting up the "SSO".
Setting up the SSO

If you don't want to set up SCIM, skip the next step in GoodAccess, and click Submit to finish the configuration.

You have now successfully set up your OneLogin SSO with GoodAccess.

Step 3 (optional) - Setting up SCIM

1. API Connection

In the application, go to Configuration, and scroll down to the bottom of the page.

Copy the URL and Token from GoodAccess - (4) User provisioning (SCIM).

Copy the below code into SCIM JSON Template:

{
  "schemas": [
    "urn:scim:schemas:core:2.0",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
  ],
  "userName": "{$user.email}",
  "displayName": "{$user.email}",
  "externalId": "{$user.id}",
  "name": {
    "familyName": "{$user.lastname}",
    "givenName": "{$user.firstname}",
    "formatted": "{$user.display_name}"
  },
  "emails": [{
    "value": "{$user.email}",
    "type": "work",
    "primary": true
  }]
}

Return to GoodAccess, and click Submit.

Return to OneLogin, click Save, and Enable to confirm your settings.

OneLogin Admin console with key steps to setting up the "API Connection".
Setting up the API Connection

2. (optional) Adding groups to provisioning

Go to Parameters, and open the existing Groups parameter. Here, check Include in User Provisioning, and click Save.

Go to Provisioning > Entitlements, and click Refresh.

OneLogin Admin console with key steps to adding groups to provisioning.
Adding groups to provisioning

3. Starting the provisioning

Go to Provisioning, check Enable provisioning, and click Save.

OneLogin Admin console with key steps to starting the provisioning.
Starting the provisioning

The whole provisioning process will take around 20 minutes to complete depending on the number of members and groups being added.

You have now successfully set up OneLogin SCIM with GoodAccess.

Step 4 - Managing user access

Go to Access, choose which roles should have access and click Save.

OneLogin Admin console with key steps to managing user access.
Managing user access
