# OneLogin

{% hint style="info" %}
This feature is available in the **Premium plan and higher**.
{% endhint %}

{% hint style="danger" %}
**Remember to** [**grant your OneLogin users access permissions**](#step-4-managing-user-access) **to GoodAccess. Users without them won't be able to log in.**
{% endhint %}

## Step 1 - Adding a new identity provider <a href="#step-1-adding-a-new-identity-provider" id="step-1-adding-a-new-identity-provider"></a>

[Log in to the GoodAccess **Control Panel**, and go to **Settings** > **SSO & Identity**.](https://app.goodaccess.com/sso-and-identity/)

Click **+ Add provider**, enter the **Provider name**, choose your **Identity Provider**, and click **Continue**.

## Step 2 - Setting up Single Sign-On with SAML <a href="#step-2-setting-up-single-sign-on-with-saml" id="step-2-setting-up-single-sign-on-with-saml"></a>

Log in to the [OneLogin Admin console](https://app.onelogin.com/login), and go to **Applications** > **Applications**.

Click **Add App**, and select **SCIM Provisioner with SAML (SCIM v2 Enterprise, full SAML)** (you can use the search bar).

Give the application a name, and click **Save**.

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FB0lAs0KKe7yyoPMR3Hei%2FFeatures_SSO_OneLogin_01.png?alt=media&#x26;token=7ba1a286-9365-4b0f-be60-63be2d4b78ff" alt="OneLogin Admin console with key steps to adding a new custom SAML application."><figcaption><p>Adding a new custom SAML application</p></figcaption></figure>

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2F058FuplUFXKFDa3sLBdz%2FFeatures_SSO_OneLogin_02.png?alt=media&#x26;token=b4915107-5c3c-43ff-a573-2feb0a45b4fa" alt="OneLogin Admin console with key steps to adding a new custom SAML application."><figcaption><p>Adding a new custom SAML application</p></figcaption></figure>

### 1. Configuration

Go to **Configuration**, and copy the details from GoodAccess - **(2) GoodAccess links**.

* **SAML Audience URL** - Entity ID
* **RelayState** - Relay State
* **ACS (Consumer) URL** - Assertion Consumer Service URL
* **Login URL** - Login URL
* **SAML initiator** - OneLogin
* **SAML nameID format** - Email

Leave the rest at default values.

Return to GoodAccess, and click **Continue**.

Return to OneLogin.

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FROxRwTqdM5SgDyk3AN2k%2FFeatures_SSO_OneLogin_03.png?alt=media&#x26;token=1940d0e6-8734-4b46-8be3-ce8664d489aa" alt="OneLogin Admin console with key steps to setting up the &#x22;Configuration&#x22;."><figcaption><p>Setting up the Configuration</p></figcaption></figure>

### 2. Parameters

Go to **Parameters**, and click **( + )**.

* **Name** - "email" (without quotes)
* **Value** - Email
* **Flags** - Check Include in SAML assertion

Click **Save**.

<div><figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FF0T3lv5QAetTvun1fCNY%2FFeatures_SSO_OneLogin_04.png?alt=media&#x26;token=d2f86cb1-48e3-47a5-9337-73dfd0fd0aa9" alt="OneLogin Admin console with key steps to setting up the &#x22;Parameters&#x22;." width="563"><figcaption><p>Setting up the Parameters</p></figcaption></figure> <figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FIkHWUMih55crIJLTePHD%2FFeatures_SSO_OneLogin_05.png?alt=media&#x26;token=6eb3e9a1-c622-4198-b4c0-147ed1630e5a" alt="OneLogin Admin console with key steps to setting up the &#x22;Parameters&#x22;." width="279"><figcaption><p>Setting up the Parameters</p></figcaption></figure></div>

### 3. SSO

Go to **SSO**, and set **SAML Signature Algorithm** to **SHA-256**.

Click **Save**, then copy the details to GoodAccess - **(3) Identity Provider links**, and click **Continue**.

* **Sign in URL** - SAML 2.0 Endpoint (HTTP)
* **Entity ID** - Issuer URL
* **X509 signing certificate** - Click **View Details** and copy the certificate

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2F7cbG7YNvbz5VbZdiH4jz%2FFeatures_SSO_OneLogin_06.png?alt=media&#x26;token=bc848021-7400-40db-88bf-9d62c73cdc95" alt="OneLogin Admin console with key steps to setting up the &#x22;SSO&#x22;."><figcaption><p>Setting up the SSO</p></figcaption></figure>

{% hint style="info" %}
If you don't want to set up SCIM, skip the next step in GoodAccess, and click **Submit** to finish the configuration.
{% endhint %}

You have now successfully set up your OneLogin SSO with GoodAccess.
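To confirm that the settings from Step 2 actually reach the service provider, you can inspect a decoded assertion captured from a test login. The following is an added example, not GoodAccess or OneLogin code; the function names, the sample assertion, and the audience URL are constructed placeholders, and the check reads declared values only without verifying the signature itself.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def check_assertion(xml_text, expected_audience):
    """Return findings for a decoded SAML assertion; an empty list means it matches the guide.

    Inspects declared values only. It does not verify the XML signature, and it is
    meant for an assertion captured from your own test login, not untrusted input.
    """
    root = ET.fromstring(xml_text)
    findings = []

    # Section "3. SSO": SAML Signature Algorithm must be SHA-256.
    method = root.find(".//ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None:
        findings.append("assertion is not signed")
    elif not method.get("Algorithm", "").endswith("-sha256"):
        findings.append("signature algorithm is not SHA-256: " + method.get("Algorithm", ""))

    # Section "1. Configuration": SAML nameID format = Email, Audience = Entity ID.
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        findings.append("NameID format is not Email")
    audiences = [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        findings.append("Audience does not match the GoodAccess Entity ID")

    # Section "2. Parameters": an attribute named exactly "email" must be included.
    values = root.findall(".//saml:Attribute[@Name='email']/saml:AttributeValue", NS)
    if not any((v.text or "").strip() for v in values):
        findings.append("no 'email' attribute in the assertion")
    return findings

# Constructed sample, not a real OneLogin response; the audience URL is a placeholder.
AUDIENCE = "https://sp.example.test/entity-id"

def sample(sig_alg, attr_name, audience=AUDIENCE):
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{sig_alg}"/></ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">user@example.test</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="{attr_name}"><saml:AttributeValue>user@example.test</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(check_assertion(sample("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "email"), AUDIENCE))
    print(check_assertion(sample("http://www.w3.org/2000/09/xmldsig#rsa-sha1", "User.email"), AUDIENCE))
```

Pass the Entity ID shown in GoodAccess under **(2) GoodAccess links** as `expected_audience` when checking a real assertion.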

## Step 3 (optional) - Setting up SCIM

### 1. API Connection

In the application, go to **Configuration**, and scroll down to the bottom of the page.

Copy the **URL** and **Token** from GoodAccess - **(4) User provisioning (SCIM)**.

Copy the code below into **SCIM JSON Template**:

```json
{
  "schemas": [
    "urn:scim:schemas:core:2.0",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
  ],
  "userName": "{$user.email}",
  "displayName": "{$user.email}",
  "externalId": "{$user.id}",
  "name": {
    "familyName": "{$user.lastname}",
    "givenName": "{$user.firstname}",
    "formatted": "{$user.display_name}"
  },
  "emails": [{
    "value": "{$user.email}",
    "type": "work",
    "primary": true
  }]
}
```

Return to GoodAccess, and click **Submit**.

Return to OneLogin, click **Save**, and **Enable** to confirm your settings.

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FhFpeMYxEK4V8QgGKjwTq%2FFeatures_SSO_OneLogin_07.png?alt=media&#x26;token=1e27d358-81a3-4607-a56e-63680ba7ef70" alt="OneLogin Admin console with key steps to setting up the &#x22;API Connection&#x22;."><figcaption><p>Setting up the API Connection</p></figcaption></figure>

### 2. (optional) Adding groups to provisioning

{% hint style="danger" %}
During our testing, this feature was not supported by the default SCIM connector. However, it is possible the identity provider has implemented it by now.
{% endhint %}

Go to **Parameters**, and open the existing **Groups** parameter. Here, check **Include in User Provisioning**, and click **Save**.

Go to **Provisioning** > **Entitlements**, and click **Refresh**.

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FlFjrof4mgij62RRaA72B%2FFeatures_SSO_OneLogin_08.png?alt=media&#x26;token=fda65b9e-f768-49b3-bbea-db8e7410c87d" alt="OneLogin Admin console with key steps to adding groups to provisioning." width="479"><figcaption><p>Adding groups to provisioning</p></figcaption></figure>

### 3. Starting the provisioning

Go to **Provisioning**, check **Enable provisioning**, and click **Save**.

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FpsGXbk4eIsaalTt6gFeT%2FFeatures_SSO_OneLogin_08.png?alt=media&#x26;token=3f0b5fa7-213c-484e-9b72-ef4362b4b44f" alt="OneLogin Admin console with key steps to starting the provisioning."><figcaption><p>Starting the provisioning</p></figcaption></figure>

{% hint style="info" %}
The whole provisioning process will take around **20 minutes** to complete, depending on the number of members and groups being added.
{% endhint %}

You have now successfully set up OneLogin SCIM with GoodAccess.

## Step 4 - Managing user access

Go to **Access**, choose which roles should have access, and click **Save**.

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FTxPdiaAyXdkeRi6Fqxee%2FFeatures_SSO_OneLogin_10.png?alt=media&#x26;token=07312e69-8022-4f41-833f-fa71aa72561d" alt="OneLogin Admin console with key steps to managing user access."><figcaption><p>Managing user access</p></figcaption></figure>
