OneLogin

This guide will show you how to integrate GoodAccess with OneLogin SSO/SCIM.

This feature is available in the Premium plan and higher.

Remember to grant your OneLogin users access permissions to GoodAccess. Users without them won't be able to log in.

Step 1 - Adding a new identity provider

Click + Add provider, enter the Provider name, choose your Identity Provider, and click Continue.

Step 2 - Setting up Single Sign-On with SAML

Click Add App, and select SCIM Provisioner with SAML (SCIM v2 Enterprise, full SAML) (you can use the searchbar).

Give the application a name, and click Save.

1. Configuration

Go to Configuration, and copy the details from GoodAccess - (2) GoodAccess links.

SAML Audience URL - Entity ID
RelayState - Relay State
ACS (Consumer) URL - Assertion Consumer Service URL
Login URL - Login URL
SAML initiator - OneLogin
SAML nameID format - Email

Leave the rest at default values.

Return to GoodAccess, and click Continue.

Return to OneLogin.

2. Parameters

Go to Parameters, and click ( + ).

Name - "email" (without quotes)
Value - Email
Flags - Check Include in SAML assertion

Click Save.

3. SSO

Go to SSO, and set SAML Signature Algorithm to SHA-256.

Click Save, then copy the details to GoodAccess - (3) Identity Provider links, and click Continue.

Sign in URL - SAML 2.0 Endpoint (HTTP)
Entity ID - Issuer URL
X509 signing certificate - Click View Details and copy the certificate

If you don't want to setup SCIM, skip the next step in GoodAccess, and click Submit to finish the configuration.

You have now successfully set up your OneLogin SSO with GoodAccess.

Step 3 (optional) - Setting up SCIM

1. API Connection

In the application, go to Configuration, and scroll down to the bottom of the page.

Copy the URL and Token from GoodAccess - (4) User provisioning (SCIM).

Copy the below code into SCIM JSON Template:

{
  "schemas": [
    "urn:scim:schemas:core:2.0",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
  ],
  "userName": "{$user.email}",
  "displayName": "{$user.email}",
  "externalId": "{$user.id}",
  "name": {
    "familyName": "{$user.lastname}",
    "givenName": "{$user.firstname}",
    "formatted": "{$user.display_name}"
  },
  "emails": [{
    "value": "{$user.email}",
    "type": "work",
    "primary": true
  }]
}

Return to GoodAccess, and click Submit.

Return to OneLogin, click Save, and Enable to confirm your settings.

2. (optional) Adding groups to provisioning

During our testing, this feature was not supported by the default SCIM connector. However, it is possible the identity provider has implemented it by now.

Go to Parameters, and open the existing Groups parameter. Here, check Include in User Provisioning, and click Save.

Go to Provisioning > Entitlements, and click Refresh.