
Remote Authentication

Thomas Pedersen
posted this on February 03, 2010 09:43 am

Remote authentication is a mechanism through which OneLogin users can be authenticated automatically, with the help from another trusted source that the user might already be authenticated against, such as Active Directory. 
The authentication mechanism relies on shared keys for validating the authentication message. It is not required for the company to open up firewalls or change other security settings.

How it works

OneLogin’s remote authentication mechanism leverages Windows Integrated Authentication, provided by MS Internet Information Server (IIS), the web server of choice in Windows environments. IIS has the ability to identify visitors based on their username in Active Directory, as long as the server IIS is installed on is also part of the same domain. 

For detailed information on Windows Integrated Authentication:

http://msdn.microsoft.com/en-us/library/aa292114(VS.71).aspx

Note that you do not have to allow public internet access to your webserver in order to use it for remote authentication for OneLogin.
A remote authentication script carrying your OneLogin account's secret key is installed in IIS and protected by Windows Integrated Authentication. The following describes a common usage scenario of OneLogin’s remote authentication:

  1. The user (an employee in your organization) logs into their computer, which is on the corporate network either physically or via VPN. The user enters their Active Directory username and password to log in to the PC. 
  2. Once logged in, Internet Explorer is opened, and the user who wants to access one of the SaaS applications that the organization uses, clicks the OneLogin padlock in the browser toolbar.
  3. The OneLogin website is contacted and detects that the user originates from the IP address that has been preconfigured in the OneLogin administration pages. This initiates the remote authentication process.
  4. OneLogin redirects the user to the remote authentication script that is installed on the IIS web server. The web server might be serving the company intranet on the corporate LAN, and might not have public internet access. For this reason, the URL for the webserver has a LAN IP-address or local host name in it (e.g. http://intranet/ or http://192.168.1.100). The user’s browser can be redirected to this URL, because the browser has both internet- and LAN access at the same time. 
  5. When the user’s browser requests the remote authentication script, Windows Integrated Authentication comes into play, and verifies the user’s identity in Active Directory. The result will usually be in the form DOMAIN/username. The remote authentication script uses this information to query AD through LDAP for the user’s full name and email address. This information is combined into parameters on a URL, which is used to authenticate the user against OneLogin. The URL has the following format:

    https://app.onelogin.com/sessions/remote/?firstname=(firstname)&lastname=(lastname)&email=(email)&accountid=(accountid)&timestamp=(timestamp)&hash=(MD5(firstname+lastname+email+secret+timestamp))
  6. OneLogin also holds the secret key. It uses the key to compute the hash from the information provided and compares the received hash against the computed hash. If the two hashes match, and the timestamp matches the current system time within a certain margin, it is verified that the name and email are from a trusted source, and that the data hasn’t been tampered with during transmission.
  7. The OneLogin dashboard is shown, and the user has access to all the SaaS products enabled on his or her account. 

To ensure that only the intended audience is logged into OneLogin by the means of remote authentication, the account admin should always provide the company’s public IP address. OneLogin uses this to identify the organization, and make sure that only users from that network can be authenticated using OneLogin’s secret key.

Launching an application

You have the option to let OneLogin launch an application (such as Salesforce or Google Apps) as a part of this process. This provides a very smooth user experience where a user can click on a link in your intranet and get logged into the application directly without any further user interaction needed. To launch an app directly, add the launch parameter to the above URL. The value of that parameter can be determined by going to Company Apps and editing the app. In the sidebar you'll find two links. The top link contains a number which is the app ID. The modified URL will have this format:

https://app.onelogin.com/sessions/remote/?firstname=(firstname)&lastname=(lastname)&email=(email)&accountid=(accountid)&timestamp=(timestamp)&hash=(MD5(firstname+lastname+email+secret+timestamp))&launch=(appID) 
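The following is an added example, not OneLogin's own remote authentication script, showing both sides of the exchange described in steps 5 and 6 above and the optional launch parameter from this section: one function builds the URL with the MD5 hash over firstname+lastname+email+secret+timestamp exactly as the article states it, and a second function performs the check OneLogin does on receipt (timestamp within a window, then hash comparison). The function names, the assumption that the timestamp is Unix epoch seconds, the 300-second tolerance and the sample user data are all constructed for this example and are not given on the page.

```python
"""Added example (not OneLogin's code): build and verify the remote-auth URL."""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

REMOTE_AUTH_ENDPOINT = "https://app.onelogin.com/sessions/remote/"


def compute_hash(firstname, lastname, email, secret, timestamp):
    """MD5 over the plain concatenation in the order the article gives."""
    message = f"{firstname}{lastname}{email}{secret}{timestamp}"
    return hashlib.md5(message.encode("utf-8")).hexdigest()


def build_remote_auth_url(firstname, lastname, email, accountid, secret,
                          timestamp=None, launch=None):
    """Build the URL the IIS-side script redirects the browser to.

    timestamp is assumed (not stated on the page) to be Unix epoch seconds.
    launch is the optional app ID from the 'Launching an application' section.
    """
    if timestamp is None:
        timestamp = int(time.time())
    params = {
        "firstname": firstname,
        "lastname": lastname,
        "email": email,
        "accountid": accountid,
        "timestamp": timestamp,
        "hash": compute_hash(firstname, lastname, email, secret, timestamp),
    }
    if launch is not None:
        params["launch"] = launch
    return REMOTE_AUTH_ENDPOINT + "?" + urlencode(params)


def verify_remote_auth_url(url, secret, now=None, max_skew=300):
    """Receiver-side check from step 6: returns (ok, reason).

    The 300 s tolerance is an assumed value; the page only says 'a certain margin'.
    """
    if now is None:
        now = int(time.time())
    query = parse_qs(urlparse(url).query)
    required = ("firstname", "lastname", "email", "accountid", "timestamp", "hash")
    try:
        fields = {k: query[k][0] for k in required}
    except KeyError as exc:
        return False, f"missing parameter {exc.args[0]}"
    try:
        ts = int(fields["timestamp"])
    except ValueError:
        return False, "bad timestamp"
    # Reject replayed or stale messages before doing any hash work.
    if abs(now - ts) > max_skew:
        return False, "timestamp outside window"
    expected = compute_hash(fields["firstname"], fields["lastname"],
                            fields["email"], secret, fields["timestamp"])
    # Constant-time comparison so the check does not leak via timing.
    if not hmac.compare_digest(expected, fields["hash"].lower()):
        return False, "hash mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample data; the secret and account ID are placeholders.
    ts = 1265190000
    url = build_remote_auth_url("Ada", "Lovelace", "ada@example.com",
                                "12345", "topsecret", timestamp=ts, launch="678")
    print(url)
    print(verify_remote_auth_url(url, "topsecret", now=ts))
    print(verify_remote_auth_url(url, "topsecret", now=ts + 3600))
```

Note that accountid and launch are carried on the URL but are not part of the hashed string, which matches the format given above; the receiver therefore relies on the preconfigured public IP address (step 3 and the paragraph after step 7) to tie the request to the right organization rather than on the hash.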

Browser support

The procedure above will work with any browser on any platform, but only NTLM-capable browsers in an NTLM-capable environment will perform the authentication without prompting the user for a network username and password. Currently, that is supported by Internet Explorer, Chrome, Safari and Firefox running on Windows.