This topic describes how to configure ADFS and OneLogin to allow users to sign in to the OneLogin portal using ADFS as the trusted identity provider (IdP). It also describes how to enable users to log in directly to OneLogin-managed apps using ADFS. For general information about allowing users to sign in to OneLogin or OneLogin-managed apps using third-party identity providers, see Trusted IdP (Relying Party Trust).
This topic covers the following scenarios:
- Sign users into OneLogin using a SAML assertion from ADFS.
- Sign users directly into OneLogin-managed applications using a SAML assertion from ADFS. This allows ADFS to sign users securely into shared applications like Salesforce and Google Apps. Users do not need OneLogin accounts and do not require individual OneLogin licenses.
Allowing ADFS to sign users into OneLogin
- In ADFS, navigate to Trust Relationships > Relying Party Trust, and choose Add Relying Party Trust.
- OneLogin does not currently support a federation metadata URL, so select the "Enter data about the relying party manually" option and continue.
- The display name can be anything.
- Select the ADFS 2.0 profile and continue.
- Skip the optional token encryption certificate step (OneLogin does not require it).
- Enable support for the SAML 2.0 WebSSO protocol and enter the service URL: https://app.onelogin.com/sessions/saml
- Set the relying party trust identifier to: https://app.onelogin.com/sessions/saml
- Choose whether to permit or deny all users access to this relying party, according to your requirements.
- Add the trust endpoint https://app.onelogin.com/sessions/saml with a binding of POST, and click Finish.
- Open the properties of the newly created relying party trust, go to the Advanced tab, and select SHA-1 as the secure hash algorithm.
- Select Edit Claim Rules for the new trust and add a rule using the "Send LDAP Attributes as Claims" template. Select the LDAP attribute in the attribute store that contains the user's email address, and map it to the outgoing claim type E-Mail Address.
- Create a second rule using the "Transform an Incoming Claim" template. Set the incoming claim type to E-Mail Address and the outgoing claim type to Name ID, with the outgoing name ID format Email.
- Export your token-signing certificate from ADFS: go to Service > Certificates, open the details of the token-signing certificate, go to the Details tab, and select Copy to File... Convert the exported certificate to PEM format for configuration in OneLogin (for example, using the OpenSSL Win32 port).
- In OneLogin, go to Settings > Trusted IdP to configure your trusted IdP settings. If you have not yet created a trusted IdP for this ADFS account, click the New Trust button; if you have, select it from the list on the Trusted IdPs page. Under Issuer, enter the ADFS Federation Service identifier, in the format http://fully_qualified_domain_name/adfs/services/trust. Under Trusted IdP Certificate, paste the ADFS public certificate in PEM format (include the BEGIN CERTIFICATE and END CERTIFICATE lines). Select Sign users into OneLogin.
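The ADFS side of the steps above, as an added example (not OneLogin's documentation or Microsoft's code), done with the ADFS PowerShell cmdlets instead of the wizard. It assumes the cmdlets are available on the ADFS server, that the Active Directory `mail` attribute is the e-mail source for the claim rule, and an output path of C:\temp for the PEM file; all three are assumptions. It goes slightly beyond the steps by parameterizing the OneLogin URL, so the same script serves the app-specific SAML sign-on URL used in the next section.

```powershell
# Added example: creates the OneLogin relying party trust, the two claim rules,
# the permit-all authorization rule, the SHA-1 signature setting, and exports the
# primary token-signing certificate as PEM for the OneLogin Trusted IdP page.
# Run in an elevated PowerShell session on the ADFS server. On ADFS 2.0 load the
# snap-in first: Add-PSSnapin Microsoft.Adfs.PowerShell

# Identifier / assertion consumer URL from the steps above. For the
# "sign users into an app" scenario, substitute the app-specific SAML Sign-on URL.
$AcsUrl  = 'https://app.onelogin.com/sessions/saml'
$PemPath = 'C:\temp\adfs-token-signing.pem'   # assumed output path

# Claim type URIs used by the ADFS claim rule language.
$EmailClaim  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$NameIdClaim = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$FormatProp  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format'

# Rule 1: "Send LDAP Attributes as Claims" - AD attribute 'mail' (assumed) -> E-Mail Address.
# Rule 2: "Transform an Incoming Claim" - E-Mail Address -> Name ID with format Email.
$TransformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Email from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$EmailClaim"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "E-Mail Address to Name ID"
c:[Type == "$EmailClaim"]
 => issue(Type = "$NameIdClaim", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["$FormatProp"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
"@

# Issuance authorization: the "permit all users" choice from the wizard.
$AuthzRules = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# SAML 2.0 WebSSO assertion consumer endpoint with the POST binding.
$Endpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl -Index 0

# Create the relying party trust. SHA-1 is the algorithm the steps above select.
Add-AdfsRelyingPartyTrust -Name 'OneLogin' `
    -Identifier $AcsUrl `
    -SamlEndpoint $Endpoint `
    -ProtocolProfile SAML `
    -SignatureAlgorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' `
    -IssuanceTransformRules $TransformRules `
    -IssuanceAuthorizationRules $AuthzRules

# Export the primary token-signing certificate as PEM: base64 of the DER bytes in
# 64-character lines between BEGIN/END CERTIFICATE tags, as the OneLogin page expects.
$TokenSigning = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$Base64 = [Convert]::ToBase64String($TokenSigning.Certificate.RawData)
$Lines  = [regex]::Matches($Base64, '.{1,64}') | ForEach-Object { $_.Value }
$Pem    = @('-----BEGIN CERTIFICATE-----') + $Lines + @('-----END CERTIFICATE-----')
Set-Content -Path $PemPath -Value $Pem -Encoding Ascii

# Values to enter on the OneLogin Trusted IdP page.
"Issuer for OneLogin: $((Get-AdfsProperties).Identifier)"
"Token-signing certificate (thumbprint $($TokenSigning.Thumbprint)) written to $PemPath"
```

Exporting the primary certificate matters because ADFS keeps a primary and a secondary token-signing certificate during automatic rollover; OneLogin verifies assertions with whichever certificate you paste, so after a rollover the Trusted IdP certificate has to be updated to match the new primary. The printed Issuer value is the federation service identifier that the OneLogin Issuer field expects.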
Allowing ADFS to sign users into an app
To configure ADFS to allow users to sign directly into applications, follow the instructions above with the following modifications.
You must create a Trusted IdP in OneLogin and configure it to let users sign in to applications:
- Go to Settings > Trusted IdP and click New Trust.
- Select Sign users into additional applications.
Throughout the ADFS relying party trust setup process, replace the URL https://app.onelogin.com/sessions/saml with an app-specific SAML sign-on URL. To generate this URL:
- In OneLogin, after you have enabled Sign users into additional applications, go to the Apps tab, and select the checkbox for your app.
- Select the app row to open the Details for app_name dialog, where you can view and copy the SAML Sign-on URL.
Important! If you have set up your app to require multi-factor authentication (MFA), you must modify the SAML Sign-on URL before you provide it to ADFS. Replace /sessions/saml?return_to=/launch/, as in the following example: