After you add an app to your OneLogin account, you can configure various options for your users.
Note: When you add an app from the Add App page, limited options are available. Portal enables you to edit the app name, icons, and whether the app appears at all. Connectors determine if this app will be configured through SAML or through a form, while Personal or Organizational App determines whether the app will be in the list of company apps or personal only.
After you save changes and add the app, more configuration options appear including Info, Configuration, Parameters, Rules, Single Sign-On, Access Control, Provisioning, and Users.
Under the Info tab, you can update the app display name, visibility, icons, the tab it appears under in the list of apps, and any notes that you want to associate with the application.
The Configuration tab is split into two parts: Application Details and API Connection. Under Application Details on top, you'll find fields that enable SAML integration, domain connectors, and settings that allow for single sign-on functionality. Below, under API Connection, you'll find fields for hooking into application APIs and allowing for user provisioning functionality with those apps.
The Parameters tab contains settings that allow for tight control over which OneLogin user fields are mapped to specific fields within the application. This determines which values within the application are mapped to specific values within OneLogin, and which entitlements are available for mapping to users in the Rules tab. It also allows you to specify whether the credentials are solely admin-configured, or shared amongst all users.
This affects user field associations for both single sign-on and user provisioning. Selecting one of these fields opens a small configuration pane where you can assign which value field from OneLogin will be associated with that value in the application. It also provides the option to include the value in the SAML assertion as it's passed through, and to include that value as the user is provisioned (if the application allows for provisioning).
Some values, such as Roles and Groups, will have an Edit Pane that contains the Name-Value relationship, but has been expanded to host two tables. This allows for a deeper level of attribute association, for example, a series of specific roles or groups that will be used in your organization. Below, you'll notice that the Role field can contain a variety of available roles for this application, but we've only selected the four values on the right to be associated with our users in our organization. By selecting Include in User Provisioning, these values will then be available for provisioning in the Rules.
Moving next to Rules, you'll find that this is essentially the entitlements mapping page that used to be found under the Provisioning tab in the previous version of the application configuration page. These mappings can affect both the OneLogin roles and groupings, as well as entitlements and attributes that will be associated with the user or groups of users when provisioning occurs. These entitlements will come directly from the Parameters tab, and will allow values configured there to be mapped out to users.
Selecting an existing rule, or generating a new rule by selecting New Rule, will open the rule mapping pane. Just as with entitlement and user mappings, this set of options will allow you to configure a mapping that ties users or groups of users to specific attributes inside of the application.
The example below shows an administrative mapping that makes all users that are a part of the 'Administrative Group' admins within Google Apps.
The Single Sign-On tab contains the SAML endpoint information used to allow integrations with other applications, while Assumed Sign-In allows admins currently assuming a user to log in to that user's applications. Below that, you'll find access to the currently associated X.509 certificate, the Issuer URL metadata, and both the SAML HTTP Endpoint and the HTTP Single Logout (SLO) endpoint.
Under the Access Control tab, select the roles and policies you want to associate with the application.
The Provisioning tab contains all options related to automating provisioning tasks. The top portion contains the Details and Workflow sections, where rules are defined as to how users are provisioned and de-provisioned within the application, while Entitlements contains just one option, Refresh Entitlements. Entitlement mappings have been moved to the Rules tab, where all entitlement mappings now exist.
Finally, the Users page shows all the users currently associated with the application and their provisioning state, if applicable. The provisioning state displays a color-coded backing to each user state: green for provisioned, yellow for pending, red if the provisioning failed, and unmarked if the user status is unknown. The list of provisioned users here can be filtered by roles, groups, and names.