Now that you've added some applications to your OneLogin account, you're ready to begin configuring those applications for your users. This applies to both SAML and forms-based applications, and allows you to configure them for single sign-on and to map them to users via roles and groups. This is also where you'll find the configuration options for user provisioning, if the application supports it.
Application configuration options include Info, Configuration, Parameters, Rules, Single Sign-On, Access Control, Provisioning, and Users.
When you access app configuration from the Add App page, only the Portal, Connector, and Personal or Organization App options are available. Portal options enable you to edit the app name as it appears to users, the icons that appear to users, and whether the app appears at all. Rectangular icons appear in tile views of apps. Connector determines whether this app will be configured through SAML or through a form, while Personal or Organization App determines whether the app will be in the list of company apps or personal only.
After you click Save to add the app, the Info tab appears. Here you can update the app display name, visibility, icons, the tab it appears under in the list of apps, and any notes that you want to associate with the application.
The Configuration tab is split into two parts: Application Details and API Connection. Under Application Details on top, you'll find fields that enable SAML integration, domain connectors, and settings that allow for single sign-on functionality. Below, under API Connection, you'll find fields for hooking into application APIs and allowing for user provisioning functionality with those apps.
The Parameters page contains settings that allow for tight control over which OneLogin user fields are mapped to specific fields within the application. These settings determine which values within the application are mapped to specific values within OneLogin, and which entitlements are available for mapping to users in the Rules tab. The page also allows you to specify whether the credentials are solely admin-configured, or shared amongst all users.
This affects user field associations both for single sign-on and for user provisioning. Selecting one of these fields opens a small configuration pane where you can assign which value field from OneLogin will be associated with that value in the application. It also provides the option to include the value in the SAML assertion as it's passed through, as well as to include that value as the user is provisioned (if the application allows for provisioning).
Some values, such as Roles and Groups, have an Edit Pane that contains the Name-Value relationship but has been expanded to host two tables. This allows for a deeper level of attribute association, for example, a series of specific roles or groups that will be used in your organization. Below, you'll notice that the Role field can contain a variety of available roles for this application, but we've only selected the four values on the right to be associated with the users in our organization. By selecting Include in User Provisioning, these values will then be available for provisioning in the Rules.
Moving next to Rules, you'll find that this is essentially the entitlements mapping page that used to be found under the Provisioning tab in the previous version of the application configuration page. These mappings can affect both the OneLogin roles and groupings, as well as entitlements and attributes that will be associated with the user or groups of users when provisioning occurs. These entitlements will come directly from the Parameters tab, and will allow values configured there to be mapped out to users.
Selecting an existing rule, or generating a new rule by selecting New Rule, will open the rule mapping pane. Just as with entitlement and user mappings, this set of options will allow you to configure a mapping that ties users or groups of users to specific attributes inside of the application.
The example below shows an administrative mapping that makes all users that are a part of the 'Administrative Group' admins within Google Apps.
The Single Sign-On tab contains the SAML endpoint information used to allow the integration with other applications, while Assumed Sign-In allows admins currently assuming a user to log in to that user's applications. Below that, you'll find access to the currently associated X.509 certificate, the Issuer URL metadata, the SAML HTTP Endpoint, and the HTTP Single Logout (SLO) endpoint.
Under Access Control, you'll find the options to select which role and which policy (if any) will be associated with the application.
The Provisioning tab contains all options related to automating provisioning tasks. The top portion contains the Details and Workflow sections, where rules are defined as to how users are provisioned and de-provisioned within the application, while Entitlements contains just one option, Refresh Entitlements. Entitlement mappings have been moved to the Rules tab, where all entitlement mappings now exist.
Finally, the Users page will show all the users currently associated with the application and their provisioning state, if applicable. The provisioning state displays a color-coded backing to each user state: green for provisioned, yellow for pending, red if the provisioning failed, and unmarked if the user status is unknown. The list of provisioned users here can be filtered by roles, groups, and names.