The OneLogin SAML Test Connector lets you build custom application connectors for applications that are not in the OneLogin catalog, e.g. internally developed apps used only within your company. It is also useful for testing whether a third-party application has correctly integrated SAML assertion handling into its authentication system.
Add the SAML Test Connector
Start by navigating to Apps > Add Apps in the OneLogin administrator dashboard. Search for 'SAML Test Connector' and select the first result from the search results.
Before proceeding, note that the search yields eight connectors. We recommend the basic connector for testing general functionality, but all eight are explained below. "IdP" or "SP" in the name indicates whether the connector is configured for IdP-initiated or SP-initiated SAML.
SAML Test Connector: This is the basic connector that contains the general URL fields that will be used to pass the connector information between OneLogin and the application in question.
SAML Test Connector (IdP w/attr): Along with all the functionality of the basic connector, this version allows additional user attribute fields to be passed in the SAML assertion, beyond the 'Email' field that the basic test connector sends.
SAML Test Connector (IdP w/attr w/ sign response): Along with all the functionality of the basic IDP w/attr connector, this version has a signed response instead of a signed assertion found in the IDP & IDP w/attr connectors.
SAML Test Connector (IdP) w/encrypt: Along with all the functionality of the IDP connector w/attr w/sign response, this version includes an encrypted assertion.
SAML Test Connector (IdP) w/ NameID (Unspec): Along with all the functionality of the basic IDP w/attr connector, this version has the NameID format set to Unspecified.
SAML Test Connector (SP): This is the basic SP Initiated connector that contains the general URL fields that will be used to pass the connector information between OneLogin and the application in question.
SAML Test Connector (SP) w/Public Cert: Along with all the functionality of the basic SP connector, this version includes an encrypted assertion.
SAML Test Connector (SP w/signed Response): Along with all the functionality of the basic SP connector, this version uses a signed response element rather than the signed assertion element.
Save it. OneLogin takes you to the application's Info page; from there, open the adjacent Configuration tab.
Here you'll find the fields that control how OneLogin exchanges SAML messages and responses with the application. Some fields are required, while others are optional depending on the nature and implementation of the application in question.
Test Connector Configuration Page
Relay State: Not required.
This is the SAML version of deep linking. This field will accept a URL that will immediately redirect the user to a particular place in your application.
If no URL is present, the app will take the user to the default home page.
Audience
The URL placed in this field goes along with the ACS (Consumer) URL. It identifies the entity that is expected to receive the SAML message.
Typically, the format for this URL would resemble a simple domain, so for an ACS (Consumer) URL of
Recipient: Required when used with the SAML Toolkit for Java.
The Recipient URL is another layer of security to make sure that the SAML response is meant for you and only you.
The Recipient will tell you exactly who the SAML response is for, but the Audience will tell you, at a broader level, where the response should go. So for example, the Recipient could be Yankee Stadium, while the Audience could be New York City.
Using both Audience and Recipient values is recommended.
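What the service provider should do with these two values, as an added example that is not OneLogin's code or part of this page: parse the assertion and fail closed unless every bearer SubjectConfirmationData carries the expected Recipient and every AudienceRestriction names the SP's own entity ID. The assertion, the ACS URL https://app.example.com/saml/acs and the entity ID https://app.example.com are all constructed for the example.

```python
"""Added example, not OneLogin's code: SP-side Recipient and Audience checks
on a SAML 2.0 assertion. Everything below is constructed for illustration."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample assertion. A real one also carries a Signature,
# NotBefore/NotOnOrAfter timestamps and an AttributeStatement, and signature
# verification must happen before any of the checks below are trusted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/saml/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID>user@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://app.example.com/saml/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://app.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def check_recipient_and_audience(assertion_xml, expected_recipient, expected_audience):
    """Return (ok, reason). ok is True only when every SubjectConfirmationData
    names expected_recipient and every AudienceRestriction contains
    expected_audience. Missing elements are treated as a failure."""
    root = ET.fromstring(assertion_xml)

    # Recipient: the exact endpoint this response was minted for.
    confirmations = root.findall(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", SAML_NS)
    if not confirmations:
        return False, "no SubjectConfirmationData"
    for data in confirmations:
        if data.get("Recipient") != expected_recipient:
            return False, "Recipient mismatch: %r" % data.get("Recipient")

    # Audience: the broader party (the SP entity ID) allowed to consume it.
    # Multiple AudienceRestriction elements are ANDed; the Audience values
    # inside one restriction are ORed.
    restrictions = root.findall("saml:Conditions/saml:AudienceRestriction", SAML_NS)
    if not restrictions:
        return False, "no AudienceRestriction"
    for restriction in restrictions:
        audiences = [a.text.strip() for a in restriction.findall("saml:Audience", SAML_NS) if a.text]
        if expected_audience not in audiences:
            return False, "Audience mismatch: %r" % audiences
    return True, "ok"


if __name__ == "__main__":
    print(check_recipient_and_audience(
        SAMPLE_ASSERTION, "https://app.example.com/saml/acs", "https://app.example.com"))
```

Both checks compare against values the SP knows about itself, never against anything taken from the response, which is what makes them a defence against a response replayed to the wrong endpoint or application.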
ACS (Consumer) URL Validator: Required.
OneLogin uses this field to ensure that it POSTs the response to the right place. If the flow is Service Provider (SP) initiated, the SP supplies the URL to which the SAML response should be POSTed, and this validator decides whether that URL is acceptable.
Basically, the ACS (Consumer) URL Validator takes the form of the ACS (Consumer) URL, but "escaped out": every period and forward slash is preceded by a backslash, so each is matched as a literal character rather than as a regular-expression metacharacter.
Creating a secure ACS (Consumer) URL Validator value is key to the security of the connector. If it is misconfigured, an attacker could forge Authentication Requests to serviceprovider.com (SP).
For example, consider this ACS (Consumer) URL:
A secure ACS (Consumer) URL Validator regular expression would be:
Note the essential anchors:
Here is an example of an insecure ACS (Consumer) URL Validator regular expression:
This insecure ACS (Consumer) URL Validator could be bypassed with an ACS (Consumer) URL of:
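The anchoring and escaping rules above, as an added example that is not OneLogin's code or the page's own values: a constructed ACS URL https://app.example.com/saml/acs is turned into an escaped, anchored validator and compared with two insecure variants (a host-only pattern without anchors, and an anchored pattern with unescaped periods). The candidate URLs are constructed too, and the pattern is applied as a substring search, which is the behaviour the anchors exist to constrain.

```python
"""Added example, not OneLogin's code: why an ACS (Consumer) URL Validator
needs both escaping and ^ ... $ anchors. All URLs and patterns are constructed."""
import re

# Constructed ACS (Consumer) URL for an imaginary service provider.
ACS_URL = "https://app.example.com/saml/acs"


def escape_for_validator(url):
    """Regex fragment for a literal URL: every '.' and '/' gets a leading
    backslash (the 'escaped out' form described on the page); re.escape also
    covers any other metacharacter such as '?' or '+'."""
    return re.escape(url).replace("/", "\\/")


def anchored_validator(url):
    """The secure form: the escaped URL pinned at both ends with ^ and $."""
    return "^" + escape_for_validator(url) + "$"


def validator_accepts(pattern, candidate):
    """Apply a validator as a substring search; only the anchors stop the
    pattern from matching inside a longer, attacker-chosen URL."""
    return re.search(pattern, candidate) is not None


# Constructed candidate URLs a validator might be asked to judge.
CANDIDATES = [
    "https://app.example.com/saml/acs",                                        # the real ACS URL
    "https://app.example.com.attacker.example/saml/acs",                       # real host reused as a label of another host
    "https://attacker.example/collect?next=https://app.example.com/saml/acs",  # real URL embedded in a query string
    "https://appXexample.com/saml/acs",                                        # only matches if '.' is a wildcard
]

PATTERNS = {
    "secure (escaped + anchored)": anchored_validator(ACS_URL),
    "insecure (host only, no anchors)": escape_for_validator("https://app.example.com"),
    "insecure (anchored, '.' unescaped)": "^" + ACS_URL.replace("/", "\\/") + "$",
}


def evaluate(patterns=PATTERNS, candidates=CANDIDATES):
    """Return {pattern label: [candidate URLs that pattern accepts]}."""
    return {label: [c for c in candidates if validator_accepts(p, c)]
            for label, p in patterns.items()}


if __name__ == "__main__":
    for label, accepted in evaluate().items():
        print(label)
        for url in accepted:
            print("   accepts", url)
```

Only the escaped and anchored pattern accepts exactly the configured ACS URL; dropping the anchors lets the real host appear anywhere in a larger URL, and leaving periods unescaped lets them match any character in the hostname.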
ACS (Consumer) URL: Required.
This field contains the address to which the SAML response is POSTed.
SLO URL: Not required.
This is the logout endpoint to which OneLogin sends a logout request when the user logs out of OneLogin. The endpoint then returns a logout response, completing the user's logout from the application.
For this feature to work, you'll need to implement Single Log-Out.