You can configure OneLogin to sign users into Microsoft SharePoint 2010, 2013, or 2016 using WS-Federation with SAML 1.1, and you can enable the People Picker for SharePoint 2013 and 2016 to search and filter for all OneLogin users in your account.
To set up the OneLogin SharePoint integration to provide SSO and enable the SharePoint People Picker to search users in your OneLogin account, you must complete the following tasks:
- Add the SharePoint app to your OneLogin account and get the OneLogin certificate
- Configure OneLogin as a Trusted Identity Provider for SharePoint
- Enable OneLogin as a Trusted Identity Provider for your SharePoint web application
- Install the OneLogin Claims Provider (SharePoint 2013 and 2016 only)
- Set up the OneLogin Claims Provider (SharePoint 2013 and 2016 only)
- Complete the SAML configuration in OneLogin to provide SSO to SharePoint
Requirements:
- For SAML SSO only: SharePoint 2010, 2013, or 2016
- For People Picker: SharePoint 2013 SP1 or 2016
- 64-bit SharePoint host
- An SSL-enabled SharePoint web application (strongly recommended)
Add the SharePoint app to your OneLogin account
Log in to OneLogin as an admin and add a new OneLogin certificate.
Go to Settings > Certificates and click New.
Create the new certificate, give it a user-friendly name, and save it.
We recommend that you sign it with SHA256.
Download the certificate as an X.509 DER file.
- Copy the certificate file to the SharePoint host machine.
Go to Apps > Add apps, search for SharePoint (All Attributes) Protocol, and select it.
You should see the initial Configuration tab.
Click Save to add the app to your Company Apps and display additional setup tabs.
Go to the Configuration tab and configure the following:
- Protocol: the communication protocol for your SharePoint site (https or http)
- FQDN: the fully qualified domain name of your SharePoint site (for example, portal.acme.com)
- Realm: an identifier that lets you configure OneLogin as a trusted identity provider for your SharePoint site. It can be any unique value, typically in the format urn:onelogin:SharePoint. You will use it later in the SharePoint configuration.
- Site: the path to the target website (for example, /sites/site1/ or /sitepages/Home.aspx)
Go to the Parameters tab and map the SharePoint field userPrincipalName to the OneLogin value Email.
Click the userPrincipalName row to open the Edit Field UserPrincipalName dialog and select Email from the Value drop-down. Keep the defaults for the remaining mappings.
Go to the SSO tab to assign the new X.509 certificate to the app and copy the WS-Federation Web SSO Endpoint URL.
- Under X.509 Certificate, click Change.
- In the dialog that pops up, select your new certificate from the drop-down list.
- Change the SAML Signature Algorithm to SHA-256 (recommended).
- Copy the WS-Federation Web SSO Endpoint URL to a text editor; you will use this later when you configure your SharePoint site.
- Click Save.
Configure OneLogin as a Trusted Identity Provider for SharePoint
On the machine that hosts your SharePoint site, open the SharePoint Management Shell.
Run it as an account with appropriate permissions to make changes to your SharePoint farm, along with appropriate PowerShell permissions.
Load the OneLogin certificate into an object, replacing the path with the location of the DER file you copied to the SharePoint host:
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\path\to\onelogin-certificate.cer")
Create a SharePoint Trusted Root Authority using the certificate:
New-SPTrustedRootAuthority -Name "OneLogin Certificate Name" -Certificate $cert
You can use any name that you like for the certificate. The command should return details about the newly created TrustedRootAuthority.
Create the attribute/claim mappings between OneLogin and SharePoint, using the following commands:
$fname = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" -IncomingClaimTypeDisplayName "GivenName" -SameAsIncoming
$lname = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" -IncomingClaimTypeDisplayName "Surname" -SameAsIncoming
$email = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$upn = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
$role = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
These commands do not return anything.
Create the SharePoint Trusted Identity Token Issuer, issuing the following command as a single string of one line:
-SignInUrl "WS-Federation Web SSO Endpoint"
Replace Realm with the Realm value that you entered on the SharePoint connector's Configuration tab in OneLogin in the first task.
Replace WS-Federation Web SSO Endpoint with the WS-Federation Web SSO Endpoint URL you copied from the SharePoint connector's SSO tab in OneLogin in the first task.
The command will return details about the newly created Trusted Identity Provider.
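The trust configuration described in this task, gathered into one script for the SharePoint Management Shell, as an added example that is not OneLogin's or Microsoft's own code. The certificate path, realm, sign-in URL and issuer name are placeholders to replace with your own values; the choice of the UPN claim as the identifier claim is this example's assumption (it matches the userPrincipalName to Email mapping from the first task), not something the page states. The script also checks the certificate before trusting it and confirms afterwards that the token issuer SharePoint recorded carries that certificate's thumbprint.

```powershell
# Added example: OneLogin trust configuration for SharePoint in one script.
# Placeholders (assumptions, replace with your own values):
$certPath   = "C:\path\to\onelogin-certificate.cer"                   # DER file copied from OneLogin
$realm      = "urn:onelogin:SharePoint"                               # Realm from the Configuration tab
$signInUrl  = "https://REPLACE-WITH-WS-FEDERATION-WEB-SSO-ENDPOINT"   # URL copied from the SSO tab
$issuerName = "OneLogin"                                              # name later used by the Claims Provider

# Load the certificate and inspect it before it becomes a trusted root for the farm.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
Write-Host "Subject:             $($cert.Subject)"
Write-Host "Thumbprint:          $($cert.Thumbprint)"
Write-Host "Signature algorithm: $($cert.SignatureAlgorithm.FriendlyName)"   # expect sha256RSA if signed with SHA256
Write-Host "Valid until:         $($cert.NotAfter)"
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate has already expired; download a current one from OneLogin before continuing."
}

# Trusted Root Authority built from the OneLogin certificate.
New-SPTrustedRootAuthority -Name "OneLogin Certificate" -Certificate $cert | Out-Null

# Claim mappings between OneLogin and SharePoint (same five claims as on the page).
$fname = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" -IncomingClaimTypeDisplayName "GivenName" -SameAsIncoming
$lname = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" -IncomingClaimTypeDisplayName "Surname" -SameAsIncoming
$email = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$upn   = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
$role  = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# Trusted Identity Token Issuer. -IdentifierClaim set to the UPN claim is this example's choice.
New-SPTrustedIdentityTokenIssuer -Name $issuerName -Description "OneLogin WS-Federation" `
    -Realm $realm -ImportTrustCertificate $cert `
    -ClaimsMappings $fname, $lname, $email, $upn, $role `
    -SignInUrl $signInUrl -IdentifierClaim $upn.InputClaimType | Out-Null

# Verify what SharePoint actually stored: the signing certificate must be the one loaded above.
$issuer = Get-SPTrustedIdentityTokenIssuer $issuerName
if ($issuer.SigningCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw "Token issuer '$issuerName' is bound to a different certificate than the one loaded from $certPath."
}
$issuer | Select-Object Name, DefaultProviderRealm, ProviderUri, IdentityClaimTypeInformation
```

Run the script once per farm; New-SPTrustedRootAuthority and New-SPTrustedIdentityTokenIssuer fail if an object with the same name already exists, which is a useful guard against silently re-trusting a different certificate under an old name.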
Enable OneLogin as a Trusted Identity Provider for your SharePoint web application
Open SharePoint Central Administration.
Open Application Management from the left menu.
Under Web applications, select Manage web applications.
Select your SharePoint Web Application.
Note that it should be enabled for SSL.
Click Authentication Providers from the top menu.
Select the Default Zone.
Select the Trusted Identity Provider checkbox and select the trusted identity provider that you created for OneLogin in the previous task.
- Click Save.
Install the OneLogin Claims Provider (SharePoint 2013 and 2016 only)
This step enables the SharePoint People Picker to pick OneLogin people. It is only supported with SharePoint 2013 and 2016. If you are enabling SAML SSO for SharePoint 2010, skip ahead to "Complete the SAML configuration in OneLogin to provide SSO to SharePoint."
Download the OneLogin Claims Provider for SharePoint installer.
On a domain-joined machine, launch the installer.
Accept OneLogin's license agreement terms.
Provide your OneLogin Client ID and OneLogin Client Secret.
Use the Client ID and Client Secret from your OneLogin API Credentials. To create or get these values, follow the instructions in Working with API Credentials. We strongly recommend that the API credentials you use for your SharePoint integration be Read All. There is no reason to provide more permissive access.
When the installation is complete, click Finish.
Set up the OneLogin Claims Provider (SharePoint 2013 and 2016 only)
Open the SharePoint Management Shell.
Associate the OneLogin Trusted Identity Token Issuer with the newly installed OneLogin Claims Provider, using the following commands:
$tokenissuer = Get-SPTrustedIdentityTokenIssuer "OneLogin"
$tokenissuer.ClaimProviderName
$tokenissuer.ClaimProviderName = "Onelogin Claims Provider"
$tokenissuer.Update("true")
For the value passed to Get-SPTrustedIdentityTokenIssuer, use the name that you provided when you configured OneLogin as Trusted Identity Provider. In our example, that name was "OneLogin". The value of ClaimProviderName is by definition "Onelogin Claims Provider". The second line displays the current value before it is changed.
(Optional) If the name that you provided when you configured OneLogin as Trusted Identity Provider is NOT "OneLogin," update the OneLogin Claims Provider property OLTrustedProvider for your SharePoint farm, using the following commands.
You can run these separately or copy and paste them all into the shell at once.
$farm = Get-SPFarm
$farm.Properties["OLTrustedProvider"] = "OneLogin Trusted Identity Provider Name"
$farm.Update()
Note that the default value for OLTrustedProvider is "OneLogin," which is why you don't need to complete this step if you used "OneLogin" as the name when you configured OneLogin as Trusted Identity Provider.
Now you're ready to start selecting OneLogin users using the SharePoint People Picker. Your OneLogin users will be available for search and selection when you change site collection administrators, share your site with users, or share content in the site. All of SharePoint's user search, filtering, and auto-completion functionality will retrieve your OneLogin users.
To complete your SharePoint integration with OneLogin, we recommend that you also set up OneLogin to provide SAML-based SSO for your users.
Complete the SAML configuration in OneLogin to provide SSO to SharePoint
In OneLogin, go to Apps > Company Apps and open the SharePoint (All Attributes) Protocol app that you added in the first task.
For example, you can attach a policy to the app to require multi-factor authentication.
You can also go to Users > All Users to add the app to individual user accounts.
You can view SharePoint logs using the Unified Logging System (ULS) viewer.
Download the ULS viewer.
Unzip and start the viewer.
Click File, point to Open From, and click ULS.
In the Setup the ULS Runtime feed dialog, select Use ULS feed from default log-file directory (local machine only).
Verify that this option points to %CommonProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\
Filter for OneLogin events by selecting the Filter icon and entering Field=Category, Operation=Contains, and Value=onelogin.
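The same filter applied from the SharePoint Management Shell rather than the ULS Viewer, as an added example that is not part of the OneLogin page: it pulls recent ULS entries whose Category contains "onelogin" and separates the high-severity ones, which are the lines to read first after a failed sign-in or an empty People Picker search. The 30-minute lookback window is an assumption; adjust it to the period you are investigating.

```powershell
# Added example: review OneLogin-related ULS events from the shell.
# Assumption: a 30-minute lookback window; widen it to cover the incident you are looking at.
$since  = (Get-Date).AddMinutes(-30)

# Get-SPLogEvent reads the farm's ULS logs; filter on the Category field, as in the ULS Viewer.
$events = Get-SPLogEvent -StartTime $since | Where-Object { $_.Category -like "*onelogin*" }

Write-Host "$($events.Count) OneLogin-related entries since $since"
$events | Select-Object Timestamp, Level, Category, EventID, Message | Format-Table -AutoSize -Wrap

# High-severity entries first: these usually explain a rejected token or a claims provider failure.
$problems = $events | Where-Object { $_.Level -eq "Unexpected" -or $_.Level -eq "High" -or $_.Level -eq "Critical" }
if ($problems) {
    Write-Host "High-severity OneLogin entries:"
    $problems | Select-Object Timestamp, Level, Correlation, Message | Format-List
}
```

The Correlation value on each entry lets you pull every log line for one request with Get-SPLogEvent piped through Where-Object on Correlation, which is the quickest way to see the full sequence from the WS-Federation POST to the claims provider lookup.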