Skip to content

Setting up SSO with OneLogin

This article takes an administrator through the process of setting up SSO with OneLogin.

You can start a free OneLogin trial at onelogin.com/free-trial.

Create an app in OneLogin

  1. Log in to the OneLogin portal.
  2. Click Administration.
  3. Click Applications, then select Applications from the drop-down menu.

    Applications menu in OneLogin

  4. Click Add App.

    Add App button

  5. Search for "SAML Custom Connector" and select SAML Custom Connector (Advanced).

    SAML Custom Connector (Advanced) in search results

  6. Change the Display Name and add icons.

    Display name and icons fields

  7. Click Save. Add the icons again after saving.

    Add icons after initial save

Configuration tab

Enter the following details on the Configuration tab:

Field Value
RelayState https://[your-server]/Orbit/en/external-login
Audience (EntityID) https://AptecoLoginApi
Recipient https://[your-server]/OrbitAPI/ExternalLogin/AssertionConsumerService
ACS (Consumer) URL Validator https://[your-server]/OrbitAPI/ExternalLogin/AssertionConsumerService
ACS (Consumer) URL https://[your-server]/OrbitAPI/ExternalLogin/AssertionConsumerService

Default configuration settings

Single sign-on tab

  1. Create a certificate and endpoint at OneLogin.
  2. For SAML Signature Algorithm, select at least SHA-256. The Issuer URL/SAML/SLO endpoint will be used in the Orbit Login Service configuration.

    Rules settings for SAML signature

  3. Click Save.

Certificates

  1. Click Security, then Certificates.

    Security > Certificates in OneLogin

  2. Select the Standard Strength Certificate (2048-bit).

    Standard Strength Certificate option

  3. Change the SHA fingerprint to match the SAML Signature Algorithm (at least SHA-256).

  4. Click Download.

    Download certificate button

  5. Move the onelogin.pem certificate to the OrbitLoginService Certificates directory:

    Text Only
    C:\Program Files (x86)\Apteco\OrbitLoginService\Certificates\
    

    Certificate file moved to OrbitLoginService Certificates directory

Configure the Orbit Login Service

See Orbit login service to install and configure the Login Service first.

Configure the Local Service Provider using the following values:

Field Value
Name https://AptecoLoginApi—must exactly match Audience (Entity ID) in OneLogin
AssertionConsumerServiceUrl https://[your-server]/OrbitAPI/ExternalLogin/AssertionConsumerService—must exactly match Recipient in OneLogin

Local Service Provider Configuration

Configure the Partner Identity Provider using:

Field Value
Name https://app.onelogin.com/saml/metadata/[OneLoginGUID]—must exactly match Issuer URL in OneLogin

Custom connector configuration

Under PartnerName, update the URL to match the Name set in PartnerIdentityProviderConfigurations. Update AllowedReturnUrlOrigins to the name of the web server.

Partner name and AllowedReturnUrlOrigins fields

Example configuration

JSON
{
  "Serilog": {
    "MinimumLevel": {
      "Default": "Debug",
      "Override": {
        "Microsoft": "Warning",
        "System": "Warning",
        "ComponentSpace.Saml2": "Warning"
      }
    },
    "WriteTo": [
      { "Name": "Trace" },
      {
        "Name": "RollingFile",
        "Args": { "pathFormat": "C:\\temp\\Orbit\\Logs\\OrbitLogin-{Date}.txt" }
      }
    ],
    "Enrich": ["FromLogContext", "WithMachineName", "WithThreadId"]
  },
  "Kestrel": {
    "Endpoints": {
      "Http": { "Url": "http://localhost:5005" }
    }
  },
  "AllowedHosts": "*",
  "SAML": {
    "$schema": "https://www.componentspace.com/schemas/saml-config-schema-v1.0.json",
    "Configurations": [
      {
        "LocalServiceProviderConfiguration": {
          "Name": "https://AptecoLoginApi",
          "Description": "Apteco Orbit Login API",
          "AssertionConsumerServiceUrl": "https://<WebServer>/OrbitAPI/ExternalLogin/AssertionConsumerService",
          "LocalCertificates": [
            { "FileName": "certificates/sp.pfx", "Password": "password" }
          ]
        },
        "PartnerIdentityProviderConfigurations": [
          {
            "Name": "https://app.onelogin.com/saml/metadata/<OneLoginGUID>",
            "Description": "OneLogin",
            "DisableDestinationCheck": "true",
            "DisableRecipientCheck": "true",
            "SingleSignOnServiceUrl": "https://apteco.onelogin.com/trust/saml2/http-post/sso/<OneLoginId>",
            "PartnerCertificates": [
              { "FileName": "certificates/onelogin.pem" }
            ]
          }
        ]
      }
    ]
  },
  "PartnerName": "https://app.onelogin.com/saml/metadata/<OneLoginGUID>",
  "JWT": {
    "Key": "VerySecretAptecoJWTKey",
    "Issuer": "https://AptecoLoginApi"
  },
  "AllowedReturnUrlOrigins": "https://<WebServer>"
}