Integration with OneLogin authentication

System Configuration for SAML: OneLogin IdP Integration

PAM supports integration with the OneLogin Identity Provider over the SAML protocol, deferring user authentication to OneLogin.

The following guide describes how to configure your OneLogin integration.

Requirements

Before you begin your integration, be sure you meet the following prerequisites:

  • A working PAM deployment with the Federated Sign-In experience.
  • Access to your existing PAM host server. You will need to update a configuration file and certificates, and restart services.
  • Access to your OneLogin portal to configure your AuthPoint authentication services.
  • If Users are created and managed in OneLogin, then a matching user must also be created as a PAM Local User.
  • If Users are synced from Active Directory to OneLogin, then you must also integrate PAM with the same Active Directory.

Step 1: Begin the OneLogin Configuration

  1. Log in to your OneLogin account with an admin account (https://someorg.onelogin.com/portal/).

  2. Navigate to Administration.

  3. Go to Applications > Applications.

  4. Click the Add App button.

  5. Navigate to Find Applications, search for "saml" and choose SAML Test Connector (Advanced).

  6. Enter a meaningful name in the Display Name field, for example SAML PAM, and click Save.

  7. Go to the SSO page and select SHA-256 for SAML Signature Algorithm. Copy the Issuer URL for use in Step 2. Click Save.

Step 2: Perform the PAM Configuration

  1. Log in to your PAM host server.

     On the PAM server, go to the $PAM_HOME/web/conf folder. Open the file $PAM_HOME/web/conf/catalina.properties in a text editor and add the following new section containing the SAML provider configuration. Confirm that the value of each parameter is accurate for your System deployment.

       # OneLogin SSO SAML
       cas.authn.pac4j.saml[0].clientName=OneLoginSSO
       cas.authn.pac4j.saml[0].keystorePassword=password
       cas.authn.pac4j.saml[0].privateKeyPassword=password
       cas.authn.pac4j.saml[0].serviceProviderEntityId={managed_path}
       cas.authn.pac4j.saml[0].serviceProviderMetadataPath=$PAM_HOME/content/keys/oneloginsso.xml
       cas.authn.pac4j.saml[0].keystorePath=$PAM_HOME/content/keys/samlKeystoreOneLoginSSO.jks
       cas.authn.pac4j.saml[0].identityProviderMetadataPath={Issuer URL From step 1.7}
       cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=2073600

  2. When complete, save and close your catalina.properties file and restart the PamManagement service.

  3. After the service fully restarts (this can take 3-5 minutes), the samlKeystoreOneLoginSSO.jks keystore and the oneloginsso.xml metadata file should appear in $PAM_HOME/content/keys.

Step 3: Complete the OneLogin Configuration

  1. Return to your OneLogin portal.

  2. In the OneLogin application configuration, go to the Configuration page.

  3. Enter values for all necessary fields so that they match those entered into the catalina.properties file in the previous step:

       Audience (EntityID): the cas.authn.pac4j.saml[0].serviceProviderEntityId value from step 2.1
       Recipient: https://pam.yourorg.com/cas/login?client_name=OneLoginSSO
       ACS (Consumer) URL Validator: ^https:\/\/pam.yourorg.com\/cas\/login\?client_name=OneLoginSSO$
       ACS (Consumer) URL: https://pam.yourorg.com/cas/login?client_name=OneLoginSSO
       Login URL: https://pam.yourorg.com/xtam
       SAML signature element: Assertion

     Click the Save button.

  4. Navigate to Users > Users.

  5. Select the user that needs to log in to the System using the newly created application. Go to Applications and click the + button.

  6. From the dropdown menu select your application, click Continue and then click Save User.

  7. Finally, open your PAM login page, click the button named OneLogin and test the login process with the User you assigned the application to in the previous steps.
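The values in Step 2 and Step 3 must agree with each other (Audience with serviceProviderEntityId, the client_name in the ACS URL with clientName, the ACS URL Validator with the ACS URL). The script below is an added consistency check, not part of this guide or the PAM product; the catalina.properties section and OneLogin field values it uses are constructed samples, with the entity ID, file paths and OneLogin Issuer URL filled in as placeholders where the guide leaves them to your deployment.

```python
import re
from urllib.parse import parse_qs, urlsplit
# Constructed sample of the Step 2 section; paths, entity ID and Issuer URL are placeholders, not real values.
CATALINA_PROPERTIES = """\
# OneLogin SSO SAML
cas.authn.pac4j.saml[0].clientName=OneLoginSSO
cas.authn.pac4j.saml[0].keystorePassword=password
cas.authn.pac4j.saml[0].privateKeyPassword=password
cas.authn.pac4j.saml[0].serviceProviderEntityId=https://pam.yourorg.com/cas
cas.authn.pac4j.saml[0].serviceProviderMetadataPath=/opt/pam/content/keys/oneloginsso.xml
cas.authn.pac4j.saml[0].keystorePath=/opt/pam/content/keys/samlKeystoreOneLoginSSO.jks
cas.authn.pac4j.saml[0].identityProviderMetadataPath=https://app.onelogin.com/saml/metadata/EXAMPLE-APP-ID
cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=2073600
"""

# Constructed sample of the Step 3 fields as typed into the OneLogin application's Configuration page.
ONELOGIN_APP = {
    "Audience (EntityID)": "https://pam.yourorg.com/cas",
    "Recipient": "https://pam.yourorg.com/cas/login?client_name=OneLoginSSO",
    "ACS (Consumer) URL Validator": r"^https:\/\/pam.yourorg.com\/cas\/login\?client_name=OneLoginSSO$",
    "ACS (Consumer) URL": "https://pam.yourorg.com/cas/login?client_name=OneLoginSSO",
}

def parse_saml_client(text, index=0):
    """Return the cas.authn.pac4j.saml[index].* properties with the prefix stripped."""
    prefix = f"cas.authn.pac4j.saml[{index}]."
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")  # comments and blanks have no "=" and are skipped
        if sep and key.startswith(prefix):
            props[key[len(prefix):]] = value.strip()
    return props

def check_integration(props, app):
    """Cross-check the PAM client settings against the OneLogin app fields; return a list of findings."""
    findings = []
    acs = app["ACS (Consumer) URL"]
    if app["Audience (EntityID)"] != props.get("serviceProviderEntityId"):
        findings.append("Audience does not match serviceProviderEntityId")
    # CAS hands the SAML response to the pac4j client named by the ACS URL's client_name parameter
    if parse_qs(urlsplit(acs).query).get("client_name", [None])[0] != props.get("clientName"):
        findings.append("ACS URL client_name does not match clientName")
    if app["Recipient"] != acs:
        findings.append("Recipient differs from ACS URL")
    if not re.fullmatch(app["ACS (Consumer) URL Validator"], acs):
        findings.append("ACS URL Validator does not match the ACS URL")
    if "password" in (props.get("keystorePassword"), props.get("privateKeyPassword")):
        findings.append("keystore or private key password is still the literal 'password'")
    return findings
```

Note that the guide's validator leaves the dots in the hostname unescaped, so the regex accepts any character in those positions; escaping them as `\.` makes the validator match only the intended host.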