Integration with OneLogin authentication

System Configuration for SAML: OneLogin IdP Integration

PAM supports integration with OneLogin Identity Provider using SAML protocol to defer user authentication to OneLogin.

The following guide describes how to configure your OneLogin integration.

Requirements

Before you begin your integration, be sure you meet the following pre-requisities:

  • A working PAM deployment with the Federated Sign-In experience.
  • Access to your existing PAM host server. You will need to update a configuration file, certificates and restart services.
  • Access to your OneLogin portal to configure your AuthPoint authentication services.
  • If Users are created and managed in OneLogin, then a matching user must also be created as PAM Local User.
  • If Users are synced from Active Directory to OneLogin, then you must also integrate PAM with the same Active Directory.

Step 1: Begin the OneLogin Configuration

  1. Login to your OneLogin account with admin account (https://someorg.onelogin.com/portal/)

  2. Navigate to Administration.Help-SAML1

  3. Go to Applications > Applications.

    Help-SAML2

  4. Click Add App button.

    Help-SAML3

  5. Navigate to Find Applications search for saml and choose SAML Test Connector (Advanced).Help-SAML4

  6. Enter meaningful name in Display Name field, for example, SAML PAM and click Save.Help-SAML5

  7. Go to SSO page and select SHA-256 for SAML Signature Algorithm. Copy Issuer URL for using it in next step. Click Save.Help-SAML6

Step 2: Perform the PAM Configuration

  •  

    1. Login to your PAM host server.

      On PAM server go to $PAM_HOME/web/conf folder. Open the file $PAM_HOME/web/conf/catalina.properties in a text editor and add the following new section. Confirm that the values for each parameter is accurate to your PAMdeployment. Add new section with SAML provide configuration to catalina.properties with prepopulated data:

      Copy 
      # OneLogin SSO SAML
      cas.authn.pac4j.saml[0].clientName=OneLoginSSO
      cas.authn.pac4j.saml[0].keystorePassword={password}
      cas.authn.pac4j.saml[0].privateKeyPassword={password}
      cas.authn.pac4j.saml[0].serviceProviderEntityId={managed_path}
      cas.authn.pac4j.saml[0].serviceProviderMetadataPath={PAM_HOME/content/keys/oneloginsso.xml}
      cas.authn.pac4j.saml[0].keystorePath={PAM_HOME/content/keys/samlKeystoreOneLoginSSO.jks}
      cas.authn.pac4j.saml[0].identityProviderMetadataPath={Metadata URL from step 1.7}
      cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=2073600

      In the lines above, the following {placeholders} need to be updated using your own values explained here.

      Save and close the file when you are finished.

      1. cas.authn.pac4j.saml[0].clientName={OneLoginSSO} - name SSO provider, it must match with item.

      2. cas.authn.pac4j.saml[0].keystorePassword={password} - Create an alphanumeric password. Any value you want to enter.

      3. cas.authn.pac4j.saml[0].privateKeyPassword={password} - Create an alphanumeric password. Any value you want to enter.

      4. cas.authn.pac4j.saml[0].serviceProviderEntityId={managed_path} - audience URI, it must match with item.

      5. cas.authn.pac4j.saml[0].serviceProviderMetadataPath=$PAM_HOME/content/keys/oneloginsso.xml} The full path and file name of the okta.xml file. For example, C:/$PAM_HOME/content/keys/oneloginsso.xml (use forward slashes not backslashes)

      6. cas.authn.pac4j.saml[0].keystorePath=$PAM_HOME/content/keys/samlKeystoreOneLoginSSO.jks - Define a path and name for the PAM auto-generated key. For example, $PAM_HOME/content/keys/samlKeystoreOneLoginSSO.jks (use forward slashes not backslashes)

      7. cas.authn.pac4j.saml[0].identityProviderMetadataPath={Issuer URL From step 1.7} - Copy and paste the full URL from your Identity Provider Metadata used in step (4). For example, https://subDomain.OneLoginSSO.com/app/[externalKey]/sso/OneLoginSSO/metadata.

      8. cas.authn.pac4j.saml[0].maximumAuthenticationLifetime=2073600: This value defines a 24 day period (value in seconds) in which a user has generated a last authentication event in Active Directory. This parameter helps if users begin experiencing login issues due to old authentication events.

    2. When complete, save and close your catalina.properties file and restart PamManagement service.

    3. After the service fully restarts, it could take 3-5 minutes to fully restart, the keystore file should appear in samlKeystoreOneLoginSSO.jks keystore and oneloginsso.xml metadata files should appear in $PAM_HOME/content/keys.

    Step 3: Complete the OneLogin Configuration

    1. Return to your OneLogin portal.

    2. In OneLogin application configuration go to Configuration page.Help-SAML7

    3. Enter values for all necessary fields that match those that were entered into the the catalina.properties file from the previous step:

      Audience (EntityID): cas.authn.pac4j.saml[0].serviceProviderEntityId value from step 8

      Recipient: https://pam.yourorg.com/cas/login?client_name=OneLoginSSO

      ACS (Consumer) URL Validator: ^https:\/\/pam.yourorg.com\/cas\/login\?client_name=OneLoginSSO$

      ACS (Consumer) URL: https://pam.yourorg.com/cas/login?client_name=OneLoginSSO

      Login URL: https://pam.yourorg.com/xtam

      SAML signature element: Assertion

      Help-SAML8

      Help-SAML9

      Help-SAML10

      Click Save button.

    4. Navigate to Users > Users.

      5. Help-SAML11

    5. Select user that needs to login to the System using newly created application. Go to Applications and click + button.Help-SAML12

    6. From dropdown menu select your application click Continue and click Save User.

      7. Help-SAML13

    7. Finally, you can open your PAM login page, click the button named OneLogin and test the login process with the User that was created in the previous step.