OneLogin
Access Type: Organization Settings - Editor
Premium Feature: SSO
Single Sign-On (SSO) is an authentication process that allows users to access multiple applications or systems with one set of login credentials. In this article, we will cover how to configure SSO using the SAML 2.0 standard protocol with OneLogin.
Retrieve SSO SAML identifiers
To start, your organization needs to retrieve the SSO SAML identifiers from the Didomi console to continue setup in your identity provider.
Click My organization and select Single Sign-on from the drop-down menu.

Use the provided fields in the Get your SSO SAML identifiers step to record the following:
Configured issuer: Your organization's identity provider's unique identifier within the Didomi console.
Login URL: Where the user will be redirected after a successful login on the identity provider.
Logout URL: Where the user will be redirected after a successful logout on the identity provider.

Click Continue when finished.
Create Didomi console app in OneLogin
In the Administration section of your organization's OneLogin portal, do the following:
Select Applications > Applications.
Click Add App.
Search for SAML Custom Connector (Advanced) and select it from the list.
For the Display Name field, enter a name for your new application that is recognizable as being for the Didomi console (e.g. Didomi Console). This is where your organization will configure the SSO SAML.
Click Save when finished.
A new app will be created in your OneLogin account.
Configure Didomi console app in OneLogin
From your newly created Didomi console app in OneLogin, navigate to the Configuration tab on the left-hand panel.
Use the provided fields to input the following values:
Some values are retrieved from the Didomi SSO SAML identifiers.
Audience (EntityID): Configured issuer
ACS (Consumer) URL Validator: [-a-zA-Z0-9@:%.\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%\+.~#?&//=]*)
ACS (Consumer) URL: Login URL
Single Logout URL: Logout URL
SAML initiator: Service Provider

Next, click Parameters from the left-hand panel and click + inline with the SAML Custom Connector (Advanced Field) header.

In the subsequent modal:
Input http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress in the Field name field.
Select Email in the Value field.
Enable the checkbox for Include in SAML assertion and click Save.
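The ACS (Consumer) URL Validator value in the configuration above is a generic URL-shape pattern, so it does not tie the ACS URL to one endpoint. The following Python check is an added example, not taken from Didomi or OneLogin documentation; it compares that pattern with an anchored pattern built from the Login URL. The URL https://sp.example.com/saml/acs and the near-miss URLs are constructed placeholders, and unanchored search matching is an assumption about how the validator is applied.

```python
import re

# Validator value exactly as it appears in the configuration list above.
PAGE_VALIDATOR = r"[-a-zA-Z0-9@:%.\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%\+.~#?&//=]*)"

# Constructed placeholder; substitute the Login URL shown in your Didomi console.
LOGIN_URL = "https://sp.example.com/saml/acs"

# Constructed near-miss URLs that a validator pinned to LOGIN_URL should reject.
NEAR_MISSES = [
    "http://sp.example.com/saml/acs",                 # different scheme
    "https://sp.example.com.other.example/saml/acs",  # host with extra suffix
    "https://spXexample.com/saml/acs",                # exposes an unescaped dot
    "https://sp.example.com/saml/acs/extra",          # path with extra suffix
    "https://other.example.net/saml/acs",             # unrelated host
]


def pinned_validator(acs_url: str) -> str:
    """Return an anchored pattern that matches acs_url and nothing else."""
    return "^" + re.escape(acs_url) + "$"


def accepts(pattern: str, url: str) -> bool:
    """Assumption: the validator is applied as an unanchored search."""
    return re.search(pattern, url) is not None


def audit(pattern: str, expected: str, others=NEAR_MISSES) -> dict:
    """Report whether pattern accepts the expected URL and which others pass."""
    return {
        "accepts_expected": accepts(pattern, expected),
        "also_accepts": [u for u in others if accepts(pattern, u)],
    }


if __name__ == "__main__":
    candidates = [("page", PAGE_VALIDATOR), ("pinned", pinned_validator(LOGIN_URL))]
    for name, pattern in candidates:
        print(name, audit(pattern, LOGIN_URL))
```

Check any pinned pattern in a test app first, since the regular-expression dialect of the OneLogin field may differ from Python's.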

Retrieve OneLogin metadata
From your newly created Didomi console app in OneLogin, navigate to the SSO tab on the left-hand panel. Record the values for the following fields (Didomi refers to these values collectively as metadata):
X.509 Certificate (under View Details)
SAML 2.0 Endpoint (HTTP)
SLO Endpoint (HTTP)

Add OneLogin metadata
With the metadata from OneLogin copied, navigate back to the SSO configuration within the Didomi console and input those values in the provided fields for the Setup SSO settings step.
X509 certificate: X.509 certificate
Login URL: SAML 2.0 Endpoint (HTTP)
Logout URL: SLO Endpoint (HTTP)

Test and complete SSO configuration
Didomi will verify the identity provider metadata. When verification succeeds, use the Domain(s) field to add the email domains to which SAML authentication will be restricted (i.e. only users whose emails have this domain will be allowed to log in with SSO SAML).
For security, the domain added to the Domain(s) field must match the email domain of the user performing the configuration (e.g. didomi.io can only be added if the user adding it is signed into the Didomi console using an @didomi.io email address).
To add more than one domain, please contact the Didomi support team via chat or email.

Click Save settings.
Assign user access
In the Administration section of your organization's OneLogin portal, navigate to Users > Users.
Follow the instructions to assign users to the Didomi console application created in OneLogin.