On the OneLogin Side
- 1) Create a new Company App using the “SAML Test Connector (IdP w/attr w/sign response)”:
- 2) On the Configuration tab of the app, match the following settings, substituting your AAPS server URL:
Audience: https://(Your FQDN)/AAPS/ssologin.aspx
Recipient: https://(Your FQDN)/AAPS/ssologin.aspx
ACS (Consumer) URL Validator: ^https:\/\/(Your FQDN)/.com$
ACS (Consumer) URL: https://(Your FQDN)/
- 3) On the Parameters tab, you’ll need to add two Custom Parameters:
- 4) Match the remaining parameters (some fields can’t be removed from the SAML assertion, so you can just set them to “- No Default -” to avoid sending spurious information along with the SAML request):
- 5) On the SSO tab, make sure you’re using a SHA1 certificate:
- 6) Click the View Details link on the certificate, and download it as an X.509 PEM:
- 7) Go back to the SSO screen, copy down the Issuer URL (we don’t need the SAML 2.0 endpoint or the SLO endpoint) and note it for later:
- 8) Ensure that the OneLogin App is visible to the necessary users.
- 9) Click on the OneLogin App and copy down the URL that you’re redirected to (be quick) and note it for later:
Configuring the AuthAnvil Password Server
- 1) Go to Admin > General Settings > AuthAnvil Two Factor Auth Settings and click the “Single Sign-On Settings” button.
- 2) Check the box for “Enable Single Sign-On” and match the following:
Issuer: the Issuer URL from Step 7 above
Identity Provider Login URL: the URL from Step 9 above
Identity Provider Logout URL: https://(Your FQDN)/AAPS/logout.aspx (substituting the URL for your AAPS instance)
- 3) Upload the certificate you grabbed from OneLogin in Step 6.
- 4) Click the “Save Changes” button.
- 5) Users are not Just-In-Time provisioned: you must manually add the users that you wish to use the OneLogin App. Match the screens below (make sure the e-mail address matches what’s coming over from OneLogin), and set the Roles tab as appropriate.
- 6) Test the integration.
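When testing the integration, it helps to understand which fields of the SAML Response the settings above are meant to pin down: the Audience and Recipient must name the AAPS login page, the Destination must satisfy the ACS URL validator, and the Issuer must match what was copied from the SSO tab. The script below is an added example (not AuthAnvil's or OneLogin's code) that parses a response and reports every mismatch against such a configuration. The hostname aaps.example.com, the issuer URL, the validator regex and the sample response are all constructed placeholders; signature verification against the downloaded certificate is a separate step that this example does not cover.

```python
"""Added example: offline check of a SAML Response against SP-side settings
(Audience, Recipient, ACS URL validator, Issuer, expiry).
Illustrative code only; hostnames, issuer and the sample response are constructed."""
import re
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SP-side configuration; "aaps.example.com" stands in for "Your FQDN".
SP_CONFIG = {
    "audience": "https://aaps.example.com/AAPS/ssologin.aspx",
    "recipient": "https://aaps.example.com/AAPS/ssologin.aspx",
    "acs_validator": r"^https:\/\/aaps\.example\.com\/.*$",
    "issuer": "https://app.onelogin.com/saml/metadata/PLACEHOLDER",
}

# Constructed, unsigned sample response used as input for the check.
SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://aaps.example.com/AAPS/ssologin.aspx" ID="_r1" Version="2.0">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/PLACEHOLDER</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://app.onelogin.com/saml/metadata/PLACEHOLDER</saml:Issuer>
    <saml:Subject>
      <saml:NameID>user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData
            Recipient="https://aaps.example.com/AAPS/ssologin.aspx"
            NotOnOrAfter="2099-01-01T00:00:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotOnOrAfter="2099-01-01T00:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://aaps.example.com/AAPS/ssologin.aspx</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _parse_time(value):
    # SAML timestamps are UTC ISO 8601 with a trailing 'Z'.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _expired(node, now):
    expiry = node.get("NotOnOrAfter", "")
    return not expiry or _parse_time(expiry) <= now


def check_response(xml_bytes, config, now=None):
    """Return a list of mismatches between the response and the SP settings.
    An empty list means every checked field matched."""
    now = now or datetime.now(timezone.utc)
    problems = []
    # Production code should parse untrusted XML with a hardened parser (e.g. defusedxml).
    root = ET.fromstring(xml_bytes)

    # Destination must satisfy the ACS URL validator regex.
    dest = root.get("Destination", "")
    if not re.match(config["acs_validator"], dest):
        problems.append(f"Destination {dest!r} fails ACS validator")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]

    # Issuer on both the Response and the Assertion must equal the configured IdP issuer.
    for node in (root, assertion):
        issuer = node.findtext("saml:Issuer", default="", namespaces=NS)
        if issuer != config["issuer"]:
            problems.append(f"Issuer {issuer!r} != configured issuer")

    # AudienceRestriction must name this SP, and Conditions must not be expired.
    conditions = assertion.find("saml:Conditions", NS)
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if config["audience"] not in audiences:
        problems.append(f"Audience {audiences!r} does not include {config['audience']!r}")
    if conditions is None or _expired(conditions, now):
        problems.append("Conditions expired or missing NotOnOrAfter")

    # Bearer SubjectConfirmationData must name the SP's Recipient and be unexpired.
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no SubjectConfirmationData")
    else:
        if scd.get("Recipient") != config["recipient"]:
            problems.append(f"Recipient {scd.get('Recipient')!r} != configured recipient")
        if _expired(scd, now):
            problems.append("SubjectConfirmationData expired or missing NotOnOrAfter")
    return problems


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, SP_CONFIG) or "all checks passed")
```

Run it against a response captured from your own test login (for example, decoded from the browser's SAML trace) with the placeholders in SP_CONFIG swapped for your FQDN and issuer; any line it prints points at the OneLogin field that does not yet match the AAPS settings.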
Thanks to Brian Dagan from CWPS for this information.