Home > Guides > Workspace administrator > OneLogin

Configuring ACP with OneLogin as an identity provider using the SAML federation

Instructions on configuring ACP with OneLogin as an identity provider using the SAML federation

Prerequisites

  • ACP access/account
  • OneLogin access/account

Configure OneLogin

  1. Cre­ate a new SAML application in One­L­o­gin amin por­tal by selecting Add App.

  2. In the Find Application view, select SAML Test Connector (Advanced).

  3. Save your new application.

  4. Select SSO from the sidebar and copy/save the SAML 2.0 endpoint URL (required in step 5 of Configure ACP).

Configure ACP

  1. Log in to the ACP admin portal.

  2. Switch to the workspace that you want to integrate with OneLogin.

  3. Add a SAML Identity Provider on the ACP side.

  4. Enter the copied SAML 2.0 endpoint URL as Sign in URL and select Save.

    Note

    Check step 3 of Configure OneLogin for the relevant URL.

Enable the trust

Trust be­tween One­L­o­gin and ACP

To establish the trust be­tween One­L­o­gin and ACP, you need to con­fig­ure the SAML X509 certificate used for the verification of the SAML assertion.

  1. Go to OneLogin > Security > Certificates.

  2. Select Standard Strength Certificate (2048-bit) and down­load it in the X.509 PEM fro­mat.

  3. Go to ACP and paste the val­ue of the certificate un­der IDP certificate in the SAML IDP configuration view.

  4. Set Name ID for­mat as emailAd­dress.

  5. Save the SAML IDP con­figuration.

    Result

    The entity issuer attribute is generated for your IDP.

  6. Copy the val­ue of the entity issuer at­tribute from the SAML IDP view.

  7. Go to OneLogin and navigate to the Configuration view of your SAML application. Enter the copied val­ue of entity issuer at­tribute into the Audience (EntityID) field. Select Save.

  8. Navigate to the Parameters view and configure at least one assertion pa­ra­me­ter on top of NameID val­ue.

    Note

    It is required to avoid empty SAML assertions, which are not supported by ACP.

Check if it works

  1. Open the user portal.

  2. Select LOGIN TO DEMO APP.

  3. Select your configured OneLogin IDP and, next, authenticate in OneLogin.

Result

ACP displays the consent page that lists data scopes to be shared with the application. When you proceed to the application (ALLOW ACCESS), the PII data coming from IDP is delivered through the access token and the ID token generated by ACP.

Read more

For information on granting and managing ACP consents, see ACP OAuth consents.