
OneLogin Secure SSO integration with SAML

OneLogin is a cloud-based identity and access management company that offers enterprise-level companies and organizations a unified access management (UAM) platform.

This document explains how to configure OneLogin and Invicti Platform for Single Sign-On.

Configure OneLogin with SAML

There are three steps to this procedure:

Step 1: Add Invicti to OneLogin

  1. Select Applications > Applications in the OneLogin administrator's main menu.
  2. Click Add App.
Add application in OneLogin administrator console.
  3. On the Find Applications page, search for "SAML custom connector" and select SAML Custom Connector (Advanced) from the search results.
Search and select SAML Custom Connector (Advanced).
  4. On the Add SAML Custom Connector (Advanced) page, enter a name for your app and optionally change icons and enter a description.
  5. Enable the Visible in portal toggle.
Configure SAML Custom Connector name and visibility
  6. Click Save to add the application.

Step 2: Configure OneLogin SSO integration with SAML

  1. Select Applications > Applications in OneLogin.
  2. Click your app to edit it.
  3. In a new browser tab, select Settings > SSO & Provisioning from the Invicti left-side menu.
  4. Turn on the Enable SSO for your organization toggle.
  5. Select OneLoginSecure from the SSO provider drop-down list.
Enable OneLogin SSO provider in Invicti Platform
  6. In the OneLogin tab, select Configuration from the left-side menu.
  7. In the Invicti tab, copy the Identifier and paste it into the Audience (EntityID) field on the OneLogin tab.
Audience (EntityID) is required

Although OneLogin doesn't mark this field as required, leaving it empty causes a SAML parsing error on login, because the assertion then carries no Audience value for Invicti to match against its Identifier.

  8. In the Invicti tab, copy the SAML 2.0 Service URL and paste it into the ACS (Consumer) URL field on the OneLogin tab.
  9. In the ACS (Consumer) URL Validator field, do one of the following:
    • Paste the same value you entered in the ACS (Consumer) URL field (OneLogin evaluates the validator against the ACS URL, so a literal value must match it exactly); OR
    • Enter a regular expression pattern to validate the ACS URL (for example, ^https:\/\/yourdomain\.example\.com\/saml\/consume$). A catch-all such as ^https:\/\/.* is acceptable only while testing; replace it with an exact pattern before users rely on the integration.
Configure ACS Consumer URL and Validator in OneLogin

info

If using a regular expression pattern for the validator, ensure your regular expression includes the ^ and $ anchors denoting the beginning and end of the URL for security purposes. Without the anchors, the pattern also matches any longer URL that merely contains your ACS URL as a substring, and an unescaped dot matches any character, so escape dots (\.) as in the example above.

  10. Click Save.
  11. Select Parameters from the left menu in the OneLogin tab.
  12. Click + (the plus sign) to add a new parameter.
  13. On the New Field dialog, enter user.FirstName in the Field name box.
  14. Select Include in SAML assertion and click Save.
Add new parameter for user's First Name in OneLogin
  15. On the Edit Field user.FirstName dialog, select First Name from the Value drop-down. Then click Save.
Configure First Name parameter in SAML assertion
  16. On the SAML Custom Connector (Advanced) page, select SSO.
  17. From the SAML signature algorithm drop-down, select SHA-256 (rather than the weaker SHA-1) and click Save.
  18. In the OneLogin tab, copy the Issuer URL value and paste it into the IdP identifier field in Invicti.
  19. In the OneLogin tab, copy the SAML 2.0 Endpoint (HTTP) URL. Then paste it into the SAML 2.0 endpoint field in Invicti.
Configure SAML 2.0 Endpoint and IdP Identifier in Invicti Platform
  20. In the OneLogin tab, select View Details in the X.509 Certificate section.
View Details for X.509 Certificate in OneLogin
  21. Copy the X.509 Certificate text and paste it into the X.509 Certificate field in Invicti. Invicti uses this certificate to verify the signature on assertions from OneLogin, so update it here whenever the OneLogin signing certificate is rotated.
  22. In Invicti, select the checkboxes for signed assertions, encrypted assertions, or sign requests as needed.
Additional security options for assertions and sign requests in Invicti Platform
  23. If you enable encrypted assertions or sign requests, a new section appears where you can do one of the following:
    • Select Generate a new certificate; OR
    • Select I have an existing certificate, then upload your certificate and enter the certificate password.
Certificate options for encrypted assertions and sign requests in Invicti Platform
  24. From the Invicti SSO exemptions drop-down, you can select specific users to exempt them from SSO. This means the selected users can log in to Invicti via password. Keep this list short (for example, break-glass administrators), because exempted accounts bypass the OneLogin policies that apply to everyone else.
SSO Exemptions field in Invicti Platform
  25. Click Save on the Invicti tab to complete the integration.

Users with existing Invicti accounts who are assigned the Invicti application in OneLogin can now log in using Single Sign-On.

To automatically create Invicti accounts for users on first login, continue to Step 3: Configure auto-provisioning with SAML.

Step 3: Configure auto-provisioning with SAML

Auto-provisioning automatically creates user accounts in Invicti when users log in via OneLogin for the first time. To enable it, you must add the remaining attribute statements in OneLogin so that Invicti receives the user's last name and email, then enable provisioning in Invicti.

Add attribute statements in OneLogin

  1. Open your application and select Parameters from the left-side menu.
  2. Click + (the plus sign) to add a new parameter.
  3. On the New Field dialog, enter user.LastName to the Field name.
  4. Select Include in SAML assertion and click Save.
  5. On the Edit Field user.LastName dialog, select Last Name from the Value drop-down. Then click Save.
  6. Click + again to add another parameter.
  7. On the New Field dialog, enter user.EmailAddress to the Field name.
  8. Select Include in SAML assertion and click Save.
  9. On the Edit Field user.EmailAddress dialog, select Email from the Value drop-down. Then click Save.
LastName and EmailAddress attribute statements configured in OneLogin parameters
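To check the values from Step 2 (Audience, ACS URL and its validator, Issuer) together with the attribute statements above before users start logging in, the following Python script is an added example, not Invicti or OneLogin code. It applies an ACS (Consumer) URL Validator pattern the way a regex check would, showing why the ^ and $ anchors matter, and it parses a constructed, unsigned SAML Response to confirm that Issuer, Audience, Recipient and the three attributes line up with the configuration. The SP identifier, ACS URL and OneLogin issuer URL are hypothetical placeholders; substitute the values you copied between the two tabs. Signature verification is deliberately out of scope (Invicti performs it with the X.509 certificate you pasted in).

```python
"""Pre-flight checks for the OneLogin -> Invicti SAML settings.

Added example, not Invicti or OneLogin code. The three constants below are
hypothetical placeholders standing in for the values copied between the tabs.
"""
import re
import xml.etree.ElementTree as ET

SP_IDENTIFIER = "https://sp.example.com/saml/metadata"        # Invicti Identifier -> OneLogin Audience (EntityID)
ACS_URL = "https://sp.example.com/saml/consume"               # Invicti SAML 2.0 Service URL -> OneLogin ACS (Consumer) URL
IDP_ISSUER = "https://app.onelogin.com/saml/metadata/abc123"  # OneLogin Issuer URL -> Invicti IdP identifier
REQUIRED_ATTRS = ("user.FirstName", "user.LastName", "user.EmailAddress")

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def validator_is_anchored(validator: str) -> bool:
    """The check the info box asks for: both ^ and $ must be present."""
    return validator.startswith("^") and validator.endswith("$")


def acs_validator_accepts(validator: str, candidate_url: str) -> bool:
    """Apply a validator pattern as a regular expression search (unanchored unless ^/$ are present)."""
    return re.search(validator, candidate_url) is not None


def validator_report(validator: str) -> dict:
    """Report anchoring plus which of three constructed ACS URLs the validator would accept."""
    candidates = {
        "exact": ACS_URL,                                              # the real ACS URL
        "substring": "https://attacker.example/?next=" + ACS_URL,      # attacker URL that merely contains it
        "lookalike": "https://sp.example.com.attacker.example/saml/consume",  # prefix match without $
    }
    return {"anchored": validator_is_anchored(validator),
            **{name: acs_validator_accepts(validator, url) for name, url in candidates.items()}}


def check_saml_response(xml_text: str) -> dict:
    """Compare the assertion's Issuer, Audience, Recipient and attributes with the configured values."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion element")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                  default="", namespaces=NS)
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient", "") if scd is not None else ""
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", default="", namespaces=NS)
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {
        "issuer_ok": issuer == IDP_ISSUER,
        "audience_ok": audience == SP_IDENTIFIER,   # empty Audience is the parsing error the note warns about
        "recipient_ok": recipient == ACS_URL,
        "missing_attrs": [n for n in REQUIRED_ATTRS if n not in attrs],
        "attrs": attrs,
    }


# Constructed, unsigned sample shaped like what OneLogin emits once Steps 2 and 3 are complete.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" Destination="{ACS_URL}">
  <saml:Assertion>
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jane.doe@example.com</saml:NameID>
      <saml:SubjectConfirmation>
        <saml:SubjectConfirmationData Recipient="{ACS_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{SP_IDENTIFIER}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="user.FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="user.LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="user.EmailAddress"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for pattern in (r"^https:\/\/sp\.example\.com\/saml\/consume$", r"^https:\/\/sp\.example\.com", r"^https:\/\/.*"):
        print(pattern, validator_report(pattern))
    print(check_saml_response(SAMPLE_RESPONSE))
```

The validator report makes the info box concrete: only the fully anchored, dot-escaped pattern rejects both the substring and the lookalike URL, while the testing pattern accepts everything. Run `check_saml_response` against a real response captured from your browser's SAML tracer once you have logged in; an empty `missing_attrs` list is what auto-provisioning needs.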

Enable auto-provisioning in Invicti

  1. Select Settings > SSO & provisioning from the left-side menu.
  2. In the Provisioning with SAML/SCIM section, set the Enable automatic provisioning for your organization toggle to Yes.
Enable automatic provisioning toggle in Invicti Platform
  3. In the Default access for new users and teams section, select a role from the Role drop-down to assign to newly provisioned users. Choose the least-privileged role new users need, because every user assigned the app in OneLogin receives it on first login.
  4. Optionally, click Select collections to choose which collections new users can access. If none are selected, new users get access to all current and future collections by default.
Default access for new users showing role drop-down and select collections options
  5. Click Save.
info

For more information about SSO fields and auto-provisioning behavior, refer to the Single Sign-On configuration document.

