Use Case:
Configure OneLogin as federation Service Provider with VMware Identity Manager (IDP).
Prerequisites:
- Access to VMware Identity Manager administrative interface.
- Access to OneLogin administrative interface.
- OneLogin Enterprise Edition. Lower OneLogin editions do not include the Trusted IdP feature.
- At least one test user account in VMware Identity Manager and OneLogin. The user email should match in both systems.
Steps:
- Identify VMware Identity Manager SAML metadata and SAML signing cert.
- Configure OneLogin as a Service Provider using the information from step 1.
- Configure VMware Identity Manager as Identity Provider.
- Test federation connection for IDP and SP initiated authentication flows.
Step 1: Identify VMware Identity Manager SAML metadata and SAML signing cert
- Log into VMware Identity Manager (vIDM) as an admin
- Go to Catalog > Settings > SAML Metadata > Identity Provider (IdP) metadata
- Keep vIDM IDP Metadata open in a web browser window
Step 2: Configure OneLogin as Service Provider
- Log into OneLogin as an admin
- Go to Settings > Trusted IdPs.
- Click "New Trust" button
- On the Trusted IdP Settings page, copy the following information from the VMware Identity Manager IdP SAML metadata into the OneLogin configuration wizard:
- Enter a name for the trusted IdP configuration (e.g. VMware Identity Manager)
- entityID (from vIDM) ==> Issuer
- bindings:HTTP-POST Location (from vIDM) ==> IdP Login URL
- vIDM signing cert (from vIDM) ==> Trusted IdP Certificate
- User Attribute Mapping: keep this as Email.
Here's how the OneLogin configuration wizard looks:
- Go to "Setting" for this newly created Trusted IdP
- Under MORE SETTING, select "Set as default Trusted IdP"
Step 3: Configure VMware Identity Manager as Identity Provider
You will need the OneLogin SP Assertion Consumer Service (ACS) URL, which has the following format:
https://your_subdomain.onelogin.com/sessions/saml
For example, if your subdomain is acme-corp, your ACS URL will be https://acme-corp.onelogin.com/sessions/saml
- In VMware Identity Manager admin console, go to:
Catalog > Application Catalog > Add Application > ...Create a new one
- In the app wizard, enter an App Name (e.g. OneLogin)
- Click Next
- Under Configure Via, select Manual configuration
- Enter the following values:
- Assertion Consumer Service ==> https://your_subdomain.onelogin.com/sessions/saml
- Recipient Name ==> https://your_subdomain.onelogin.com
- Audience ==> https://your_subdomain.onelogin.com
- Name ID Format ==> Email Address
- Make sure "Include Cert" is checked
- Take the defaults for the rest of the parameters
- Click Save
- Entitle this app (assign the app to users)
- Click Add group entitlement
- Click "or browse"
- Select "ALL USERS" and click Save.
- Don't forget to click "Done"
- Under Access Policies, select "default_access_policy_set"
Step 4: Test federation connection
- SP initiated authentication flow
This can be tested by going directly to your OneLogin tenant URL, e.g. https://your_subdomain.onelogin.com.
The following video demonstrates this login flow:
https://youtu.be/_gYULQg218M
- IDP initiated authentication flow
This can be tested by going directly to your VMware Identity Manager tenant URL. After successfully logging into the VMware Identity Manager portal, click the OneLogin app icon.
The following video demonstrates this login flow: