Use Case:
An organization wants to use OneLogin to federate with SaaS applications and utilize VMware Workspace ONE for conditional access and unified app portal (catalog/launcher).
Users will be able to log into Workspace ONE unified portal and see apps federated with OneLogin and VMware Identity Manager (Workspace ONE). When users click on apps in the unified portal (OneLogin federated or VMware Identity Manager federated), they experience seamless SSO.
Prerequisites:
- Workspace ONE (VMware Identity Manager) configured as the IdP for OneLogin. See the following guide to learn how to set it up:
VMware Identity Manager as federated Identity Provider for OneLogin
- A SaaS application federated with your OneLogin tenant. For simplicity, this tutorial uses Salesforce.com; substitute your own app in your setup.
- This tutorial assumes you have a basic understanding of federated identity concepts.
Steps:
- Configure direct app-level sign-on in OneLogin.
- In VMware Identity Manager, configure direct sign-on into the OneLogin federated app.
- Test.
Detailed steps are provided below.
1. Configure direct app-level sign-on in OneLogin
- Log into OneLogin admin interface and go to SETTINGS > Trusted IdPs > VMware Identity Manager.
- Ensure "Sign users into OneLogin" and "Sign users into additional applications" are checked.
- Click SAVE.
- Select the "App" tab.
- Check the "Salesforce" app.
- Click on the link for the "Salesforce" app and copy the SAML Signon URL. The OneLogin SAML Signon URL lets an identity provider sign users directly into an app without sending them through the OneLogin portal. This URL will be used in the next step.
2. In VMware Identity Manager, configure direct sign-on into the OneLogin federated app
- Configure VMware Identity Manager as the IdP for OneLogin using the following guide:
VMware Identity Manager as federated Identity Provider for OneLogin
- In VMware Identity Manager, go to Catalog > Application Catalog and select the "OneLogin" application.
- Select "Details" section under Application Info.
- Under Application Details, change Application Name from "OneLogin" to "Salesforce (OneLogin Federated)".
- Click Save.
- Click "Configuration".
- Copy the SAML Signon URL from step 1 into the "Assertion Consumer Service" text box.
- Click Save.
- If you have multiple applications, repeat step 2 for each application.
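What the "Assertion Consumer Service" value set in step 2 means on the wire, as an added example that is not part of this tutorial or of either product: the IdP stamps that URL into the Destination and Recipient of the SAML response it POSTs, and the SP only accepts the response when those, the Issuer and the Audience match what it has configured. All URLs and entity IDs below are constructed placeholders; the checker models the conditions the SP applies, not OneLogin's actual code.

```python
# Added example (not from the tutorial): what the ACS / "SAML Signon URL" setting means on the wire.
# All URLs and entity IDs are constructed placeholders, not real OneLogin or VMware values.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Placeholders: the app-specific SAML Signon URL copied from OneLogin in step 1,
# OneLogin's SP entity ID, and the Workspace ONE tenant acting as trusted IdP.
ONELOGIN_APP_ACS = "https://example.onelogin.com/trust/saml2/http-post/sso/PLACEHOLDER"
ONELOGIN_SP_ENTITY = "https://app.onelogin.com/saml/metadata/PLACEHOLDER"
IDP_ISSUER = "https://acmecorp.vmwareidentity.com"


def build_response(destination, audience, issuer, minutes_valid=5):
    """Build a minimal unsigned IdP-initiated <samlp:Response> as the IdP would POST it to the ACS."""
    expiry = (datetime.now(timezone.utc) + timedelta(minutes=minutes_valid)).strftime("%Y-%m-%dT%H:%M:%SZ")
    resp = ET.Element(f"{{{NS['samlp']}}}Response", Version="2.0", Destination=destination)
    ET.SubElement(resp, f"{{{NS['saml']}}}Issuer").text = issuer
    ET.SubElement(ET.SubElement(resp, f"{{{NS['samlp']}}}Status"), f"{{{NS['samlp']}}}StatusCode", Value=SUCCESS)
    asrt = ET.SubElement(resp, f"{{{NS['saml']}}}Assertion")
    subj = ET.SubElement(asrt, f"{{{NS['saml']}}}Subject")
    ET.SubElement(subj, f"{{{NS['saml']}}}NameID").text = "jdoe@acmecorp.example"  # constructed user
    conf = ET.SubElement(subj, f"{{{NS['saml']}}}SubjectConfirmation", Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    ET.SubElement(conf, f"{{{NS['saml']}}}SubjectConfirmationData", Recipient=destination, NotOnOrAfter=expiry)
    cond = ET.SubElement(asrt, f"{{{NS['saml']}}}Conditions", NotOnOrAfter=expiry)
    ET.SubElement(ET.SubElement(cond, f"{{{NS['saml']}}}AudienceRestriction"), f"{{{NS['saml']}}}Audience").text = audience
    return ET.tostring(resp, encoding="unicode")


def check_response(xml_text, expected_acs, expected_audience, expected_issuer, now=None):
    """Return the list of reasons the SP would reject this response; an empty list means it lines up."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != expected_acs:
        problems.append("Destination does not match ACS")  # wrong URL pasted in step 2
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        problems.append("Issuer is not the trusted IdP")  # not the tenant configured under Trusted IdPs
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected_acs:
        problems.append("Recipient does not match ACS")
    if scd is not None and datetime.fromisoformat(scd.get("NotOnOrAfter").replace("Z", "+00:00")) <= now:
        problems.append("assertion expired")
    if root.findtext(".//saml:AudienceRestriction/saml:Audience", namespaces=NS) != expected_audience:
        problems.append("Audience does not match SP entity ID")
    return problems
```

A real deployment also verifies the XML signature against the IdP certificate exchanged in the trusted-IdP setup; that step is omitted here to keep the example self-contained.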
3. Test the federation connection
Before testing, it helps to review the test environment setup. The following diagram gives a high-level view:
SP initiated authentication flow
This can be tested by going to your OneLogin federated app, for example the Salesforce.com My Domain URL (e.g. https://onloginworkspace-dev-ed.my.salesforce.com).
The following video demonstrates this login flow:
IDP initiated authentication flow
This can be tested by going to your Workspace ONE (VMware Identity Manager) unified portal (e.g. https://acmecorp.vmwareidentity.com).
The following video demonstrates this login flow: