Preface
This document describes the baseline configuration needed to set up an integration between our Identity Access Management System (IAM) and your Identity Provider (OneLogin).
Pre-requisites
- PSP Owner - enable accounts.sso_enabled
- Account Owner - authorize user invitation / user-account creation; test SSO once configured
- IT representative - configure SSO
- Information exchange - forms with OIDC or SAML configuration values exchanged
OneLogin Configuration
The following details pertain to our Production environment and will need a representative from Core Strengths to enable the feature within your platform account.
On the OneLogin portal page (https://your-new-domain.onelogin.com/portal/), choose Administration.
At the top of the Administration page, hover over Apps, and then choose Add apps.
In the search bar under Find Applications, enter saml, and then choose SAML Custom Connector (Advanced) to open the SAML Custom Connector (Advanced) page.
Navigate to the Configuration page and populate the following details:
Audience: urn:amazon:cognito:sp:us-east-1_lEQznSWeV
ACS (Consumer) URL Validator: https://core-cloud-prod.cognito.corestrengths.com/saml2/idpresponse
ACS (Consumer) URL: https://core-cloud-prod.cognito.corestrengths.com/saml2/idpresponse
Single Logout URL: https://core-cloud-prod.cognito.corestrengths.com/saml2/logout
If you want your employees to go to the login page directly, without first proceeding to our application, you may populate the Login URL field with https://core-cloud-prod.cognito.corestrengths.com/oauth2/authorize?redirect_uri=https://app.corestrengths.com&response_type=code&client_id=438ma1rcb2sf9orgd2dg4cgi41&identity_provider=INSERT_IDP_AFTER_CONFIGURATION_WITH_CORE_STRENGTHS&scope=email openid profile (replace the INSERT_IDP_AFTER_CONFIGURATION_WITH_CORE_STRENGTHS placeholder with the identity provider name supplied by Core Strengths once the configuration is complete).
Also set SAML Initiator to Service Provider.
Now navigate to the Parameters page and fill out the claims:
- NameIdentifier
  Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
  Value: Email
- Family Name
  Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/family_name
  Value: Last Name
- Given Name
  Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/given_name
  Value: First Name
That is the only configuration necessary on the OneLogin SAML page. All other settings may be ignored.
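The three claim names and the Audience/ACS values above are what the service provider side expects to find in every SAML Response. As an added example that is not part of this document or of Core Strengths' or OneLogin's code, the following Python script performs a structural check of a SAML Response against exactly those values: correct Destination (the ACS URL), correct Audience, and all three claims present. It does not verify the XML signature (Cognito does that); it is meant for diagnosing a failed login from a captured response, e.g. one saved from the browser's SAML tracer. The sample response embedded below is constructed, with a placeholder Issuer GUID and placeholder user data.

```python
# Added example: structural check of a SAML Response against the OneLogin
# connector settings documented above. Not Core Strengths / OneLogin code.
# No signature verification is performed here; this only catches the common
# misconfigurations (wrong Audience, wrong ACS URL, missing claims).
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values from the OneLogin Configuration page of this document.
EXPECTED_AUDIENCE = "urn:amazon:cognito:sp:us-east-1_lEQznSWeV"
EXPECTED_ACS_URL = "https://core-cloud-prod.cognito.corestrengths.com/saml2/idpresponse"

CLAIM_BASE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED_CLAIMS = {
    "email": CLAIM_BASE + "nameidentifier",
    "family_name": CLAIM_BASE + "family_name",
    "given_name": CLAIM_BASE + "given_name",
}

# Constructed sample response; the Issuer GUID and the user are placeholders.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{EXPECTED_ACS_URL}" ID="_resp1" Version="2.0">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/00000000-0000-0000-0000-000000000000</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>jane.doe@yourdomain.com</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{CLAIM_BASE}nameidentifier"><saml:AttributeValue>jane.doe@yourdomain.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIM_BASE}family_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIM_BASE}given_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_saml_response(xml_text):
    """Return (problems, claims).

    problems is an empty list when the response matches the configuration above;
    claims maps email / family_name / given_name to the values the IdP sent.
    """
    problems = []
    root = ET.fromstring(xml_text)

    # 1. The response must be addressed to our ACS URL.
    destination = root.get("Destination")
    if destination != EXPECTED_ACS_URL:
        problems.append(f"Destination {destination!r} is not the expected ACS URL")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion element (encrypted or missing)")
        return problems, {}

    # 2. The Audience must be the Cognito user pool URN.
    audiences = [a.text for a in assertion.findall(".//saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        problems.append(f"Audience {audiences} does not include {EXPECTED_AUDIENCE}")

    # 3. Collect attributes by Name (the claim URIs configured on the Parameters page).
    present = {}
    for attr in assertion.findall(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        present[attr.get("Name")] = (value.text or "") if value is not None else ""

    claims = {}
    for key, claim_name in REQUIRED_CLAIMS.items():
        if present.get(claim_name):
            claims[key] = present[claim_name]
        else:
            problems.append(f"missing or empty claim {claim_name}")

    return problems, claims


if __name__ == "__main__":
    found, mapped = check_saml_response(SAMPLE_RESPONSE)
    print("problems:", found or "none")
    print("claims:", mapped)
```

Run it against a real captured response by passing the decoded XML to check_saml_response; an empty problems list means the response carries what this configuration requires, and any reported problem points at the OneLogin field (Audience, ACS URL, or one of the three Parameters) that needs correcting.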
Core Strengths Platform Configuration
Configuration within Core Strengths Account Settings (the SSO Enabled feature flag will need to be enabled [true] upon engagement):
https://app.corestrengths.com/{accountID}/account/settings
Click SSO Enabled
Add the email domains you wish to target in the Email Identifiers input, e.g.:
yourdomain.com
For the email attribute mapping, add
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Fill in MetadataURI with your Issuer URL, which will look similar to:
https://app.onelogin.com/saml/metadata/520af980-2a08-48f1-8f6c-a94bb83682d1
Optionally, enable Single Sign-out workflows (SSOut).
This allows session termination (logout) to call your IdP: when a user logs off the Core Strengths Platform, the platform sends a best-effort "sign out of all applications" request to your IdP.
Now click Save.
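Before saving, it is worth confirming that the document behind the MetadataURI really is OneLogin IdP metadata with https endpoints and a signing certificate, and that the Email Identifiers you entered will match your users' addresses. As an added example that is not part of this document or of Core Strengths' or OneLogin's code, the following Python script parses such a metadata document and reports the entityID, the SingleSignOnService and SingleLogoutService endpoints (the latter is what SSOut relies on), and the number of signing certificates, and it includes a small helper for the email-domain match. The metadata embedded below is constructed (placeholder GUID, placeholder certificate text, placeholder OneLogin subdomain), and the exact-domain matching rule in email_matches_identifiers is an assumption about how Email Identifiers are evaluated, not a documented behaviour of the platform.

```python
# Added example: sanity-check an IdP metadata document before saving its URL as
# MetadataURI, plus an email-domain check for the Email Identifiers list.
# Not Core Strengths / OneLogin code; sample data below is constructed.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample shaped like OneLogin IdP metadata. The GUID, certificate
# text, subdomain and app id are placeholders.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://app.onelogin.com/saml/metadata/00000000-0000-0000-0000-000000000000">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT-BASE64</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://yourdomain.onelogin.com/trust/saml2/http-redirect/slo/123456"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://yourdomain.onelogin.com/trust/saml2/http-redirect/sso/123456"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://yourdomain.onelogin.com/trust/saml2/http-post/sso/123456"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def inspect_idp_metadata(xml_text):
    """Return (summary, problems); problems is empty when the metadata looks usable."""
    root = ET.fromstring(xml_text)
    problems = []
    entity_id = root.get("entityID", "")
    summary = {"entity_id": entity_id, "sso": {}, "slo": {}, "signing_certs": 0}

    # The entityID is the Issuer the platform will compare against; it must be https.
    if urlparse(entity_id).scheme != "https":
        problems.append(f"entityID {entity_id!r} is not an https URL")

    idp = root.find("md:IDPSSODescriptor", MD)
    if idp is None:
        problems.append("no IDPSSODescriptor element: this is not IdP metadata")
        return summary, problems

    # Collect SSO and SLO endpoints per binding; every Location must be https.
    for tag, key in (("SingleSignOnService", "sso"), ("SingleLogoutService", "slo")):
        for svc in idp.findall(f"md:{tag}", MD):
            binding, location = svc.get("Binding"), svc.get("Location", "")
            summary[key][binding] = location
            if urlparse(location).scheme != "https":
                problems.append(f"{tag} {binding} location {location!r} is not https")
    if not summary["sso"]:
        problems.append("no SingleSignOnService endpoint")

    # Without a signing certificate, responses from this IdP cannot be verified.
    for kd in idp.findall("md:KeyDescriptor", MD):
        if kd.get("use") in (None, "signing"):
            certs = kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", MD)
            summary["signing_certs"] += sum(1 for c in certs if (c.text or "").strip())
    if summary["signing_certs"] == 0:
        problems.append("no signing certificate in metadata")

    return summary, problems


def email_matches_identifiers(email, identifiers):
    """True when the email's domain exactly equals one of the configured Email
    Identifiers (case-insensitive). Exact matching is an assumption of this example."""
    if email.count("@") != 1:
        return False
    domain = email.rsplit("@", 1)[1].strip().lower()
    wanted = {i.strip().lower().lstrip("@") for i in identifiers}
    return domain in wanted


if __name__ == "__main__":
    info, issues = inspect_idp_metadata(SAMPLE_METADATA)
    print(info)
    print("problems:", issues or "none")
    print(email_matches_identifiers("Jane.Doe@YourDomain.com", ["yourdomain.com"]))
```

To check a live MetadataURI, fetch the document once (for example with curl) and pass the XML text to inspect_idp_metadata; an SLO endpoint in the summary is the prerequisite for the SSOut option to do anything, and a missing signing certificate or an http endpoint should be resolved in OneLogin before the URL is saved.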