OneLogin SSO Configuration

Preface - This document describes the baseline configurations to setup an integration with our Identity Access Management System (IAM) and your Identity Provider (OneLogin).

Pre-requisites

PSP Owner - enable accounts.sso_enabled
Account Owner - authorize users invitation / user-account creation; test SSO once configured
IT representative - configure SSO
Information exchange - forms with OIDC or SAML configuration values exchanged


1. OneLogin Configuration

The following details pertain to our Production environment and will need a representative from Core Strengths to enable the feature within your platform account.

1. On the OneLogin portal page (https://your-new-domain.onelogin.com/portal/ ), choose Administration.

2. At the top of the Administration page, pause on Apps, and then choose Add apps.

3. In the search bar under Find Applications, enter saml, and then choose SAML Custom Connector (Advanced) to open the SAML Custom Connector (Advanced) page.

4. Navigate to the Configuration page and populate the following details:

And also change SAML Initiator to Service Provider

 

5. Now navigate to the Parameters page to fill out the claims:

 

COMPLETED
That is the only configuration necessary for OneLogin SAML page. All other settings may be ignored.

2. Core Strengths Platform Configuration

Configuration within Core Strengths Account Settings: (Feature Flag SSO Enabled will need to be enabled [true] upon engagement)

https://app.corestrengths.com/%7BaccountID%7D/account/settings

  1. Click SSO Enabled

  2. Add email domains we wish to target within the Email Identifiers input

    1. I.E: yourdomain.com

  3. For the email attribute mapping add
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier

  4. Fill in MetadataURI with your given Issuer URL similar to:

    1. https://app.onelogin.com/saml/metadata/520af980-2a08-48f1-8f6c-a94bb83682d1

  5. Optionally Enable Single Sign-out workflows (SSOut)

    1. This allows session termination (logout) to call our IdP. When a user logs off of Core Strengths Platform, the platform will request a best-effort “sign-out of all-applications” to your IdP.

  6. Now Click Save

 

Once a CoreStrengths Platform account has been configured for SSO, people can navigate to the login page directly without first proceeding to the platform. The Login URL field will be very similar to the following (replacing the identity_provider value with one provided to you by CoreStrengths)

This Hosted SSO Link (example above), specific for your organization, can be found on the AccountSettings page, under the SSO chunk. See below for an in-page location hint.