OneLogin SAML Integration
4 minute read
The Edge Delta web app offers OneLogin SAML integration. This allows users who are registered with OneLogin to use their existing OneLogin identity to log into Edge Delta.
Before users can log in with OneLogin, an administrator needs to add a custom application connector for the Edge Delta app in OneLogin, and configure Edge Delta with the OneLogin connector details.
Edge Delta supports both identity provider (IDP) and service provider (SP) initiated login workflows. The IDP workflow logs in a user from the IDP dashboard, whereas the SP workflow logs a user in from the Edge Delta login page.
1. Create an Application Connector
- Open OneLogin and click Applications - Applications.
- Click Add App.
- Search for and select SAML Custom Connector (Advanced).
- Name the application listing
ED SAML Custom Connector (Advanced), optionally add an icon, and click Save.
- Open the Configuration page and enter the following details:
- ACS (Consumer) URL Validator:
- ACS (Consumer) URL:
If the SP (Service Provider) initiated flow is used RelayState can be empty.
- Open the Parameters page and ensure the following configuration is set:
- SAML Custom Connector (Advanced) Field:
- Open the SSO page and select
SHA-256for the SAML Signature Algorithm.
- Click Save.
- Copy the Issuer URL, this will be used in a later step as the IDP Metadata URL.
2. Create Users
- In OneLogin, click Users and create any users that will need to access Edge Delta if they don’t already exist.
- Open each user and select the Applications tab.
- Click Add + and select the ED SAML Connector (Advanced) application.
- Click Continue.
3. Create Groups (Optional)
Optionally, configure attribute mapping if group attributes are required in the assertion response, for example, to enable JIT permissions provisioning:
- In OneLogin, on the Users page, add or select a user attribute to be used for grouping, such as MemberOf.
- In the Applications page, on the Parameters tab add a groups field and specify the user attribute.
- Select the Include in SAML assertion checkbox and click Save.
4. Configure Edge Delta
- Log on to the Edge Delta App with an administrator account.
- Click Admin - My Organization.
- In the SAML Settings section, click Edit.
- If you are using a Service Provider Initiated login workflow, you must enter the domain of the email addresses of authorized users.
- Select Metadata URL, and then paste the IDP Metadata URL you copied earlier.
- For Metadata URL Verification, select Enabled.
- Optionally, select Enforcement - Require Authentication Via SAML To Access This Organization. This disables the ability to log in to Edge Delta with a user name and password for normal users. They must use the IDP to log in. However, Edge Delta admin account holders can still log in with their username and password on the Edge Delta login page.
- Optionally, select JIT Provisioning - Enable JIT User Provisioning And Dynamic Group Membership For This Organization. Enter a Group Attribute Mapping Field and a Default Group. The field name is
groupsby default but it is configurable. It should match the SAML attribute name sent by IDP.
- Click Save.
Just in Time (JIT) provisioning determines the group configured for the user in the IDP based on the Group Attribute Mapping Field and it assigns users to an existing Edge Delta permissions group with the same name.
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="groups"> <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">custom_admin </saml:AttributeValue> <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">custom_super_admin </saml:AttributeValue> </saml:Attribute>
In this example of an IDP’s SAML group assertion, the
groups values are
super_custom_admin. The user will be added to an Edge Delta group called
custom_admin if it exists in Edge Delta and it will also be added to the
super_custom_admin group if it exists. When there is more than one group, the user will have the most permissive permissions of the groups they belong to.
If no IDP group is detected, or if the asserted group does not match an existing Edge Delta group, the user is added to the default group. When the user logs out, they are removed from the Edge Delta group.