OneLogin - Configuring Single Sign-On Authentication

Learn how to configure Single Sign-On using the SAML protocol in OneLogin to authenticate users to your Staffbase platform.

In this article, you will learn how to set up Single Sign-On (SSO) using the SAML protocol in OneLogin. SSO is an authentication method that allows users access to multiple applications with a single account. This will allow you to onboard your users using SSO and let them access the Staffbase platform using the same credentials they use to access other platforms in your organization.

SSO is optional for user management. You can choose an option based on your business requirements. Learn more about other options.

Prerequisites

  • You have access to the OneLogin Administration.
  • You have super user privilege in OneLogin.
    Learn more.

Receive information from Staffbase Support

To create an app integration in OneLogin, you need the following from Staffbase Support:

  • SAML Audience URL: The entityID provided in the Staffbase metadata.
  • ACS URL: The URL that directs the SAML response to the Staffbase server after a user is authenticated.

Create an app

You need to create an App in OneLogin to set up SSO.

Staffbase recommends creating a dedicated application to maintain users for your Staffbase platform.

  1. In OneLogin, go to Administration.
  2. Click Applications > Applications.
  3. Click Add App.
  4. Search for SCIM Provisioner with SAML (SCIM v2 Enterprise, full SAML) and select the app.
  5. Provide a display name for the application, for example, Staffbase SSO or something similar that helps you instantly identify the application. Click Save.
  6. Under Configuration, provide the following details, and click Save:
    • SAML Audience URL: Provide the identifier you received from Staffbase.
    • Recipient: Provide the ACS URL you received from Staffbase without the query string part of the URL (remove the part in the URL after the question mark).
    • ACS (Consumer) URL Validator: Provide the validator, which is a regular expression based on the ACS URL. In the given example, the validator would look like ^https:\/\/myapp\.mydomain\.com\/auth\/saml\/.{0,}$
    • ACS (Consumer) URL: Provide the ACS URL you received from Staffbase.
    • Login URL: Provide the ACS URL you received from Staffbase.
    • SAML initiator: Select Service Provider.
    • SAML nameID format: Select Unspecified.
    • SAML signature element: Select Assertion.
  7. Under Parameters, provide the following details:
    • SAML NameID (Subject): Change the value to OneLogin ID.

The SAML NameID (Subject) and the identifier in your Staffbase platform must match for each user using SSO.

If you want to use a different identifier value than the one already in place for your users in the Staffbase platform, you must first update the user identifiers in your Staffbase platform. In such a case, ensure that you also use these new identifiers for all future user management.

  8. Click the + sign and add the following fields:
    • Field name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
      • Include in SAML assertion: Enable the option. Click Save.
      • Value: First Name. Click Save.
    • Field name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
      • Include in SAML assertion: Enable the option. Click Save.
      • Value: Last Name. Click Save.
    • Field name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
      • Include in SAML assertion: Enable the option. Click Save.
      • Value: Email. Click Save.
  9. Click Save.
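
The Recipient and ACS (Consumer) URL Validator values in the Configuration step can be derived from the ACS URL and checked before you paste them into OneLogin. The following is an added example, not code from Staffbase or OneLogin: the sample ACS URL is constructed to fit the validator shown in this article, and the function names are hypothetical. It assumes the validator may be applied as an unanchored search, which the article does not state, so a pattern passes only if its own ^ and $ anchors and escaped dots reject every look-alike URL.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample; substitute the ACS URL you received from Staffbase Support.
SAMPLE_ACS_URL = "https://myapp.mydomain.com/auth/saml/callback?tenant=example"


def recipient_from_acs(acs_url):
    """Recipient field: the ACS URL without the query string."""
    p = urlsplit(acs_url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))


def validator_from_acs(acs_url):
    """Anchored validator in the article's style: escaped prefix + '.{0,}$'."""
    p = urlsplit(acs_url)
    if p.scheme != "https" or not p.hostname:
        raise ValueError("expected an absolute https:// ACS URL")
    # Keep the path up to its last '/', so only the final segment may vary.
    prefix = "https://" + p.netloc + p.path.rsplit("/", 1)[0] + "/"
    # Escape every regex metacharacter (notably '.') and write '/' as '\/'.
    body = "".join(r"\/" if c == "/" else re.escape(c) for c in prefix)
    return "^" + body + ".{0,}$"


def wrongly_accepted(pattern, acs_url):
    """Return the constructed look-alike URLs that the pattern would accept."""
    rx = re.compile(pattern)
    # Assumption: matching may be unanchored, so test with search(), not match().
    if not rx.search(acs_url):
        raise ValueError("pattern rejects the real ACS URL")
    p = urlsplit(acs_url)
    lookalikes = [
        "http://" + p.netloc + p.path,                      # scheme downgraded
        "https://" + p.netloc + ".other.example" + p.path,  # host as a prefix
        "https://" + p.netloc.replace(".", "x") + p.path,   # unescaped dots
        "https://other.example/?next=" + acs_url,           # URL embedded later
    ]
    return [u for u in lookalikes if rx.search(u)]


if __name__ == "__main__":
    pattern = validator_from_acs(SAMPLE_ACS_URL)
    print("Recipient:", recipient_from_acs(SAMPLE_ACS_URL))
    print("Validator:", pattern)
    print("Look-alikes accepted:", wrongly_accepted(pattern, SAMPLE_ACS_URL))
```

An empty list from wrongly_accepted means the pattern accepts the real ACS URL and none of the look-alikes; a pattern without anchors or with unescaped dots returns the URLs it would let through.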

Provide Staffbase your app integration details

Provide Staffbase with the SAML Metadata for the app you created. Under SSO, copy the Issuer URL.

Assign users

After creating the app, you can decide which OneLogin users need access to the Staffbase platform using SSO.

Staffbase recommends adding a few users initially to test that everything works as expected.

  1. In the app you created, click Access.
  2. Select the roles you want to add and click Save.
    You have assigned roles to the app integration.

Test SSO

After you have provided Staffbase Support with the metadata, you will be informed when SSO has been added to your Staffbase instance and is ready for testing.

After testing that SSO authentication works as expected, you can add all users and/or groups in OneLogin to the app.

You have configured and enabled SSO for your Staffbase platform.
