In this article, you will learn how to set up
SSO is optional for user management. You can choose an option based on your business requirements. Learn more about other options.
Prerequisites
- You have access to the OneLogin Administration.
- You have super user privilege in OneLogin.
Learn more.
Receive information from Staffbase Support
For creating an app integration in OneLogin, you need to receive the following from Staffbase Support:
- SAML Audience URL: The entityID which is provided in the Staffbase metadata.
- ACS URL: The ACS URL directs the SAML response to Staffbase server after authenticating a user.
Create an app
You need to create an App in OneLogin to set up SSO.
Staffbase recommends creating a dedicated application to maintain users for your Staffbase platform.
- In OneLogin, go to Administration.
- Click Applications > Applications.
- Click Add App.
- Search SCIM Provisioner with SAML (SCIM v2 Enterprise, full SAML) and select the app.
- Provide a display name for the application. For example, Staffbase SSO or something similar to help you instantly identify the application. Click Save.
- Under Configuration, provide the following details, and click Save:
- SAML Audience URL: Provide the identifier you received from Staffbase.
- Recipient: Provide the ACS URL you received from Staffbase without the query string part of the URL (remove the part in the URL after the question mark).
- ACS (Consumer) URL Validator: Provide the validator that is a regular expression based on the ACS URL. In the given example, the validator would look like
^https:\/\/myapp\.mydomain\.com\/auth\/saml\/.{0,}$ - ACS (Consumer) URL: Provide the ACS URL you received from Staffbase.
- Login URL: Provide the ACS URL you received from Staffbase.
- SAML initiator: Select Service Provider.
- SAML nameID format: Select Unspecified.
- SAML signature element: Select Assertion.
- Under Parameters, provide the following details:
- SAML NameID (Subject): Change the value to
OneLogin ID
The SAML NameID (Subject) and the identifier in your Staffbase platform must match for each user using SSO.
If you want to use a different identifier value than the one already in place for your users in the Staffbase platform, you must first update the user identifiers in your Staffbase platform. In such a case, ensure that you also use these new identifiers for all future user management.
- Click the + sign and add the following fields:
-
Field name:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname->- Include in SAML assertion: Enable the option. > Click Save.
- Value: First Name > Click Save.
-
Field name:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname->- Include in SAML assertion: Enable the option. > Click Save
- Value: Last Name > Click Save.
-
Field name:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress->- Include in SAML assertion: Enable the option. > Click Save
- Value: Email > Click Save.
- Click Save.
Provide Staffbase your app integration details
Provide Staffbase with the SAML Metadata for the app you created. Under SSO copy the Issuer URL.
Assign users
After creating the app, you can decide which OneLogin users need access to the Staffbase platform using SSO.
Staffbase recommends adding a few users initially to test that everything works as expected.
- In the app you created, click Access.
- Select the roles you want to add and click Save.
You have assigned roles to the app integration.
Test SSO
After you have provided Staffbase Support with the metadata, you will be informed when SSO was added to your Staffbase instance and is ready for testing.
After testing the SSO authentication works as expected, you can add all users and/or groups in OneLogin to the app.
You have configured and enabled SSO for your Staffbase platform.