OneLogin Setup and Authentication

Last updated: March 12, 2018


Overview

Objective

Your SSO configuration is not the same as user provisioning. The SSO configuration is based on the preferences you set up on the Sign-On tab. SpringCM and OneLogin communicate via SCIM (System for Cross-domain Identity Management) provisioning, which lets OneLogin create, update and delete users in SpringCM.

Summary

You need to be an Admin in OneLogin and a Super Administrator in SpringCM in order to configure user provisioning. Additionally, SSO is based on the data center you choose when configuring SAML 2.0. User provisioning is based on the token issued after you approve the SSO process.

User management information is provisioned from OneLogin to SpringCM; however, any changes you make in SpringCM to a user profile do not provision back to OneLogin.

Known Issues

OneLogin's refresh token expires after approximately one hour. Until this is fixed, clear the token instance and re-authenticate it on the app's Configuration tab.

Concepts

User Changes

Change made in OneLogin: User in SpringCM

  • Change user first name: Updated in SpringCM.
  • Change user last name: Updated in SpringCM.
  • Change login name: Updated in SpringCM unless the login name is not unique in SpringCM.
  • Change email address: An error is thrown indicating that an email address cannot be changed.
  • Change the SCIM username: If the username is changed in OneLogin, the user must be re-mapped from the Users tab associated with the app.
  • No email address: If the login name is in the form of an email address, it is used as the email address; otherwise an error occurs.
  • Set/change manager: Not synchronized.
  • Set/change department: Not synchronized.


Exceptions

Change made in SpringCM: What happens when a user gets updated in OneLogin

  • Duplicate email address: An error is thrown indicating that the email must be unique.
  • Duplicate login name: An error is thrown indicating that the username must be unique.
  • Role is changed: Roles are currently not maintained in OneLogin. If the role is changed in SpringCM, it remains the role.
  • Groups removed from the user profile in SpringCM: Assuming the groups still exist, the user profile (including groups) is refreshed the next time the user is updated in OneLogin.
  • User login name is changed in SpringCM: If the user is changed in OneLogin, the login name is changed back.
  • User is disabled in SpringCM: The user is re-enabled when the user is changed in OneLogin.
  • User has been deleted from SpringCM: An error is returned indicating that you do not have access to the user.
  • Disassociating a user in OneLogin: Disassociates the SpringCM app from OneLogin. This does nothing to the user in SpringCM.
  • Resetting a user in OneLogin: Clears the user's provisioning state; any further updates result in the user being re-provisioned from scratch.
  • Creating a user and assigning groups at the same time (through rules): This results in an error that can be resolved by reprovisioning. Example error: "John Smith could not be provisioned in SpringCM (SCIM Test): User 4311ca11-df0c-e811-9c11-30e17155e337 does not exist or you does not have access".


User Security Groups

Changes made in SpringCM: What happens in OneLogin

  • Change group name: If the group name has changed without refreshing entitlements, the user is still assigned successfully. In this case, the original name is reflected in OneLogin and the correct name is reflected in SpringCM.
  • Deleted group assigned to a user in OneLogin: Error returned: "The following Groups are outdated: Marketing. Please check your entitlement rules. Refresh entitlements and provision the user again."
  • Delete a group that has users assigned to it: When a user is updated, a group with the unique ID is created in SpringCM. (bug)
  • Distribution groups: Not supported.
  • New groups added to a user: The user is updated with the new groups. The current profile in OneLogin is reflected in SpringCM.
  • Groups deleted from a user: The current profile in OneLogin is reflected in SpringCM.
  • New group added in OneLogin: Groups created in OneLogin are not assignable to the user.


Deprovisioning Users

Change made in SpringCM: What happens when a user gets updated in OneLogin

  • Deleting a user in OneLogin: Follows the deletion action configured on the app's Provisioning tab:
    • Do Nothing: The user remains in SpringCM.
    • Suspend: The user is disabled in SpringCM.
    • Delete: The user is removed from SpringCM.
  • De-provisioning a user from the SpringCM app: Follows the pattern above.

For more information, see OneLogin's articles on Roles (https://support.onelogin.com/hc/en-us/articles/202123144-Roles) and Mappings (https://support.onelogin.com/hc/en-us/articles/201173404-Mappings).


Admin How To

Add the SpringCM app to your OneLogin account

  1. Log in to OneLogin as an Administrator.
  2. Hover over the Apps menu and click Add Apps.
  3. Type 'SpringCM' into the search bar or scroll through the list to find the SpringCM app.
  4. Click on the SpringCM app.
    There are two versions of the SpringCM app: one for the UAT environment and one for the Production environment.
  5. The app's Configuration tab opens. Leave the display name field as SpringCM.
  6. Click the Save button to save this app to your account.

Authenticate the SpringCM app

This procedure creates your connection between OneLogin and SpringCM.

  1. Click the Configuration tab.
  2. Click the Data Center dropdown under Application Details.
    If you are working with a UAT app, you do not need to immediately choose a data center.
  3. Choose the data center to which your SpringCM account belongs.
    Your app data center MUST match your SpringCM account data center; otherwise, your user provisioning fails.
  4. Click the Save button.
  5. Connect your OneLogin account to the SpringCM API. Click the Authenticate button in the API Connection section. A Complete Authentication Process pop-up window opens.
  6. Click the SpringCM link in the pop-up window. You are redirected to your SpringCM login page.
  7. Log in to SpringCM with your Super Administrator credentials.
  8. Click the Approve button on the access page to grant OneLogin full access to your SpringCM account. 
    This allows the OneLogin-SpringCM connection to manage the account's user records. You are then redirected back to OneLogin.
  9. Click the Save button to save your settings on the Configuration tab.

Enable SSO in SpringCM

You need to enable SSO in SpringCM in order to pass provisioning data back and forth between OneLogin and SpringCM.

  1. Hover over the Apps menu.
  2. Select the Company Apps option. Your company app list opens.
  3. Select the SpringCM app.
  4. Click the SSO tab.
  5. Click the View Details link under the X.509 Certificate field. The certificate page displays.
  6. Click the dropdown and select X.509 PEM.
  7. Click Download button to download the certificate.
  8. Locate the PEM file and rename the file from onelogin.pem to onelogin.cert. This satisfies SpringCM's certificate requirements.
  9. Upload the certificate to your SpringCM account.
  10. Install the certificate in SpringCM.
    1. Log in to SpringCM as a Super Administrator.
    2. Click the Admin link to open the account preferences.
    3. Click the SAML SSO link.
    4. Click the Select Issuing Certificate link under the Identity Provider Configuration section.
    5. Select the OneLogin certificate from its saved location in SpringCM.
    6. Click the Select button to install the certificate.
    7. Copy the contents in OneLogin's Issuer URL field.
    8. Paste the Issuer URL contents into SpringCM's Issuer field.
    9. Copy the contents on OneLogin's SAML 2.0 Endpoint (HTTP) field.
    10. Paste the SAML2.0 Endpoint contents into SpringCM's Service Provider (SP) Initiated Endpoint field.
    11. Select the Enable radio option under SAML Enabled.
    12. Click the Save button to install the certificate and save your settings.

Set up provisioning preferences

  1. Click the Provisioning tab. You set your provisioning approval preferences on this tab.
  2. Check the 'Enable provisioning for SpringCM' checkbox to allow OneLogin to provision users to your SpringCM account.
  3. Check as many or as few boxes under 'Require admin approval before this action is performed in SpringCM' as you wish. 
    These options require an admin to approve provisioning steps if you check the Create user, Delete user, and/or Update user boxes. Do not check any of these options if you want your users to automatically provision once they are saved.
  4. Click the dropdown menu under 'When users are deleted in OneLogin, perform this action in SpringCM'.
  5. Choose an option from the list: Delete, Do Nothing, or Suspend. 
    SpringCM follows this option when you delete a user in OneLogin.
    • Delete deletes the user record from SpringCM.
    • Do Nothing does not change the user record's status in SpringCM.
    • Suspend disables the user record in SpringCM, preventing that user from doing any work in the platform; however, the user record still remains.
  6. Click the Save button to save your changes.

Users & Groups

Security groups need to be created ahead of time in SpringCM in order to associate users to groups from OneLogin. Groups created in OneLogin do not provision to a SpringCM user.

Create a security group in SpringCM

  1. Log in to SpringCM as a Super Administrator.
  2. Click the Address Book link in the navigation header.
  3. Click Create Security Group in the toolbar.
  4. Type a group name in the Name field.
  5. Click the Save button.

Turn off password restrictions in SpringCM

Set the 'Allow Password Login for SSO Users' setting in SpringCM to No so that your OneLogin users sign in to SpringCM with their OneLogin SSO credentials rather than a SpringCM password.

  1. Log in to SpringCM as a Super Administrator.
  2. Click the Admin link.
  3. Click the Security link under Account Preferences.
  4. Select the No radio button for the 'Allow Password Login for SSO Users' setting under the Passwords section.
  5. Click the Save button.

Map SpringCM security groups to OneLogin

You need to import your account's app attributes in order to map the security groups you have created in SpringCM to attribute values in OneLogin. You can then assign users in OneLogin to those security groups and provision them into SpringCM with the group's permissions.

  1. Hover over the Apps menu.
  2. Select the Company Apps option. Your company app list opens.
  3. Select the SpringCM app.
  4. Click the Provisioning tab.
  5. Click the Refresh link in the Entitlements section. 
    A small progress bar may display while OneLogin is working. This process could take several minutes depending on attribute volume and network bandwidth. You can check the Events page under the Activity menu to see when it completes if it is not immediate.
  6. Click the Save button to save your change.

Set up parameter values in OneLogin

Parameter values are set to defaults for newly installed instances of the SpringCM OneLogin application. If you have an existing installation of the app, you need to assign values manually after the update.

We encourage you to use the default parameters. If you want to change the SCIM Username, use a unique value such as the email address. It must also match the value mapped in the SAML assertion (the NameID). If you do change the SCIM username, you need to re-map users en masse and then check their provisioning statuses to ensure the connection has not failed entirely.
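A quick way to verify the requirement above is to compare the NameID in the assertion OneLogin issues for a user with the userName the SCIM connector sends for the same user. This is an added example with a constructed assertion fragment and SCIM record; it is not OneLogin's or SpringCM's code.

```python
"""Check that the SAML NameID and the SCIM userName for one OneLogin user agree.
Added example with constructed data; not OneLogin's or SpringCM's own code."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment of the shape OneLogin's SAML 2.0 endpoint issues.
SAML_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jsmith@example.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Constructed SCIM user as the provisioning connector would send it.
SCIM_USER = {"userName": "jsmith@example.com",
             "name": {"givenName": "John", "familyName": "Smith"}}


def saml_name_id(assertion_xml):
    """Return the NameID text of an assertion, or None if absent.
    Use defusedxml instead of ElementTree when the input is untrusted."""
    root = ET.fromstring(assertion_xml)
    node = root.find("saml:Subject/saml:NameID", NS)
    return node.text.strip() if node is not None and node.text else None


def mappings_agree(assertion_xml, scim_user):
    """True when the SAML NameID equals the SCIM userName exactly."""
    name_id = saml_name_id(assertion_xml)
    return name_id is not None and name_id == scim_user["userName"]
```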

  1. Hover over the Apps menu.
  2. Select the Company Apps option. Your company app list opens.
  3. Select the SpringCM app.
  4. Click the Parameters tab. The mapped parameters page opens.
  5. Click on one of the rows in the list. A pop-up window opens allowing you to change the parameter configuration.
    • You have the following options:
      • Email (SCIM)
      • First Name (SCIM)
      • Groups (SCIM)
      • Last Name (SCIM)
      • NameID (SAML)
      • Phone (SCIM)
      • SCIM Username (SCIM)
      • Title (SCIM)
    • Each attribute has some combination of the following options available to declare:
      • - Macro -
      • - No Default -
      • AD ID
      • AD Username
      • Company
      • Department
      • Distinguished Name
      • Email
      • Email name part
      • External ID
      • First Name
      • Internal ID
      • Last Name
      • Ldap Uid
      • ManagerID
      • MemberOf
      • OneLogin ID
      • OpenID Name
      • Phone
      • Profile Picture
      • Title
      • User Roles
      • Username
      • userPrincipalName

Create a new user in OneLogin

Before creating users, please reference the Assigning Apps to Users article from OneLogin if you are unsure about provisioning users with multiple applications in your organization.

  1. Hover over the Users dropdown.
  2. Select the All users option. The All Users list opens.
  3. Click the New User button. The User Info page opens.
  4. Fill in the First Name, Last Name, Email, and Username fields, at minimum.
  5. Click the Save User button to save your changes.
    Note: More tabs become available once you save the user, allowing you to continue with other processes.

You can choose to batch import users from a CSV into OneLogin. All users require an email and a username if you want to provision them into SpringCM, so make sure that each entry in your import includes these two fields. See the help topic from OneLogin on how to import from a CSV.

Provision a user from OneLogin to SpringCM with Admin approval

User provisioning is generally driven by the role configuration in your company's OneLogin organization. Please reference the Assigning Apps to Users article from OneLogin if you are unsure about provisioning users with multiple applications in your organization.

  1. Add a user in the SpringCM company app. (See above.)
  2. Select the SpringCM application from the Apps dropdown.
  3. Click the Users tab.
  4. Locate the user whose provisioning status is 'Provisioning.'
  5. Click on the status indicator.
  6. Click the Approve button on the admin approval pop-up window.

Once the user has successfully provisioned, add that user to a group. By default, do not assign a value to the group on the app's Parameters tab; go back and add a group value after you provision.

Provision a user from OneLogin to SpringCM without Admin approval

If none of the 'Require admin approval before this action is performed in SpringCM' checkboxes (Create user, Delete user, Update user) is checked, your OneLogin users provision automatically once they are saved, based on your role configurations. Automatic user provisioning is generally driven by the role configuration in your company's OneLogin organization. Please reference the Assigning Apps to Users article from OneLogin if you are unsure about provisioning users with multiple applications in your organization.

Add a OneLogin user to a SpringCM security group

Users have to be assigned to groups from within OneLogin after being provisioned to SpringCM.

  1. Add a new user to the SpringCM app in OneLogin. Once you save the user, it automatically provisions to SpringCM.
  2. Open the SpringCM app.
  3. Click the Users tab.
  4. Click on a user in the list to open his/her profile.
  5. Select a group in the "Available Values" list in the Groups section.
  6. Click the > button to move it to the "Selected Values" list.
  7. Click the Save button when you are finished.

FAQs

What if my user gets deleted in SpringCM but not in OneLogin?

Deleting a SpringCM Full Subscriber does not delete the OneLogin record. Instead, the user authentication in OneLogin changes to a Failed status. To fix this, open the user from the Apps > Users tab and click the Reset login link. A record for this user is created in SpringCM with a new unique ID.

What if my user gets created in SpringCM first?

You can match a OneLogin user with an existing SpringCM user if the login names match.

If I modify a user's email address in OneLogin, what happens to the SpringCM user?

The user authentication in OneLogin changes to a Failed status because the profiles no longer match. To fix this, use the Reset Login link and follow the rematch login process.