OneLogin

This article describes how to configure SAML login to GitProtect with OneLogin as the identity provider.

Logging into GitProtect using SAML-integrated identity providers should be initiated from the GitProtect Management Service.

Remember to enable the switch for logging in using IdP authorization for existing users in the system. You can do this in the Settings -> Accounts tab.

Configuration

To set up SAML integration for GitProtect login, log in to your own OneLogin portal, go to the "Applications" tab and click the Add App button. In the search box, type "SAML Custom Connector (Advanced)" and search.

Enter a custom name for the app in the "Display Name" field and click the "Save" button.

Next, go to the "Configuration" tab. In this tab you need to prepare some values that you will use:

Reply URL - https://GitProtectManagementServiceURL/Auth/AssertionConsumerService

Logout URL - https://GitProtectManagementServiceURL/auth/SAMLLogoutResponse

where:

GitProtectManagementServiceURL - the URL address of your GitProtect Management Service. The address ends with ".com"; remove everything to the right of that part.

Entity ID - a custom name identifying the application on the IdP side e.g. XOPEROSAML.

Then enter the prepared values in the form on the OneLogin side.

  1. Audience (EntityID) - Entity ID

  2. ACS (Consumer) URL Validator* - Reply URL

  3. ACS (Consumer) URL* - Reply URL

  4. Single Logout URL - Logout URL

Then go to the SSO tab. Change "SAML Signature Algorithm" to SHA-256. Here, make a note of the "Issuer URL" value as you will need to use it to configure your application on the GitProtect side.

To handle logout properly, the private key of the entity that received the request is required. In GitProtect, you must use a file with the .pfx extension, which unfortunately cannot be downloaded directly from OneLogin. Therefore, use your own certificate or generate one for this purpose.

OneLogin offers a form where you can generate a self-signed certificate: https://developers.onelogin.com/saml/online-tools/x509-certs/obtain-self-signed-certs

Save all settings. Now you can proceed to assigning permissions to the users you want to use to log in to GitProtect. Go to the "Users" tab, select a user, and in the "Applications" tab, use the (+) button to add permissions to the application.

GitProtect side

Log into the GitProtect Web panel, go to the Settings tab and open the External Identity Providers section. Click the Add new provider button and fill in the details.

First, fill in the Name field with your own custom name, e.g. OneLogin, then the Entity ID; in this example it is XOPEROSAML (the custom name identifying the application, prepared at the beginning).

Next, paste the "Issuer URL" into the Metadata URL (with protocol) field.

On the GitProtect side, select the .pfx file containing the private key that matches the certificate on the OneLogin side. It can be protected by a password, which should be entered in the "Add new or select password from Password manager" field.

Then select the default Language and Role and any additional permissions. Now you can save the finished IdP integration via the Save button.

IdP login using SAML protocol

Remember that with this integration method it is not possible to trigger login from the application page in OneLogin. Login to the system must be triggered via the login button on the GitProtect service side.

Group mapping

You can use group mapping if you have many users to whom you want to assign different permissions.

Each new login to GitProtect resets permissions to the default. So if you change permissions for a user, the change only applies during the active session; after the user logs in again, the permissions return to the default.

The configuration is two-track: OneLogin and GitProtect. Start with the OneLogin side. In the "Users" tab, open "Roles" and create the roles you want to use, for example "XONE viewers" and "XONE admins". Then assign the specific roles to specific users.

Then, in the "Applications" tab, edit the SAML application and go to the "Parameters" tab. There, use the (+) icon to create a new parameter. In Field name, enter "http://schemas.xmlsoap.org/claims/Group" and check both flags: Include in SAML assertion and Multi-value parameter. Press Save. In "Default if no value selected" select "User Roles" and Semicolon Delimited input (Multi-value output). Save the parameter using the "Save" button.

On the GitProtect side, when editing the IdP, select the "Group mapping" button. In Claim type, enter "http://schemas.xmlsoap.org/claims/Group", and in Claim value, enter the name of the role, e.g. XONE viewers. Select roles and permissions, then save. Repeat this step for each Role/Permissions combination you want to create.
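To make the group-mapping step concrete, here is an added Python example (not GitProtect's or OneLogin's code) that extracts the "http://schemas.xmlsoap.org/claims/Group" attribute from a SAML assertion and resolves roles from a mapping table the way the text describes: only exact matches on a Claim value grant a mapped role, and a user with no matching group falls back to the IdP's default Role. The assertion XML, the role names ("Viewer", "Administrator") and the handling of both multi-value and semicolon-joined attribute values are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"

# Constructed assertion fragment (not a real OneLogin response). It carries the
# group claim both as separate AttributeValue elements and as a semicolon-joined
# value, so the parser below shows it copes with either output shape.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/EXAMPLE-ID</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>XONE viewers</saml:AttributeValue>
      <saml:AttributeValue>XONE admins;Unmapped role</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def group_values(assertion_xml, claim=GROUP_CLAIM):
    """Return every group name carried by the named attribute.

    Parse an assertion only after its signature has been validated; the stdlib
    parser is not hardened against malicious XML (use defusedxml in production).
    """
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != claim:  # exact claim-type match, as in GitProtect
            continue
        for node in attr.iterfind("saml:AttributeValue", SAML_NS):
            for part in (node.text or "").split(";"):
                if part.strip():
                    values.append(part.strip())
    return values


def resolve_roles(groups, mapping, default_role):
    """Mirror the per-login behaviour described above: roles come only from
    group-mapping rows whose Claim value matches exactly (case-sensitive);
    with no match the IdP's default Role applies."""
    roles = [mapping[g] for g in groups if g in mapping]
    return roles if roles else [default_role]


if __name__ == "__main__":
    mapping = {"XONE viewers": "Viewer", "XONE admins": "Administrator"}
    groups = group_values(SAMPLE_ASSERTION)
    print(groups, "->", resolve_roles(groups, mapping, "Viewer"))
```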
