OneLogin

This article describes how to configure SAML login to GitProtect with OneLogin as the identity provider.

Remember to enable the switch that allows existing users in the system to log in using IdP authorization. You can do this in the Settings -> Accounts tab.

Identity provider authentication toggle

Configuration

To set up the SAML integration with GitProtect, log in to your own OneLogin portal, go to the "Applications" tab and click the Add App button. In the search box, type "SAML Custom Connector (Advanced)" and search.

Enter a custom name for the app in the "Display Name" field and click the "Save" button.

Next, go to the "Configuration" tab. Before filling it in, prepare the following values:

Reply URL - https://GitProtectManagementServiceURL/Auth/AssertionConsumerService

Logout URL - https://GitProtectManagementServiceURL/auth/SAMLLogoutResponse

where:

GitProtectManagementServiceURL - the URL address of your GitProtect Management Service. The address ends with ".com"; remove everything that follows ".com".

GitProtect management console. URL address.

Entity ID - a custom name identifying the application on the IdP side e.g. XOPEROSAML.

Then enter the prepared values in the form on the OneLogin side.

  1. Audience (EntityID) - Entity ID

  2. ACS (Consumer) URL Validator* - Reply URL

  3. ACS (Consumer) URL* - Reply URL

  4. Single Logout URL - Logout URL

SAML OneLogin application. Configuration.

Then go to the SSO tab. Change "SAML Signature Algorithm" to SHA-256. Here, make a note of the "Issuer URL" value as you will need to use it to configure your application on the GitProtect side.

Save all settings. Now you can proceed to assigning permissions to the users you want to use to log in to GitProtect. Go to the "Users" tab, select a user, and in the "Applications" tab, use the (+) button to add permissions to the application.

GitProtect side

Log into the GitProtect Web panel, go to the Settings tab and open the External Identity Providers section. Click Add new provider button and fill in the details.

First, fill in the Name field with your own custom name, e.g. OneLogin, then the Entity ID, which in this example is XOPEROSAML (the custom name identifying the application, prepared at the beginning).

Next, paste the "Issuer URL" into the Metadata URL (with protocol) field.

SAML application on the GitProtect side. Configuration.

On the GitProtect side, select the .pfx file containing the private key that matches the certificate on the OneLogin side. It can be protected by a password, which should be entered in the "Add new or select password from Password manager" field.

Then select the default Language and Role and additional permissions. Now you can save the finished integration with IdP via the Save button.

IdP login using SAML protocol

Remember that with this integration method it is not possible to trigger login from the application page in OneLogin. Login to the system must be triggered via the login button on the GitProtect service side.

Group mapping

You can use group mapping if you have many users to whom you want to assign different permissions.

Each new login to GitProtect resets permissions to the default. If you change a user's permissions, the change applies only for the active session; after the user logs in again, the permissions return to the default.

The configuration has two parts: OneLogin and GitProtect. Start with the OneLogin side. In the "Users" tab, go to "Roles" and create the roles you want to use, for example "XONE viewers" and "XONE admins". Then assign the roles to the appropriate users.

OneLogin. Roles.

Then, in the "Applications" tab, edit the SAML application and go to the "Parameters" tab. Use the (+) icon to create a new parameter. In Field name, enter "http://schemas.xmlsoap.org/claims/Group" and check both flags: Include in SAML assertion and Multi-value parameter. Press Save. In "Default if no value selected", select "User Roles" and the Semicolon Delimited input (Multi-value output). Save the parameter using the "Save" button.

OneLogin. SAML application configuration. Parameters.

On the GitProtect side, when editing the IdP, click the "Group mapping" button. In Claim type, enter "http://schemas.xmlsoap.org/claims/Group" and in Claim value enter the name of the role, e.g. XONE viewers. Select the roles and permissions, then save. Repeat this step for each role/permission set you want to map.

GitProtect group mapping.
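To make the two sides of the group mapping concrete, the following added example (not GitProtect's or OneLogin's code) parses the Group attribute that the OneLogin parameter above places in the SAML assertion and resolves it to roles through a mapping table. The sample assertion, the mapping table, the role names and the default role are constructed assumptions for illustration.

```python
# Added example: read the "http://schemas.xmlsoap.org/claims/Group" attribute from a
# SAML assertion and map its values to roles. Not code from GitProtect or OneLogin.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"   # claim type used on the page
DEFAULT_ROLE = "Viewer"                                   # assumed default role name

# Assumed mapping, as entered under "Group mapping": claim value -> role.
GROUP_MAPPING = {
    "XONE admins": "Administrator",
    "XONE viewers": "Viewer",
}

# Constructed sample assertion fragment: OneLogin's "User Roles" parameter in
# semicolon-delimited multi-value form. Signature and Subject elements are omitted.
SAMPLE_ASSERTION = f"""
<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="{GROUP_CLAIM}">
      <saml:AttributeValue>XONE admins;XONE viewers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
""".strip()


def extract_groups(assertion_xml: str) -> list[str]:
    """Return every group value carried by the Group claim.

    Accepts both one AttributeValue per group and OneLogin's semicolon-delimited
    single value, so the result is the same whichever output form is configured.
    """
    root = ET.fromstring(assertion_xml)
    groups = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != GROUP_CLAIM:
            continue
        for value in attr.iter(f"{{{SAML_NS}}}AttributeValue"):
            groups.extend(g.strip() for g in (value.text or "").split(";") if g.strip())
    return groups


def resolve_roles(groups: list[str], mapping: dict = GROUP_MAPPING) -> list[str]:
    """Return the roles mapped from the current assertion's groups.

    Roles come only from the groups in this login's assertion (permissions are reset
    on every login, as noted above); users with no mapped group get the default.
    """
    matched = [role for claim_value, role in mapping.items() if claim_value in groups]
    return matched or [DEFAULT_ROLE]
```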
