How to set up OneLogin SAML authentication for Faspex

Description

Faspex allows users to create accounts and authenticate through a SAML IdP (identity provider). OneLogin is an example of an IdP that can easily be integrated into Faspex after performing some basic configurations.

The instructions below walk you through the configurations on both the OneLogin side and the Faspex side required to establish SAML authentication for your users.

Instructions

1. Log in to your OneLogin interface and navigate to Apps > Add Apps on the main navigation menu.

2. Enter SAML in the search box and select SAML Test Connector (SP w/ signed assertion) from the results:

Give the Connector any name, and click Save.

3. Navigate to Apps > Company Apps from the main navigation menu and select the Connector you just saved.

4. Click the Configuration tab. Fill in the three fields in the following format, where your_faspex_server.com/aspera/faspex should be replaced with the FQDN (fully qualified domain name) of your Faspex server.

Field | Value
Login URL | https://your_faspex_server.com/aspera/faspex
ACS (Consumer) URL | https://your_faspex_server.com/aspera/faspex/auth/saml/callback
ACS (Consumer) URL Validator | ^https:\/\/your_faspex_server\.com\/aspera\/faspex\/auth\/saml\/callback$

Note: The URL Validator must escape periods and forward slashes (/) with a backslash (\).

Save your changes.

5. Click on the Parameters tab to add and configure the assertion values Faspex requires for SAML authentication. These will be defined as parameters mapped to information from your underlying directory.

Email is a pre-defined parameter that is delivered to Faspex as the NameID assertion value. This means the Email parameter will act as a user’s login name for Faspex. If your organization uses email addresses as login names, you do not have to remap the Email parameter. Otherwise, it should be mapped to the field that the underlying directory uses for account names.

Click Add parameter for each required field, and map the values as shown below:

Parameter | Value
Email | username
email | Email
given_name | First Name
surname | Last Name

Save your changes.

Note 1: All parameter names are case sensitive.

Note 2: The SAML specification does not define expected behavior for empty values in an assertion. Because of this, optional parameters, such as id or member_of, should only be configured if the underlying directory can supply the necessary data. In most cases the id parameter would be mapped to, for example, the samAccountName in MS Active Directory, while member_of would be mapped to a group field.


6. Click on the SSO tab. The values shown here and within the View Details link must be saved in Faspex to complete the process.

You should already have defined the certificate; if not, you will need to configure it (see this OneLogin help article).

7. Switch over to Faspex in a new window or tab and log in using the local logon URL (which allows you as an administrator to log in locally without SAML):

https://faspex.com/aspera/faspex/login/new?local=true

Click Server on the main navigation menu, then the Authentication tab, and finally SAML Integration on the left.

8. Select Log in using a SAML Identity Provider if you have not done so already. Here you will be configuring Faspex to use the OneLogin IdP for SAML authentication:

For the IdP Single Sign-On URL field, paste in the SAML 2.0 Endpoint URL given in the OneLogin SSO parameters page. The values for IdP Certificate Fingerprint and IdP Certificate come from the View Details link on the SSO parameters page.

Click Update to finish.

9. Faspex is now set up to use SAML-based authentication via OneLogin.
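
The ACS (Consumer) URL Validator from step 4, as an added example that is not part of the original article or of OneLogin's or Faspex's code: this Python sketch builds the validator from a Faspex FQDN in the escaped, anchored format shown above, lints a hand-typed pattern, and compares which URLs a loose pattern and the strict one accept. The FQDN faspex.example.com, the function names, and the assumption that the validator is applied as a regex search are illustrative.

```python
import re

# Path Faspex expects for the ACS (Consumer) URL, from the table in step 4.
ACS_PATH = "/aspera/faspex/auth/saml/callback"

def acs_url(fqdn):
    return f"https://{fqdn}{ACS_PATH}"

def acs_validator(fqdn):
    """Step 4 format: ^...$ anchors, '.' and '/' backslash-escaped."""
    escaped = re.sub(r"[./]", lambda m: "\\" + m.group(0), acs_url(fqdn))
    return f"^{escaped}$"

def lint_validator(pattern):
    """Return the problems found in a hand-typed validator."""
    problems = []
    if not pattern.startswith("^"):
        problems.append("missing ^ anchor")
    if not pattern.endswith("$") or pattern.endswith("\\$"):
        problems.append("missing $ anchor")
    if re.search(r"(?<!\\)\.", pattern):
        problems.append("unescaped period")
    if re.search(r"(?<!\\)/", pattern):
        problems.append("unescaped forward slash")
    return problems

def accepts(pattern, url):
    # Assumption: the validator is applied as a regex search over the URL.
    return re.search(pattern, url) is not None

# Constructed sample input; faspex.example.com is a placeholder FQDN.
FQDN = "faspex.example.com"
STRICT = acs_validator(FQDN)
LOOSE = acs_url(FQDN)  # bare URL used as the pattern: no anchors, no escapes
SAMPLES = [
    acs_url(FQDN),                  # the real ACS URL
    acs_url("faspex-example.com"),  # different host: a bare '.' matches '-'
    acs_url(FQDN) + "/extra",       # extra trailing path
]

def compare():
    """Map each sample URL to (accepted by LOOSE, accepted by STRICT)."""
    return {u: (accepts(LOOSE, u), accepts(STRICT, u)) for u in SAMPLES}

if __name__ == "__main__":
    print(STRICT)
    print(lint_validator(LOOSE))
    for url, result in compare().items():
        print(result, url)
```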
