How to set up OneLogin SAML authentication for Shares

Description

Shares allows users to create accounts and authenticate through a SAML IdP (identity provider). OneLogin is an example of an IdP that can easily be integrated into Shares after performing some basic configurations.

The instructions below walk you through the configurations on both the OneLogin side and the Shares side required to establish SAML authentication for your users.

Instructions

1. Log in to your OneLogin interface and navigate to Apps > Add Apps on the main navigation menu.

2. Enter SAML in the search box and select SAML Test Connector (SP w/ signed assertion) from the results:

Give the Connector any name, and click Save.

3. Navigate to Apps > Company Apps from the main navigation menu and select the Connector you just saved.

4. Click the Configuration tab. Fill in the three fields in the following format, where your_shares_server.com should be replaced with the FQDN (fully qualified domain name) of your Shares server.

Field                         Value
Login URL                     https://your_shares_server.com
ACS (Consumer) URL            https://your_shares_server.com
ACS (Consumer) URL Validator  ^https:\/\/your_shares_server\.com$

Note: The URL Validator is a regular expression. Escape periods (.) and forward slashes (/) with a backslash (\), and leave the ^ and $ anchors unescaped so the pattern matches exactly the ACS URL and nothing else.

Save your changes.

5. Click on the Parameters tab to add and configure the assertion values Shares requires for SAML authentication. These will be defined as parameters mapped to information from your underlying directory.

Email is a pre-defined parameter that is delivered to Shares as the NameID assertion value. This means the Email parameter will act as a user’s login name for Shares. If your organization uses email addresses as login names, you do not have to remap the Email parameter. Otherwise, it should be mapped to the field that the underlying directory uses for account names.

Click Add parameter for each required field, and map the values as shown below:

Parameter   Value
Email       username
email       Email
given_name  First Name
id          Email
surname     Last Name

Save your changes.

Note 1: All parameter names are case sensitive.

Note 2: The SAML specification does not define the expected behavior for empty values in an assertion. Because of this, optional parameters such as member_of should only be configured if the underlying directory can supply the necessary data. In most cases member_of would be mapped to a group field.

6. Click on the SSO tab. The values shown here and within the View Details link must be saved in Shares to complete the process.

You should already have defined the certificate; if not, this is something you will need to configure (see this OneLogin help article).

7. Switch over to Shares in a new window or tab and log in using the local logon URL (which allows you as an administrator to log in locally without SAML):

https://your_shares_server/login/new?local=true

Click Admin on the top right, then under Accounts click Directories. On the line for SAML Identity Provider, click edit.

8. Select Log in using a SAML Identity Provider if you have not done so already. Here you will be configuring Shares to use the OneLogin IdP for SAML authentication:

For the IdP Single Sign-On URL field, paste in the SAML 2.0 Endpoint URL shown on the OneLogin SSO tab. The values for IdP Certificate Fingerprint and IdP Certificate come from the View Details link on the same SSO tab:

Click Update to finish.

9. Shares is now set up to use SAML-based authentication via OneLogin.
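Two of the values above are easy to get subtly wrong: the ACS URL Validator regex from step 4 and the IdP Certificate Fingerprint from step 8. The script below is an added example, not part of this article or of Shares or OneLogin; it checks that the validator regex really matches the ACS URL and recomputes the fingerprint from the PEM certificate you are about to paste. The URLs and the PEM are constructed placeholders, and SHA-1 is an assumed digest (confirm which one Shares expects).

```python
import base64
import hashlib
import re

# Constructed values mirroring step 4 of the article (not a live configuration).
ACS_URL = "https://your_shares_server.com"
ACS_URL_VALIDATOR = r"^https:\/\/your_shares_server\.com$"

# Constructed stand-in for the PEM shown under OneLogin's View Details link:
# its body is just base64 for the bytes b"abc", it is NOT a real certificate.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def validator_matches(validator: str, url: str) -> bool:
    """True if the ACS URL Validator regex accepts the ACS URL.

    OneLogin applies the validator as a regular expression, so a pattern that
    does not match (e.g. with the end anchor escaped as \\$) makes OneLogin
    reject the ACS URL. Python's re handles ^, $, \\/ and \\. the same way.
    """
    return re.search(validator, url) is not None


def certificate_fingerprint(pem: str, algorithm: str = "sha1") -> str:
    """Colon-separated hex fingerprint of a PEM certificate.

    The fingerprint is the digest of the DER bytes, i.e. the base64-decoded
    text between the BEGIN/END markers. SHA-1 is assumed because it is the
    usual default for SAML SP fingerprints; confirm which digest Shares uses.
    """
    body = "".join(
        line.strip() for line in pem.splitlines()
        if line.strip() and not line.strip().startswith("-----")
    )
    der = base64.b64decode(body, validate=True)
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(pem: str, expected: str) -> bool:
    """Compare a pasted fingerprint with the certificate, ignoring case and
    colon separators so that either display form is accepted."""
    def norm(s: str) -> str:
        return s.replace(":", "").upper()
    return norm(certificate_fingerprint(pem)) == norm(expected)
```

Run `validator_matches` on your own validator and ACS URL before saving step 4, and `fingerprint_matches` on the PEM and fingerprint you paste in step 8; a mismatch in either means the SAML response will be rejected.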
