OneLogin
This document provides a step-by-step introduction to configuring OneLogin to work with Keyless. In this guide, Keyless is set up as both an OpenID Connect service provider and an OpenID Connect identity provider for OneLogin.
Configure Authentication Identity Provider
To enable your users to authenticate to the OneLogin dashboard via Keyless, you’ll need to configure Keyless as a trusted IdP on OneLogin.
As part of the onboarding process, you’ll receive the following pieces of information from Keyless to complete a Trusted IdP configuration.
Parameter | Description | Example |
---|---|---|
Login Icon URI | Can be used as the logon Icon for Keyless authentication on OneLogin Login page | |
Issuer | OIDC issuer URI | |
Authentication Endpoint | OIDC authorization endpoint URI | |
Token Endpoint | OIDC token endpoint URI | |
User Information Endpoint | OIDC userinfo endpoint URI | |
Client Id | OIDC Client ID | |
Client Secret | OIDC Client Secret | |
The steps are as follows:
Create a new Trusted IDP: Go to Authentication → Trusted IdPs → New Trust
Provide a name for the Trusted IdP configuration e.g. Keyless
Check Enable Trusted IDP
Check Show In Logon Panel; this requires you to choose an icon (a default Keyless icon is provided in the onboarding package)
Fill in the issuer URI
Check the following options:
Sign users into OneLogin
Sign users into additional applications
Send Subject Name ID or Login Hint in Auth Request
In the User Attribute section:
Fill in {tidp.preferred_username}
Select Email in User Attribute Mapping
Select OIDC as the authentication protocol type and fill in the following fields in the OIDC Configuration section (the OIDC endpoint URIs, Client ID and Client Secret values are provided in the Keyless onboarding package):
Authentication Endpoint
Select POST as Token Endpoint Authentication Method
Token Endpoint
User Information Endpoint
In the Scopes field, type in: openid email profile
In the Client Id and Client Secret fields, fill in the values provided by Keyless
Click Save to complete the configuration
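A pre-flight check for the values entered in the steps above, added here as an example (not Keyless or OneLogin code): it compares the onboarding-package URIs with the IdP's OIDC discovery document and confirms that the POST token authentication method and the three scopes are advertised. The URIs are constructed samples, and it is assumed that Keyless publishes a discovery document and that OneLogin's POST option corresponds to `client_secret_post`.

```python
from urllib.parse import urlsplit

# Constructed sample values; real ones come from the Keyless onboarding package.
ONBOARDING = {
    "issuer": "https://idp.example.test/tenant1",
    "authorization_endpoint": "https://idp.example.test/tenant1/authorize",
    "token_endpoint": "https://idp.example.test/tenant1/token",
    "userinfo_endpoint": "https://idp.example.test/tenant1/userinfo",
}
# Constructed discovery document, as it would be served at
# <issuer>/.well-known/openid-configuration (assumed to be published).
DISCOVERY = dict(
    ONBOARDING,
    token_endpoint_auth_methods_supported=["client_secret_basic", "client_secret_post"],
    scopes_supported=["openid", "email", "profile"],
)
REQUIRED_SCOPES = {"openid", "email", "profile"}  # Scopes field in the guide


def check_trusted_idp(onboarding, discovery):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    for name, value in onboarding.items():
        parts = urlsplit(value)
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"{name}: not an absolute https URI: {value!r}")
        # OIDC Discovery requires exact string equality for the issuer;
        # the same strictness is applied to the endpoints here.
        if discovery.get(name) != value:
            problems.append(f"{name}: differs from discovery ({discovery.get(name)!r})")
    # OneLogin's "POST" option is taken to mean client_secret_post (assumption).
    methods = discovery.get("token_endpoint_auth_methods_supported",
                            ["client_secret_basic"])  # spec default when omitted
    if "client_secret_post" not in methods:
        problems.append("token endpoint does not advertise client_secret_post")
    # scopes_supported is optional in discovery; skip the check when it is absent.
    missing = REQUIRED_SCOPES - set(discovery.get("scopes_supported", REQUIRED_SCOPES))
    if missing:
        problems.append(f"scopes not advertised: {sorted(missing)}")
    return problems


if __name__ == "__main__":
    for line in check_trusted_idp(ONBOARDING, DISCOVERY) or ["all checks passed"]:
        print(line)
```

An issuer that differs only by a trailing slash is reported, since relying parties compare the issuer as an exact string.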
Configure Enrollment Service Provider
To enable enrollment of your users in Keyless, you’ll need to configure a client application on OneLogin. The parameters required to create the application on OneLogin are provided in your Keyless onboarding package.
The following information is provided in your onboarding package to configure the OneLogin application:
Parameter | Description | Example |
---|---|---|
Login URL | OIDC Client configuration | |
Redirect URI | OIDC redirect URI | |
Post Logout Redirect URI | OIDC Logout URI | |
Keyless Enrollment URL | URL to Keyless Enrollment page for end users | |
Go to Applications → Add App
Search for OIDC in Find Applications and select OpenId Connect (OIDC)
On the Configuration screen, provide a display name, uncheck Visible in portal and click Save
Under the Configuration tab, fill in the following parameters provided by Keyless:
Login Url
Redirect URIs (a single URI)
Post Logout URIs (a single URI)
Under the SSO tab, make a note of the following three pieces of information, which need to be sent back to Keyless for configuration on the Keyless end:
Client ID
Client Secret
Issuer URL
Make sure that Application Type is Web
Make sure that, in the Token Endpoint section, Authentication Method is POST
Additionally, on the Users tab, select the relevant users/groups to allow them to be enrolled in Keyless
Click Save to complete the configuration. Your users can now use the Keyless enrollment URL provided to enrol their devices with Keyless.
Remember to send the following information back to Keyless to complete the configuration:
Client ID
Client Secret
Issuer URL