Configuring SAML > OneLogin
Note: Single Sign-on may not be available in your plan. Please contact your Advocacy Coach to learn more.
This article covers how to configure a SAML Single Sign-On setup for AdvocateHub using OneLogin as the Identity Provider. This gives your Advocates a seamless, easy way to enter your hub using OneLogin.
Prerequisite: You need to sign up for an account with OneLogin. The free account may be enough for you, but check out the packages offered by OneLogin, as one of these may better suit your needs.
On your OneLogin dashboard select Apps from the navigation bar at the top of the page. From the dropdown, you then need to select Add Apps.
This should take you to a Find Applications page. In the search field, type 'Shibboleth' and then select the app called SAML Test Connector (SP Shibboleth) as highlighted below.
Now that you have created your app, it is time to start configuring it. On the Info page of your app, you are given the chance to name it. In this example, we are calling it 'Influitive AdvocateHub'. We are also going to upload two logos; you can find the rectangular icon here and the square icon here. Once you have completed this, click Save.
Next, move on to the Configuration tab. Fill out the fields on this tab as follows and click Save:
|Influitive-AdvocateHub [This exact text must be used]
|ACS (Consumer) URL Validator|https:\/\/<insert your subdomain here>.influitive\.com\/saml\/consume\/
|ACS (Consumer) URL|https://<insert your subdomain here>.influitive.com/saml/consume
|Single Logout URL|https://<insert your subdomain here>.influitive.com/users/sign_out
It should look something like the below:
Next, move on to the Parameters tab. This is where we set which attributes we want to bring across to Influitive upon authentication. We accept the attributes below so that we can identify the user who is trying to log in and populate some information on their AdvocateHub profile:
- First Name (Mandatory)
- Last Name (Mandatory)
- Email Address (Mandatory)
- Company (Optional)
- Title (Optional)
To start, click the Add parameter link:
This will pop up a Field Creation wizard. Make sure to check the box Include in SAML assertion:
Note: The field names must exactly match the below, i.e. contain no spaces:
NameID (fka Email) - You will not have to set this, as it is done automatically by OneLogin. It is the unique identifier used to confirm who the user is.
Finally, once you have created them, you will need to click anywhere on the row of each attribute to set its value. It will pop up a similar wizard to before, where we can pick the value from a dropdown menu.
Once you have done this for all your attributes/parameters, hit Save and move to the SSO tab. Here we are going to extract the information we need to plug back into AdvocateHub in order to complete the connection. The first thing we can do is copy the SAML 2.0 Endpoint URL (HTTP) value:
Head back over to your AdvocateHub, go to Settings > System > Login/Security and scroll down to the Single Sign-On section. Paste the value into the SSO Endpoint URL field.
Now go back to the OneLogin setup, where we are going to retrieve our Fingerprint. Locate the dropdown menu under SAML Signature Algorithm and select SHA-256 (you can leave it on SHA-1, but we recommend SHA-256 as it is more secure):
Make sure to click Save at this point in the top-right corner of the page. Next, we need to click the view details link, which is under the X.509 Certificate section.
This will bring us to a new page where we need to once again choose SHA-256 under the SHA Fingerprint section and hit Save. Copy the value in the Fingerprint field:
Go back to the Single Sign-On section in the AdvocateHub and paste this value into the SSO Fingerprint field. There is one last piece of information we can grab from OneLogin, which is the SSO Signout URL. This is optional, but it will direct the Advocate to a URL if they choose to log out of AdvocateHub. It is up to you to choose whatever URL you would like here, but for the purposes of this example, you may remember we set this back on the Configuration tab of our OneLogin configuration.
Paste this value back into the AdvocateHub and we should be done. You should see something like the below; remember to save:
Now we should have a working Single Sign-On implementation! The final step is to add your users to your user database in OneLogin so that they can access the AdvocateHub. There are a number of ways to do this; check out the OneLogin documentation on User Management for this final piece.
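Because the SSO Fingerprint is what ties AdvocateHub's trust to the OneLogin certificate, it is worth recomputing it independently before relying on the connection. The following is an added example, not code from Influitive or OneLogin: it assumes you have the X.509 certificate as PEM text and that the fingerprint is shown as colon-separated hex, and it reports whether a pasted value is the SHA-256 fingerprint, the weaker SHA-1 one, or neither. The sample certificate bytes are constructed stand-ins.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S
)

def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes inside the first PEM CERTIFICATE block."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def fingerprint(pem: str, algorithm: str = "sha256") -> str:
    """Colon-separated uppercase hex digest of the DER-encoded certificate."""
    digest = hashlib.new(algorithm, pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp: str) -> str:
    """Strip separators and case so pasted values compare reliably."""
    hexonly = re.sub(r"[\s:]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]+", hexonly):
        raise ValueError("fingerprint contains non-hex characters")
    return hexonly

def check_pasted_fingerprint(pem: str, pasted: str) -> str:
    """Classify a pasted fingerprint: 'sha256', 'sha1' or 'mismatch'."""
    got = normalize(pasted)
    for algorithm in ("sha256", "sha1"):
        want = normalize(fingerprint(pem, algorithm))
        if hmac.compare_digest(got, want):
            return algorithm
    return "mismatch"

# Constructed stand-in bytes wrapped as PEM; not a real certificate.
SAMPLE_DER = bytes(range(64)) * 8
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    fp = fingerprint(SAMPLE_PEM)
    print(fp)
    print(check_pasted_fingerprint(SAMPLE_PEM, fp.lower().replace(":", " ")))
```

A result of `sha1` means the fingerprint page was left on SHA-1 rather than the SHA-256 setting recommended above; `mismatch` means the pasted value does not belong to this certificate.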
If you have any other questions on how SAML works with the AdvocateHub then please reference our FAQ article.