Onelogin Example - Create an Application

You need to create an application in Onelogin that represents Lighthouse, the Service Provider that Onelogin will authenticate users for.

  1. Go to Applications > Add App > Search for and choose SAML Custom Connector (Advanced).

  2. Name your connector, for example, Lighthouse.

  3. In the Configuration tab for your new app:

    1. Set Audience (EntityID) to lighthouse-onelogin.

    2. Set Recipient to lighthouse-onelogin.

    3. Set ACS (Consumer) URL to: https://{main lighthouse address}/api/v3.7/sessions/saml/sso/onelogin.
    4. Set ACS (Consumer) URL Validator to a regex expression that matches all of your Lighthouses' SSO addresses (IP and DNS, for the Primary and Secondary Lighthouses) and nothing else. Onelogin checks the ACS URL in each SAML request against this expression before posting the assertion to it, so an over-permissive pattern lets a crafted request send the assertion somewhere else.

      1. Ensure it begins with ^ and ends with $ to match the whole URL.

      2. Recommended pattern:
        ^https:\/\/{lighthouse addresses}\/api\/v3\.7\/sessions\/saml\/sso\/onelogin$

      3. For example, to allow Onelogin login for the Lighthouse addresses 192.168.1.10 and lighthouse.example.com, you could use the following (note the ( ) around your hostnames, the | separating them, and the \ before each dot so that it matches only a literal dot):

        ^https:\/\/(192\.168\.1\.10|lighthouse\.example\.com)\/api\/v3\.7\/sessions\/saml\/sso\/onelogin$

    5. Set Login URL to
      https://{main lighthouse address}/api/v3.7/sessions/saml/sp_init/onelogin.

    6. Set SAML initiator to Service Provider.

    7. Set SAML signature element to Assertion.

  4. The recommended method to populate LH_Groups is with Onelogin Roles.

    1. Go to Parameters then click Add.

    2. Set Field Name to LH_Groups.

    3. Check Include in SAML assertion.

    4. Check Multi-value parameter.

    5. Click Save.

    6. Set Default value to User Roles.

    7. If you intend to filter the Roles that are sent to Lighthouse (using a Rule), leave the transform at no transform; otherwise set it to semicolon delimited.

      • An example Rule to filter roles:

        • “Set LH_Groups in” for each role with a value that matches LH_.*.

    8. Save the parameter.

  5. Save the connector.
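The ACS (Consumer) URL Validator in step 3.4 is the one setting in this procedure that is easy to get subtly wrong, so here is an added example (not code from the page, from Lighthouse or from Onelogin) that builds the recommended pattern for the two addresses above, then runs it, an unanchored variant and an unescaped variant against a few constructed ACS URLs to show which of them each would accept. It also applies the LH_.* role filter from step 4.7. The sample URLs, the hosts lighthouse-example.com and evil.example, and the role names are constructed for the example; Python's re module stands in for Onelogin's regex engine, which is an assumption, although the anchoring and escaping behaviour shown is the same in any standard engine.

```python
import re

# Lighthouse SSO endpoint path for the Onelogin provider, as given on this page.
ACS_PATH = "/api/v3.7/sessions/saml/sso/onelogin"


def build_acs_validator(addresses):
    """Build the anchored ACS (Consumer) URL Validator for a list of Lighthouse addresses.

    Every address (IP or DNS name) is regex-escaped so '.' matches only a
    literal dot, the alternatives are grouped with (...|...), the path is
    written with escaped slashes and dots as on the page, and the whole thing
    is wrapped in ^...$ so only the exact SSO URL of a listed Lighthouse matches.
    """
    hosts = "|".join(re.escape(a) for a in addresses)
    path = ACS_PATH.replace(".", "\\.").replace("/", "\\/")
    return "^https:\\/\\/(" + hosts + ")" + path + "$"


def acs_url_allowed(validator, url):
    """True if the validator accepts url.

    re.search is used on purpose: without ^ and $ a pattern only has to occur
    somewhere in the URL, which is exactly the weakness the anchors close.
    """
    return re.search(validator, url) is not None


# Constructed sample URLs (not from the page): the two legitimate Lighthouses
# plus ACS URLs an attacker could put in a forged SP-initiated request.
SAMPLE_URLS = {
    "primary": "https://192.168.1.10" + ACS_PATH,
    "secondary": "https://lighthouse.example.com" + ACS_PATH,
    # legitimate URL embedded in an attacker URL: slips past a pattern with no ^
    "prefix": "https://evil.example/?next=https://lighthouse.example.com" + ACS_PATH,
    # trailing garbage after the real path: slips past a pattern with no $
    "suffix": "https://lighthouse.example.com" + ACS_PATH + "/../../../redirect?to=https://evil.example",
    # registrable look-alike host: slips past a pattern with unescaped dots
    "dot_wildcard": "https://lighthouse-example.com" + ACS_PATH,
}


def check_urls(validator, urls=SAMPLE_URLS):
    """Map each sample label to whether the validator accepts that URL."""
    return {label: acs_url_allowed(validator, url) for label, url in urls.items()}


RECOMMENDED = build_acs_validator(["192.168.1.10", "lighthouse.example.com"])
UNANCHORED = RECOMMENDED[1:-1]                # same pattern minus ^ and $
UNESCAPED = RECOMMENDED.replace("\\.", ".")   # dots left as regex wildcards


def filter_roles(roles, rule=r"LH_.*"):
    """Apply the Rule from step 4.7: keep each role whose name matches LH_.*.

    fullmatch is used so the regex has to describe the whole role name. Whether
    Onelogin itself anchors the rule regex is not stated on the page, so writing
    the rule as ^LH_.*$ in the console removes the doubt.
    """
    return [r for r in roles if re.fullmatch(rule, r)]


if __name__ == "__main__":
    for name, pattern in (("recommended", RECOMMENDED), ("unanchored", UNANCHORED), ("unescaped", UNESCAPED)):
        print(name, pattern)
        for label, ok in check_urls(pattern).items():
            print("   ", "ALLOW" if ok else "deny ", label)
    print(filter_roles(["LH_admin", "LH_netops", "Finance", "Admin_LH_x"]))
```

With the recommended pattern only the two real Lighthouses pass. Dropping the anchors lets through a URL on evil.example that merely contains the real URL, and the real URL with an extra path appended; leaving the dots unescaped lets lighthouse-example.com, a host anyone can register, pass.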

IdP Metadata
  1. Open your Onelogin application.

  2. Go to More Actions > SAML Metadata. This downloads the metadata XML file that you need to configure Lighthouse.

Configure Lighthouse
  1. Copy the metadata XML file to your primary Lighthouse.

  2. Using saml-idp-metadata on your primary Lighthouse, configure each of your Lighthouses to use your IdP, running it once per Lighthouse with that Lighthouse's id in -l. For example:
    saml-idp-metadata -p {root password} create -m /path/to/metadata.xml -P onelogin -n "My Onelogin display name" -l {LH id number}
    Note that -p places the root password on the command line, where it is visible in shell history and process listings.
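Before loading the metadata with saml-idp-metadata it is worth confirming that the file really is IdP metadata, carries a signing certificate, and names https SSO endpoints, because that certificate is what Lighthouse will trust assertions from. The following Python script is an added example, not code from the page, from Lighthouse or from Onelogin. The metadata in it is a constructed sample: the entityID, app id and endpoint URLs are placeholders in the shape Onelogin uses, and the X509Certificate is base64 of the letters A-Z rather than a real certificate. Compare the printed SHA-256 fingerprint against the certificate shown in your Onelogin console before trusting the file.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET  # use defusedxml for metadata from an untrusted source
from datetime import datetime, timezone

# SAML 2.0 metadata and XML-DSig namespaces.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample in the shape of an IdP metadata export. The entityID,
# endpoint URLs and app id are placeholders, and the X509Certificate is just
# base64 of the letters A-Z, not a real certificate.
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://app.onelogin.com/saml/metadata/example-app-id"
    validUntil="2030-01-01T00:00:00Z">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.onelogin.com/trust/saml2/http-redirect/sso/example-app-id"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.onelogin.com/trust/saml2/http-post/sso/example-app-id"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Same constructed document with a validUntil in the past, to show the expiry check firing.
EXPIRED_METADATA = SAMPLE_METADATA.replace('validUntil="2030-01-01T00:00:00Z"', 'validUntil="2020-01-01T00:00:00Z"')


def parse_saml_time(value):
    """Parse a SAML metadata timestamp (UTC 'Z', optional fractional seconds); None if absent."""
    if value is None:
        return None
    text = value.rstrip("Z")
    for fmt in ("%Y-%m-%dT%H:%M:%S", "%Y-%m-%dT%H:%M:%S.%f"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def signing_certs(idp):
    """DER bytes of every certificate usable for signing (use="signing" or no use attribute)."""
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            # Certificates are usually line-wrapped; drop all whitespace before decoding.
            certs.append(base64.b64decode("".join(cert.text.split())))
    return certs


def fingerprint(der):
    """Colon-separated uppercase SHA-256 fingerprint of DER bytes."""
    return ":".join("%02X" % b for b in hashlib.sha256(der).digest())


def check_idp_metadata(xml_text, now=None):
    """Summarise IdP metadata and list anything that should stop you loading it."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    summary = {"entity_id": root.get("entityID"), "sso": {}, "valid_until": None,
               "signing_cert_sha256": [], "problems": []}
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        summary["problems"].append("no IDPSSODescriptor: this is not IdP metadata")
        return summary
    for svc in idp.findall("md:SingleSignOnService", NS):
        binding = svc.get("Binding", "").rsplit(":", 1)[-1]  # e.g. HTTP-Redirect
        location = svc.get("Location", "")
        summary["sso"][binding] = location
        if not location.startswith("https://"):
            summary["problems"].append("SSO endpoint %s is not https: %s" % (binding, location))
    if not summary["sso"]:
        summary["problems"].append("no SingleSignOnService endpoint")
    summary["signing_cert_sha256"] = [fingerprint(der) for der in signing_certs(idp)]
    if not summary["signing_cert_sha256"]:
        summary["problems"].append("no signing certificate: assertions could not be verified")
    summary["valid_until"] = parse_saml_time(idp.get("validUntil") or root.get("validUntil"))
    if summary["valid_until"] and summary["valid_until"] < now:
        summary["problems"].append("metadata validUntil %s has passed" % summary["valid_until"])
    return summary


if __name__ == "__main__":
    s = check_idp_metadata(SAMPLE_METADATA)
    print("entityID:", s["entity_id"])
    for binding, url in s["sso"].items():
        print("SSO %s: %s" % (binding, url))
    for fp in s["signing_cert_sha256"]:
        print("signing cert SHA-256:", fp)
    print("problems:", s["problems"] or "none")
```

To run it on the real export, replace SAMPLE_METADATA with the file contents (or read the file and pass the text to check_idp_metadata). A missing signing certificate, a non-https endpoint or an expired validUntil means the file should not be loaded as-is.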

Roles Setup

After this initial setup, you will be able to log in as a SAML user.

If you do not already have your own User Groups set up in Lighthouse:

  1. Log in to Lighthouse as a local user (or any non-SAML user), for example root.

  2. Create the User Groups with the Roles and Permissions that you require.

  3. In Onelogin, go to Users > Roles.

  4. Click New Role.

    1. Set the Role’s name to match the Lighthouse group you want it to map to; the role name is what is sent in LH_Groups. If you configured the LH_.* filter Rule, the name must also match that rule.

    2. Select your Lighthouse app to associate the role with.

    3. Click Save.

  5. Open the newly created role.

  6. Go to the Users tab on the left.

  7. Search for and add your users, or create a mapping to automatically add multiple users.

  8. Click Save.

    1. If you used a mapping, go to Users > Mappings and run Reapply All Mappings.

  9. Click Done.

The assigned users can now log in to Lighthouse with the permission levels that the Onelogin Role / Lighthouse group grants them.