Incoming SAML 2.0 Single Sign-On with OneLogin

The purpose of establishing a Single Sign-On (SSO) process with Absorb is to give your Users a single point of entry into your system while providing access to multiple independent systems. With this process, a User logs in with a single ID to access many other systems without being prompted for separate Usernames and passwords.

This article covers Incoming SAML (Security Assertion Markup Language) 2.0 SSO for clients using OneLogin. It is an abridged, focused version of our full Incoming SAML 2.0 Single Sign-On article. For the purposes of this article, the Absorb system acts as the Service Provider (SP) and your OneLogin instance acts as the Identity Provider (IdP).

Please note that SSO is an additional feature that usually involves an additional fee and technical resources on the client side to develop or configure the solution.

Disclaimer

Absorb LMS supports Incoming SAML 2.0 Single Sign-On as a feature; however, we do not officially support any specific client-side (IdP) solution. Although OneLogin is known to generally work with our implementation of SAML SSO, it is the client's responsibility to configure, develop, and maintain their side of the integration. This requires a client resource who is knowledgeable about your particular OneLogin instance. This guide is provided as a convenience only, based on our past experience working with clients who use OneLogin.

 

OneLogin Setup

The first half of the configuration takes place in the OneLogin admin portal.

  1. Log in to OneLogin and go to Apps > Add Apps.

    OneLogin Apps menu with the Add Apps option selected
     

  2. Search for Absorb LMS, then select the SAML 2.0 version.

    Absorb LMS SAML 2.0 app in the OneLogin app search results
     

  3. On the initial Configuration tab, click Save to add the app to your Company Apps and display the additional configuration tabs.

    Save button on the OneLogin Configuration tab
     

  4. On the Configuration tab, enter your portal's Assertion Consumer Service URL in the SAML Consumer URL field, replacing company.myabsorb.com with your portal URL. This value tells OneLogin where to send the SAML message in Absorb:

    https://company.myabsorb.com/api/rest/v2/authentication/saml

    SAML Consumer URL field on the OneLogin Configuration tab
     

  5. On the Parameters tab, map the Absorb user attributes to your OneLogin attributes.

    Parameters tab mapping Absorb user attributes in OneLogin
     

  6. On the Access tab, assign the OneLogin roles that should have access to Absorb and apply any app security policy you want to enforce.

    You can also go to Users > All Users to add the app to individual user accounts, then return to this app configuration page to complete SSO setup.

  7. Click Save.
  8. On the SSO tab, copy the SAML values that you will enter in Absorb. You may find it helpful to open the Absorb Admin Experience in a separate tab so you can paste each value as you complete the Absorb Setup section below.

    OneLogin SSO tab showing the SAML values to copy
     

    The SSO tab provides two values you will need:

    • X.509 Certificate: Added to the Key field in Absorb. To copy it, click View Details, then click the Copy to Clipboard icon for the X.509 Certificate.
    • SAML 2.0 Endpoint (HTTP): Added to the Login URL field in Absorb.

    X.509 Certificate Copy to Clipboard option in OneLogin
     

    To use a different certificate, return to the SSO tab, click Change, select the new certificate, and repeat the steps above. To create a new X.509 Certificate, go to Settings > Certificates and click New.

    You can also obtain these values from the IdP metadata, which is available under the Issuer URL field.

 

Absorb Setup

Log in to the Absorb Admin Experience as a System Admin and navigate to Client Settings. Open the SSO card to create a new configuration or manage an existing one. If you cannot access these settings, reach out to your Absorb Client Success Manager to discuss enabling the feature.

 

The legacy Manage SSO Settings button under Portal Settings still works, but it now redirects you to Client Settings so you can continue from the SSO card. For more on this page, see The Client Settings Page.

Manage SSO Settings button in the Absorb context menu

 

In the SSO card, click Add and complete the fields as described below:

  • Key: Enter the X.509 Certificate you copied in Step 8, ensuring nothing but the certificate value is included. Remove the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines, along with any line breaks or spaces. Alternatively, click Upload Certificate to upload the key file and have Absorb extract the value automatically.
  • ID Property: Match the Absorb attribute you mapped in Step 5, usually the user's email address. You can confirm that your choice will not block any users with Validate SSO ID Property.
  • Login URL: Enter the SAML 2.0 Endpoint value from Step 8.
  • Logout URL: Enter the page users should land on after logging out of Absorb. Leave it blank to return users to the Absorb login page.
  • Automatically Redirect: Set this according to your preference.



 

 

Testing

After both sides are configured, confirm the integration works end to end:

  1. Verify that your Absorb User has the same email address as your OneLogin account, or create a test User  that does.
  2. Make sure you are logged out of Absorb.
  3. Give yourself or your test User access to the Absorb app in OneLogin.
  4. Log in to OneLogin.
  5. Click the Absorb icon on your OneLogin dashboard.

 

If you can access Absorb, your configuration is correct.

 

References

For additional guidance on the OneLogin side of the integration, see the following resource:

OneLogin Support Center

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.