SET UP SSO VIA ONELOGIN - SINGLE SIGN-ON VIA ONELOGIN VERSION 8.0 - CREATIO ACADEMY
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Set up SSO via OneLogin Single Sign-On via OneLogin Version 8.0
This documentation is provided under restrictions on use and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this documentation, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. © 2022 Creatio. All rights reserved.
Table of Contents | 3 Table of Contents Single Sign-On via OneLogin 4 Settings on OneLogin's end 4 Settings on Creatio's end 4 © 2022 Creatio. All rights reserved.
Single Sign-On via OneLogin | 4
Single Sign-On via OneLogin
PRODUCTS: ALL CREATIO PRODUCTS
You can use OneLogin SSO portal as a single sign-on point for all your services, including Creatio. For this, you
need to configure a number of settings both on the OneLogin and Creatio's end.
Attention. In the setup example below, we use https://site01.creatio.com/ as Creatio site address and
“appid” as application id in OneLogin. During the actual setup process, replace these values with your site
address and the id of the corresponding application in OneLogin.
Settings on OneLogin's end
1. Start the procedure by logging in to OneLogin using an administrator account.
2. Click [ Apps ] and select [ Add Apps ]. Enter “Creatio” in the search bar and select the Creatio application.
3. If needed, change the value in the [ Display name ] field, modify the application icons, or clear the [ Visible in
portal ] checkbox. These settings affect the way the website is displayed on the OneLogin site.
4. Click [ Save ].
5. Go to the [ Configuration ] tab and enter your website domain name in the [ Creatio site ] field (Fig. 1). For
example, “site01.”
Fig. 1 The website configuration page
Settings on Creatio's end
If you use Creatio cloud, prepare the setup information according to the instructions below and contact Creatio
support to apply the settings.
The single sign-on setup instructions below are intended for on-site customers. We strongly recommend
© 2022 Creatio. All rights reserved.Single Sign-On via OneLogin | 5
granting Creatio support temporary access to Creatio configuration or performing setup under the guidance of a
Creatio support specialist.
Follow these steps to set up single sign-on on Creatio's end:
1. Enter the SAML provider settings.
2. Set up the SSO authentication parameters.
3. Test the basic SSO scenarios.
4. Set up Just-In-Time User Provisioning (JIT).
5. Set SSO as the default option.
To do this:
1. Fill out the SAML provider settings by specifying the data of the SAML identification provider in the
saml.config file.
a. Specify your website's FQDN in the Name parameter.
Attention. The value of the ServiceProvider Name parameter must be identical to the Identifier value
specified on the ADFS identity provider's end. This is how it verifies that the SAML Assertion was
issued specifically for your application. We recommend using the FQDN of your website. For
example, https://site01.creatio.com/Demo_161215/. The URL must match verbatim, including the “/”
at the end.
b. Specify the IdP settings in the Partner Identity Provider section. You can view these settings in the
metadata file.
WantAssertionSigned – specify “false” if an encryption certificate will not be used during SAML
Assertion data exchange.
WantAssertionSigned="false"
SingleSignOnServiceUrl – URL of the identity provider's single sign-on. You can retrieve it from the
SAML 2.0 Endpoint (HTTP) on the trusted application page.
SingleSignOnServiceUrl="https://ts-dev.onelogin.com/trust/saml2/http-post/sso/appid"
SingleLogoutServiceUrl – URL of the identity provider's single sign-off. You can retrieve it from the
SLO Endpoint (HTTP) on the trusted application page.
SingleLogoutServiceUrl="https://ts-dev.onelogin.com/trust/saml2/http-redirect/slo/appid"
2. Enable the SSO provider in Creatio. To do this, modify the web.config file in the website root folder:
a. Enable using the SSO Auth providers on login:
© 2022 Creatio. All rights reserved.Single Sign-On via OneLogin | 6
SsoAuthProvider – identity provider for the main application.
SSPSsoAuthProvider – identity provider for the customer portal.
You can enable one or both providers.Single Sign-On via OneLogin | 7
4. Set up Just-In-Time User Provisioning (JIT). The Just-In-Time User Provisioning functionality complements
the single sign-on technology. It enables not only creating a user on the first login to Creatio but also updating
the contact page data with the data received from the identification provider on every login. Learn more: Just-
In-Time User Provisioning.
a. Add the JIT settings to web.config file in the Creatio root folder:
The user type is defined by the page they use to log in. If the Identity initiated scenario is used to log in,
specify the DefUserType value:
General – general user.
SSP – portal user.
d. Map the SAML Assertion fields to Creatio columns using the [ SAML field name converter to contact field
name ] lookup. You need this to ensure Creatio populates the contact fields correctly when creating new
users via Just-In-Time User Provisioning. If the field is empty or disabled in the identity provider data, you
can fill it out with the value specified in the [ Default value ] field of the lookup. Upon the next login, Creatio
will populate the contact fields specified in the lookup with either the values received from the provider or
with the current default values.
Note. If the lookup is missing from the lookup list, register it.
5. Set SSO as the default option upon login. We recommend following this step only after you finished the
previous steps successfully and made sure the SSO works correctly. This step will enable the Service Provider
(SP) initiated SSO. The standard Service Provider (SP) initiated scenario is as follows:
a. The user navigates to Creatio, they have no active sessions on the site.
b. They are redirected to the IdP where they authorize.
c. They are redirected back to Creatio with the IdP authorization results.
To set the SSO provider as the default option:
a. Enable Single Log Out in the web.config file in the Terrasoft.WebApp folder:
b. Select the [ Default value ] checkbox in the “SSO in mobile application” (“MobileUseSSO”) system setting to
use the Single Sign-On in the mobile application.
© 2022 Creatio. All rights reserved.You can also read
