Integrating OneLogin

This documentation is a detailed guide for setting up single sign-on (SSO) through OneLogin, leveraging SAML 2.0 or OIDC.

The following procedures require copying and pasting information between OneLogin and the Delinea Platform. We recommend opening both applications before you begin, and keeping both open until you are finished.

You do not need to configure both OIDC and SAML applications for your integration. Depending on your organization's infrastructure and preferences, you can choose either OIDC or SAML.

Prerequisites

On the Delinea Platform, you need to be an Admin with federation privileges.

In OneLogin, you need admin access to create a SAML or OIDC application.

Build a OneLogin SAML Application

  1. Log in to the OneLogin Dashboard.

  2. Navigate to Applications > Add App.

  3. Search for SAML, and select SAML Custom Connector (Advanced).

  4. When prompted, update the Display Name of your application.

    • Optionally, change the Visible in portal setting.

    • Optionally, provide images and a description for the application.

  5. Click Save.

  6. From the left navigation, select SSO.

  7. Update the SAML Signature Algorithm to SHA-256.

  8. Click Save.

  9. Navigate to More Actions from the top right menu.

  10. Download SAML Metadata.

  11. Navigate to Configuration and fill in the information below.

    OneLogin setting             | Delinea Platform setting
    -----------------------------|-------------------------------------------------------------
    Audience (Entity ID)         | From Advanced Settings, select and use the Customize certificate issuer sent to IDP value.
    ACS (Consumer) URL Validator | A valid RegEx matching the ACS (Consumer) URL (the Platform callback URL). Modify the example below according to the URL of your platform tenant: ^https:\/\/example\.delinea\.app\/identity-federation\/saml\/assertion-consumer$
    ACS (Consumer) URL           | Platform callback URL: https://{HOST-NAME}.delinea.app/identity-federation/saml/assertion-consumer

  12. Click Save.

  13. Go to Parameters and add the following custom attributes. For each field, make sure the Include in SAML assertion flag is selected.

SAML Custom Connector (Advanced) Field | Value
---------------------------------------|------------
DisplayName                            | Name
EmailAddress                           | Email
NameIdentifier                         | OneLogin ID
UserPrincipalName                      | Username

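The ACS (Consumer) URL Validator in the Configuration table is what OneLogin uses to decide which assertion consumer URLs it will deliver signed assertions to, so the pattern must match your tenant's callback URL and nothing else. The following added example (not part of this documentation or of the Delinea Platform) builds the validator for a tenant host in the documented format and checks it against a set of constructed URLs, beside a loosened variant that shows what the anchors and escaped dots prevent. The host example.delinea.app and all sample URLs are constructed.

```python
import re

# Validator from the Configuration table, for the example tenant host
# "example.delinea.app" (a constructed sample host; substitute your own tenant).
ACS_URL_VALIDATOR = r"^https:\/\/example\.delinea\.app\/identity-federation\/saml\/assertion-consumer$"

# A loosened variant (no anchors, unescaped dots), included only to show
# what the anchors and escapes in the real pattern prevent.
LOOSE_VALIDATOR = r"https://example.delinea.app/identity-federation/saml/assertion-consumer"

CALLBACK_PATH = "/identity-federation/saml/assertion-consumer"


def build_acs_validator(tenant_host: str) -> str:
    """Build the validator regex for a tenant host in the documented format.

    Only the dots in the host need escaping; the path contains no regex
    metacharacters. Slashes are escaped to match the documented example.
    """
    host = tenant_host.replace(".", r"\.")
    path = CALLBACK_PATH.replace("/", r"\/")
    return rf"^https:\/\/{host}{path}$"


def acs_url_allowed(url: str, pattern: str = ACS_URL_VALIDATOR) -> bool:
    """True if `url` passes `pattern`.

    re.search models a validator that accepts a match anywhere in the string,
    which is exactly why the ^ and $ anchors in the pattern matter.
    """
    return re.search(pattern, url) is not None


# Constructed test URLs: the genuine callback plus four that must be rejected.
SAMPLE_URLS = [
    "https://example.delinea.app/identity-federation/saml/assertion-consumer",
    "https://exampleXdelinea.app/identity-federation/saml/assertion-consumer",
    "https://example.delinea.app/identity-federation/saml/assertion-consumer/extra",
    "https://example.delinea.app.other.example/identity-federation/saml/assertion-consumer",
    "http://example.delinea.app/identity-federation/saml/assertion-consumer",
]


def evaluate(pattern: str = ACS_URL_VALIDATOR) -> list[bool]:
    """Evaluate every sample URL against `pattern`, in SAMPLE_URLS order."""
    return [acs_url_allowed(u, pattern) for u in SAMPLE_URLS]


if __name__ == "__main__":
    for url, strict, loose in zip(SAMPLE_URLS, evaluate(), evaluate(LOOSE_VALIDATOR)):
        print(f"strict={strict!s:5} loose={loose!s:5} {url}")
```

Only the first URL passes the documented pattern. The loosened pattern also accepts a host with one character swapped for the dot and a URL with extra path segments appended, which is why the example on this page escapes every dot and anchors both ends.
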
Add the Provider to the Platform

  1. Log in to the Delinea Platform.

  2. Navigate to Settings > Federation providers.

  3. Click Add Provider and select SAML. The Add Provider page opens.

Settings

In the Settings section, the first fields are automatically populated when you select the SAML provider configuration file and click Apply.

  1. SAML provider configuration: Click Select file.

  2. Navigate to and select the federation metadata XML file you downloaded. Apply appears above the right end of the SAML provider configuration field.

  3. Click Apply. The words Uploaded successfully will appear next to SAML provider configuration, and the empty fields below will be auto-populated:

    • Name: Auto-generated from metadata

    • Protocol: SAML (auto-filled)

    • Status: Disabled

    • Entity ID [example: https://sts.windows.net/808444af-4011-40d5-9b0a-a9a5c95f88e9/]

    • IDP Certificate: Click Select File, then navigate to and select the Signing Certificate file you downloaded, to populate the following fields:

      • Signature

      • Algorithm

      • Thumbprint

      • Not valid before

      • Not valid after

      • Issuer

  4. IDP Login URL: Paste in the Login URL copied from your new OneLogin SAML application.

  5. IDP Logout URL: Paste in the Logout URL copied from your new OneLogin SAML application.

  6. Platform Callback URL: https://[HOST-NAME].delinea.app/identity-federation/saml/assertion-consumer
    Copy the Platform Callback URL and paste it into the ACS (Consumer) URL field of your new OneLogin SAML application.

  7. Platform Logout URL: https://[HOST-NAME].delinea.app/identity-federation/saml/logout-consumer

  8. Status: Select the box next to Enabled.

Advanced Settings

See Advanced Settings (SAML only) under Federation Management.

Attribute Mappings

In the Attribute Mappings section, update these attributes as follows:

Source            | Destination
------------------|------------
DisplayName       | displayname
EmailAddress      | email
NameIdentifier    | sub
UserPrincipalName | upn

Also see Attribute Mappings under Federation Management.

Group Mappings

See Group Mapping under Federation Management.

User Mappings

See User Mappings under Federation Management.

Domains

  1. Click Add Domain and enter the domain from the email addresses of the users you are including in this federation.

  2. When all required fields are populated, click Add Provider.
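
To make the Attribute Mappings and Domains sections concrete, here is an added example (not code from this documentation or from the Delinea Platform) that extracts the four attributes a OneLogin assertion carries under the names from the Parameters table, renames them to the destinations in the Attribute Mappings table, requires sub and email to be present, and then applies the Domains rule by checking the email domain against the federated domains. The assertion XML, its issuer and all user values are constructed; a real assertion also carries a signature that must be verified before any attribute is trusted, which this example does not do.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Source -> Destination, exactly as in the Attribute Mappings table.
ATTRIBUTE_MAPPINGS = {
    "DisplayName": "displayname",
    "EmailAddress": "email",
    "NameIdentifier": "sub",
    "UserPrincipalName": "upn",
}

# Constructed sample assertion: issuer, ID and user values are made up.
# Only the AttributeStatement is modelled; signature handling is out of scope.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example/saml/metadata</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="DisplayName">
      <saml:AttributeValue>Ada Lovelace</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="EmailAddress">
      <saml:AttributeValue>ada@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="NameIdentifier">
      <saml:AttributeValue>12345678</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="UserPrincipalName">
      <saml:AttributeValue>ada@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same assertion with the NameIdentifier attribute renamed, to exercise the
# missing-required-attribute path.
MISSING_SUB_ASSERTION = SAMPLE_ASSERTION.replace('Name="NameIdentifier"', 'Name="Unmapped"')


def extract_attributes(assertion_xml: str) -> dict[str, str]:
    """Collect Attribute Name -> first AttributeValue from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        if value is not None and value.text:
            found[attr.get("Name")] = value.text.strip()
    return found


def map_attributes(source_attrs, mappings=ATTRIBUTE_MAPPINGS, required=("sub", "email")):
    """Rename source attributes to destination names; fail if a required one is absent."""
    mapped = {dest: source_attrs[src] for src, dest in mappings.items() if src in source_attrs}
    missing = [dest for dest in required if dest not in mapped]
    if missing:
        raise ValueError(f"assertion lacks attributes for: {', '.join(missing)}")
    return mapped


def domain_allowed(email: str, federated_domains) -> bool:
    """Domains rule: only users whose email domain was added to the provider
    belong to this federation. Domain comparison is case-insensitive."""
    _, _, domain = email.rpartition("@")
    return bool(domain) and domain.lower() in {d.lower() for d in federated_domains}


def process_assertion(assertion_xml: str, federated_domains) -> dict[str, str]:
    """Extract, map and domain-check; returns the mapped attributes or raises ValueError."""
    attrs = map_attributes(extract_attributes(assertion_xml))
    if not domain_allowed(attrs["email"], federated_domains):
        raise ValueError(f"email domain not federated: {attrs['email']}")
    return attrs


def assertion_error(assertion_xml: str, federated_domains):
    """The rejection reason for an assertion, or None when it is accepted."""
    try:
        process_assertion(assertion_xml, federated_domains)
    except ValueError as exc:
        return str(exc)
    return None
```

With the federated domain example.com the sample assertion maps to displayname, email, sub and upn; dropping the NameIdentifier attribute is reported as a missing sub, and a user from a domain that was not added under Domains is rejected before any attribute is used.
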

Build a OneLogin OIDC Application

  1. Log in to the OneLogin Dashboard.

  2. Navigate to Applications > Add App.

  3. Search for OpenID Connect (OIDC).

  4. When prompted, update the Display Name of your application.

  5. Optionally, provide images for the application, and a description.

  6. Click Save.

  7. Continue with Configuration of the newly created application by updating the Redirect URI.

    OneLogin     | Delinea Platform
    -------------|---------------------------------------------------------------
    Login URL    | Optional. You can set this to your tenant URL (for example, https://example.delinea.app).
    Redirect URL | Platform Callback URL. This value is generated automatically when you configure an OIDC federation provider on the Delinea Platform; see step 7 in the Settings section below.

  8. Next, navigate to SSO and make note of the Client ID, Client Secret, and Issuer URL for use with your OIDC-enabled application. You will need this information when setting up the OneLogin federation provider in the Delinea Platform.

  9. Continue with the SSO settings.

    Setting          | Value
    -----------------|------
    Application Type | Web
    Token Endpoint   | POST

  10. Save the application settings.

  11. Optionally, on the Users page, add users/groups who should have access to this application.

Add the Provider to the Platform

  1. Click Settings from the left navigation, then click Federation Providers.

  2. Click Add Provider.

  3. Select OIDC from the drop-down menu. The Add Provider page opens.

Settings

  1. Name: Enter a unique name.

  2. Status: Select the box next to Enabled.

  3. Endpoint URL: This URL is based on your OneLogin tenant ID. Paste in the Issuer URL you noted from the SSO page of your OneLogin OIDC application.

  4. Client ID: Paste in the Client ID from your new IdP OIDC application page.

  5. Client Secret: Paste in the Client Secret from your new IdP OIDC application page.

  6. Prompt: See Prompt for Re-authentication (OIDC only) under Federation Management.

  7. Platform Callback URL: Copy the platform callback URL and paste it into the Redirect URIs field in your new IdP application.

Attribute Mappings

Source                                                               | Destination
---------------------------------------------------------------------|------------
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress   | email
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | sub
name                                                                 | displayname
preferred_username                                                   | upn

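The OIDC provider settings above come down to three values from the OneLogin application's SSO page: the Issuer URL (Endpoint URL), the Client ID and the Client Secret. The following added example (not code from this documentation or from the Delinea Platform) shows what a relying party does with the first two once a token comes back: it derives the discovery document location from the issuer, decodes a constructed ID token, checks iss against the configured issuer, aud against the Client ID, exp against the clock and nonce against the value sent in the request, and finally renames the claims using the Attribute Mappings table above. The issuer https://idp.example/oidc, the client ID and all claim values are constructed placeholders, not OneLogin values; the sample token carries a dummy signature, and signature verification against the issuer's published keys is not modelled here.

```python
import base64
import json
import time

# Constructed placeholders standing in for the Issuer URL and Client ID noted
# from the OneLogin application's SSO page; they are not real OneLogin values.
CONFIGURED_ISSUER = "https://idp.example/oidc"
CLIENT_ID = "constructed-client-id"

# Source claim -> Platform attribute, as in the Attribute Mappings table.
CLAIM_MAPPINGS = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "sub",
    "name": "displayname",
    "preferred_username": "upn",
}


def discovery_url(issuer: str) -> str:
    """OIDC Discovery metadata location derived from the issuer URL."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_id_token(payload: dict) -> str:
    """Constructed ID token for the example. The third segment is a dummy
    signature, so this token would never pass real signature verification."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.{_b64url_encode(b'dummy-signature')}"


def decode_claims(id_token: str) -> dict:
    """Decode the payload segment only. This does not verify the signature;
    a relying party verifies it against the issuer's JWKS before trusting claims."""
    _, body, _ = id_token.split(".")
    return json.loads(_b64url_decode(body))


def validate_claims(claims, issuer=CONFIGURED_ISSUER, client_id=CLIENT_ID, nonce=None, now=None):
    """Return the list of failed checks; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss does not match the configured Endpoint (Issuer) URL")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        problems.append("aud does not include this Client ID")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("token is expired or has no exp")
    if nonce is not None and claims.get("nonce") != nonce:
        problems.append("nonce mismatch (possible replay)")
    return problems


def map_claims(claims, mappings=CLAIM_MAPPINGS) -> dict:
    """Rename source claims to the Platform attribute names from the table."""
    return {dest: claims[src] for src, dest in mappings.items() if src in claims}


# Constructed sample claims as a OneLogin ID token might carry them.
SAMPLE_CLAIMS = {
    "iss": CONFIGURED_ISSUER,
    "aud": CLIENT_ID,
    "exp": 1_700_000_600,
    "iat": 1_700_000_000,
    "nonce": "n-1",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "ada@example.com",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "12345678",
    "name": "Ada Lovelace",
    "preferred_username": "ada@example.com",
}
```

The iss check is what ties the token back to the Endpoint URL you configured, and the aud check ties it to the Client ID you pasted in; a token issued for a different application or by a different tenant fails here even if its signature is valid. Enabling debugging in the Federation console, as described under Test Configuration, is where a failed mapping or claim check on the Platform side becomes visible.
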
Group Mappings

See Group Mapping under Federation Management.

User Mappings

See User Mappings under Federation Management.

Domains

  1. Click Add Domain and enter the domain from the email addresses of the users you are including in this federation.

  2. Optionally enable the Status of the provider.

  3. When all required fields are populated, click Add Provider.

Test Configuration

Before testing, make sure you address the following:

  • Be sure that you have a OneLogin user that you can use for testing. If not, go to the Users tab on the OneLogin dashboard and add one.

  • Make sure the OneLogin user has access to the application you created.

  • Navigate to your provider in the Platform and enable debugging in the Federation console.

  • Launch an incognito window, navigate to the Delinea Platform, and log in with your OneLogin user.

Known limitations

  • OneLogin does not appear to recognize the login_hint provided by the Delinea Platform, for either SAML or OIDC.

  • When using OIDC with a Login URL set in OneLogin (for example, https://example.delinea.app), users can be redirected from the OneLogin application portal to the Platform’s login page, enabling an SP-initiated authorization flow.