Configuring SAML OneLogin

To access Secret Server using OneLogin for SAML, follow the steps below for OneLogin, then follow the steps for Secret Server.

Step One: OneLogin

  1. Navigate to your OneLogin instance and log in as an administrator.

  2. Select Administration > Apps > Add Apps.

    image-one-login-add-apps

  3. Search for SAML Test Connector (IDP) and select it, then click Save.

    image-test-connector

  4. Click on the Configuration tab and fill out the details as described below:

    image-configuration

    • RelayState can be left blank.

    • Audience is the name of the Service Provider configured in Secret Server (for instance "SecretServerServiceProvider").

    • Recipient can be left blank.

    • ACS (Consumer) URL Validator a required field that needs to be a valid RegEx of the ACS (Consumer) URL.

      Modify the text in the example below according to the URL string of your Secret Server instance:

      https:\/\/instance\.example\.com\/saml\/assertionconsumerservice\.aspx$

    • ACS (Consumer) URL like the step above, but no longer in RegEx format.

      Modify the text in the example below according to the URL of your Secret Server:

      https://instance.example.com/saml/assertionconsumerservice.aspx

    • Single Logout URL the Secret Server URL for SLO (Single Logout):

      https://instance.example.com/saml/sloservice.aspx

  5. Click Save when done.

  6. Click More Actions and SAML Metadata to download the metadata for OneLogin.

    image-one-login-saml-metadata

Step Two: Secret Server

  1. Log into your Secret Server instance, then go to Admin > Configuration > SAML tab and click Create New Identity Provider.

    image-SecretServer-create-new-saml-provider

  2. Click Import IDP from XML Metadata and select the OneLogin metadata you saved previously. If you don't see the file, you may need to change the metadata filetype to .xml

    image-SecretServer-import-idp-xml

  3. To add users to OneLogin, navigate to OneLogin and log in as an administrator once more, then click Administration > Users > New User.

    image-one-login-save-user

  4. Fill out the required information and click Save when finished.

    If you are using a Secret Server local account or Secret Server Cloud, the username will be in email format and it must be identical on OneLogin and Secret Server. For an Active Directory account, it should be the samAccountName.

  5. Click on the Applications tab, then click the plus sign (+).

    image-one-login-add-app

  6. Select SAML Test Connector (IDP), then click Continue.

    image-one-login-test-connector

  7. Enter the user's Secret Server username (email format) then click Save.

    image-one-login-username

  8. Mouse over More Actions and click Change Password to give the user a login password.

    image-one-login-change-pw2

  9. In another browser or in incognito mode, log into your OneLogin instance as the user you just created. If prompted to add OneLogin to your browser, click Skip.

  10. You should see the SAML Test Connector (IDP). Click on it to authenticate into Secret Server using the SAML workflow.

    image-test-connector