Omnilert can be configured to allow single sign-on using OneLogin's unified account management/access products (see www.onelogin.com) via Omnilert's Shibboleth / SAML connector.*
Once configured, you can assign Omnilert access through OneLogin using OneLogin's app management features. (Please see OneLogin support for details on granting your OneLogin user accounts access to apps like Omnilert.)
This setup will allow Subscribers to access Omnilert using OneLogin credentials.
This guide will walk you through the process of adding and configuring OneLogin for use with Omnilert.
OneLogin App Configuration
You will need to be an administrator for your OneLogin system to configure SSO for applications. To configure Omnilert as an "app" inside of your OneLogin system, log into OneLogin's administrative portal.
Adding the Omnilert app
Inside OneLogin's administrative portal, go to Apps > Add Apps.
Then search for "Omnilert" in the search box provided.
Select Omnilert to add the Omnilert app to your OneLogin instance.
You will see a preview of the name and icon for this app. Edit the name (if re-branding) or just click Save (recommended).
Adding the 'omnilertUsername' parameter
Next, we need to edit the SAML attributes returned by OneLogin to add a special parameter for the username in Omnilert (omnilertUsername).
Click Parameters from the sub-menu and then click Add parameter.
The parameter we need to add is called omnilertUsername, which is a non-scoped SAML username.
Note: The name is case-sensitive and must be entered precisely as shown.
Be sure to also select Include in SAML assertion and then click Save.
Configure the omnilertUsername parameter
Next, we need to link the omnilertUsername to a value from OneLogin's user record. Select whichever field you would like linked to the subscriber's username in Omnilert from the available fields. (e.g. Username, userPrincipalName, or whatever field best suits your instance.)
Click on the new omnilertUsername parameter and select Username from the Value drop-down. Then click Save.
(Note: You do not have to link omnilertUsername to Username. Select whichever field matches what you'd like to see used in Omnilert's system as the subscribers' usernames.)
OneLogin SSO Settings
In the OneLogin App configuration, click on the SSO tab, set the "SAML Signature Algorithm" to SHA-512, and then click Save.
Omnilert's Shibboleth SAML settings will need two fields from OneLogin's setup SSO screen.
(See Single Sign-On: Shibboleth / SAML Settings)
From OneLogin's SSO screen, copy the Issuer URL for use as the "Entity ID" and the SLO Endpoint (HTTP) for use as the "Logout Redirect URL".
These will be used in Omnilert's settings.
Exporting the metadata for Omnilert
Next, you will need to download OneLogin's SAML metadata and send it to Omnilert. Omnilert must have your metadata imported for Shibboleth / SAML authentication to work properly.
At the top of the app page, click More Actions and select "SAML Metadata" from the menu.
This will download an XML file containing your OneLogin metadata to your local computer.
Download and save the metadata file. Do not edit or change any content of the metadata file. Then email your metadata as an attachment to your Omnilert account manager and CC that email to support@omnilert.com with the subject "OneLogin Metadata" so that we know what it's for.
Omnilert's network team will import your OneLogin metadata for you.
(Please note that the metadata import process may take one or two business days to be completed.)
Omnilert Shibboleth / SAML Setup
Once Omnilert has received and imported your OneLogin metadata, you should be ready to configure and test the login process.
In Omnilert, open the Settings > Single Sign-On > Shibboleth / SAML settings from the main menu.
- Input the OneLogin Issuer URL as the Omnilert Identity Providers Entity ID.
- Input the OneLogin SLO Endpoint (HTTP) as the Omnilert Logout Redirect URL
Then click Update Settings to save the settings.
The page will reload with two URLs:
- Shibboleth Page Link: This will be your Single Sign-On URL for Omnilert. Use this link in production websites. When your end-users click on this link, they'll log into Omnilert using their OneLogin username/password.
- Check Attributes Link: Use this URL to test the attributes being released by OneLogin to Omnilert. This is helpful for troubleshooting. You can use this tool to see what Omnilert is provided as a username, first name, and last name without affecting production systems.
We recommend performing a quick test using the "Check Attributes Link" to make sure that login works and the proper username is being passed to Omnilert from OneLogin before going "Live".
Enabling Admin SSO via OneLogin (OPTIONAL)
Omnilert can be configured to allow administrators to log in via Single Sign-On (SSO) using OneLogin. To enable this function, you will need to modify your app on OneLogin to release an additional attribute.
In OneLogin, go to the "Omnilert" application and then go to the Parameters section and click the + icon to add a new Parameter (attribute)...
Next, name the new field omnilertMail (Please note that this setup is case-sensitive!). Select the box to "Include in SAML assertion" and then click Save
Next, set the Value as Email and click Save.
Once completed, your OneLogin system will pass the required email address to allow for admin logins in Omnilert. (See: Single Sign-On: Admin logins via Shibboleth/SAML)
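The two settings in this guide that most often go wrong are the case-sensitive parameter names and the signature algorithm. As an added example (not part of Omnilert's or OneLogin's tooling), the checker below inspects a decoded SAML assertion captured during a test login and lists such problems. It assumes each OneLogin parameter name appears as the Attribute Name in the assertion; the sample assertion is constructed and deliberately misconfigured.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed, trimmed assertion: SHA-1 signature method and a wrong-case attribute name.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  </ds:SignedInfo></ds:Signature>
  <saml:AttributeStatement>
    <saml:Attribute Name="OmnilertUsername">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, require_admin=False):
    """Return a list of configuration problems found in a decoded SAML assertion."""
    root = ET.fromstring(xml_text)
    problems = []
    algs = [m.get("Algorithm", "") for m in root.iterfind(".//ds:SignatureMethod", NS)]
    if not algs:
        problems.append("no ds:SignatureMethod found (is the assertion signed?)")
    for alg in algs:
        if not alg.lower().endswith("sha512"):
            problems.append("signature algorithm is %s, expected SHA-512" % alg)
    attrs = {}
    for a in root.iterfind(".//saml:Attribute", NS):
        vals = [(v.text or "").strip() for v in a.iterfind("saml:AttributeValue", NS)]
        attrs[a.get("Name")] = [v for v in vals if v]
    # omnilertMail is only needed when admin SSO is enabled.
    required = ["omnilertUsername"] + (["omnilertMail"] if require_admin else [])
    for name in required:
        if attrs.get(name):
            continue
        near = [n for n in attrs if n and n.lower() == name.lower() and n != name]
        if near:
            problems.append("%s sent as %r; the name is case-sensitive" % (name, near[0]))
        else:
            problems.append("%s missing or empty" % name)
    return problems
```

An empty list means the assertion carries the expected attributes and a SHA-512 signature method; it does not validate the signature itself.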
*Note: Omnilert 6 or later is required for this OneLogin SAML connector.