New with Fonolo is the ability to integrate your SAML2 Single Sign On with the Fonolo Portal. This guide will walk you through setting up Fonolo’s SSO with OneLogin.
1. Add Fonolo as an App
After logging in as an Administrator into OneLogin, start by going to APPS (1), then click on Add Apps (2).
In the search bar at the top of the page, search for the SAML Test Connector (IdP), and select it (1). We will be using this connector in order to establish the SSO connection to Fonolo.
In the Display Name field (1), enter a name for this App. Optionally, you can also add a rectangular icon (2) and a square icon (3) for this app. Click the Save button (4) before moving on.
You can click and save the following images to use as the icons:
Next, click on the Configuration tab to continue.
Configuration Tab
On the Configuration tab, there are 6 fields, 4 of which need to be filled out with the following info, exactly as shown. The ReadyState and Single Logout URL fields can both be left blank.
- Audience (1) – https://portal.fonolo.com/saml
- Recipient (2) – https://portal.fonolo.com/saml
- ACS (Consumer) URL Validator (3) – https://portal.fonolo.com/saml/metadata
- ACS (Consumer) URL (4) – https://portal.fonolo.com/saml
Click the Save button (5) before moving on to the next tab.
Parameters Tab
On the Parameters tab, there are 5 parameters that need to be added, exactly as shown (1). Click the Add parameter button (2) to begin adding them.
Adding a New Parameter
To add the required parameters, start by entering the Field Name in the popup. There are 5 Parameters that need to be confirmed. Their Field Names are:
- FirstName
- LastName
- FonoloRole
- NameID (fka Email)
The Field Name must be entered exactly as shown, without any spaces, and the exhibited capitalization.
Pick one to start by entering it as the Field Name (1), as in the example below. Ensure you click Include in SAML Assertion (2). Then click the Save button (3).
You will then need to match the parameter to the corresponding Value in OneLogin (1), as shown below.
The FonoloRole Field Name can be mapped to any Value you prefer to use in OneLogin. Ideally, you will use a Custom User Field for this.
Again, ensure you click Include in SAML Assertion (2). Then click the Save button (3). This must be done for all 5 parameters, as shown in the initial screenshot.
The parameter NameID (fka Email) might already exist. This may be left as is, and the remaining 4 added as shown above.
Once all of the parameters have been added, click the Save button, and continue to the SSO tab. The Rules tab may be skipped as it is not needed for this setup.
SSO Tab
On the SSO tab, start by ensuring that Standard Strength Certificate (2048-bit) is selected for the X.509 Certificate (1). The SAML Signature Algorithm (2) should be set as SHA-256.
Copy and paste the Issuer URL (3) and the SAML 2.0 Endpoint (HTTP) (4) for use later in the Fonolo Portal.
Click the Save button (5) to finish setting up the App.
2. Add App to Users
Now that the App has been created, we need to add OneLogin Users to this App in order for your team members to have access to Fonolo. Start by going to Users (1), then click on All Users (2).
Next, click on the User (1) that you wish to grant SSO access to the Fonolo Portal.
On the User’s Applications tab, click the + icon (1) to select the new App that you just created.
In the popup, ensure that all of the information for the User is correct. Of special note, ensure that Show This App in the Portal is checked (1), and that the FonoloRole field contains one of the following 3 choices ONLY:
- StatsUser
- StandardUser
- AccountManager
Click the Save button (3) to complete the process. Repeat the above steps for each User you wish to provide SSO access to the Fonolo Portal.
3. Download the Certificate
Next is to download the OneLogin IdP Certificate. Start by going to Settings (1), and then click on Certificates (2).
Next click on the Standard Strength Certificate (2048-bit) (1) to open it up.
Ensure that the certificate is configured with SHA256 as the SHA Fingerprint (1), and X.509 PEM formatted RSA Certificate (2).
Fonolo is able to work with PEM or DER formatted RSA certificates. DSA certificates are not supported at this time.
Save any changes (3), and then download the certificate (4) to your computer for use in setting up SSO in the Fonolo Portal.
4. Fonolo Portal Setup
Next is to configure the Fonolo Portal for SSO. You will need to be logged in as an Account Manager in the Fonolo Portal. Start by going to Admin (1), then click on Settings (2).
Next, click on the Security Tab (1).
Then, click on Single Sign-On (1).
Start by clicking the green Add Single Sign-On Profile button (1) in the top right.
Using the example below, start by giving the SSO Profile a label (1) for reference within the Fonolo Portal. Copy the Issuer URL you had previously saved from the OneLogin Portal, and enter it in the next field (2). The SAML 2.0 Endpoint (HTTP) from the OneLogin Portal will go into the SAML Endpoint field (3) next.
Click the Browse button (4) and select the certificate that you had downloaded from the OneLogin Portal. It should upload and process automatically. Request Binding (5) should be set as HTTP Redirect.
Lastly, in the Email Domains field (6), list out the domains of the corporate email addresses that your Users will use. These should not be webmail address (gmail, hotmail, etc.) and should only include your corporate domains.
Account Creation and Account Update should checked by default, and will allow you to automatically generate and update Fonolo User Accounts during SSO login.
The Required Attributes can be left as the default settings unless further customization is needed. You can now save the profile, and SSO setup is complete.
5. Testing Login
To test out the new SSO connectivity, log in as a user in the OneLogin Portal that you have added the App to.
Click on the Fonolo Portal Login App (1), and you should be redirected in a new tab to the Fonolo Portal, logged in as the user type specified in the OneLogin Portal.