You can integrate your SAML2 Single Sign-On (SSO) with the Fonolo Portal through OneLogin. This guide will walk you through setting up the Fonolo SSO.
Add Fonolo as an App
- Log in to OneLogin as an Administrator.
- On the OneLogin home page, go to Applications.
- Select Add App.
- In the search bar at the top of the page, search for and then select SAML Test Connector (Advanced). This connector is used to establish the SSO connection to Fonolo.
- Enter a name for the App in Display Name.
- Save and then go to the Configuration tab to continue.
Configuration Tab
- Enter the application details exactly as follows. Fields that are not shown can be left as default:
| Field Name | Required Value |
| --- | --- |
| Audience (EntityID) | https://portal.fonolo.com/saml |
| Recipient | https://portal.fonolo.com/saml |
| ACS (Consumer) URL Validator | https://portal.fonolo.com/saml/metadata |
| ACS (Consumer) URL | https://portal.fonolo.com/saml |
| SAML signature element | Assertion |
- Save and then go to the Parameters tab to continue.
Parameters Tab
On the Parameters tab, there are five parameters that must be added, exactly as shown.
- Select Add Parameter. The New Field dialog opens.
- Enter the parameter in Field Name. The parameters (and their values) that must be confirmed are:
| Parameter | Value |
| --- | --- |
| FirstName | First Name |
| LastName | Last Name |
| FonoloRole | Title |
| Email | Email |
| NameID value | Email |
- For each value, make sure that the Include in SAML assertion check box is selected and then select Save. The Edit Field dialog opens.
- Match each parameter to its corresponding Value in OneLogin. Make sure that the Include in SAML assertion check box is selected.
- Save the new parameter.
- Repeat steps 9 to 13 (from Select Add Parameter through Save the new parameter) for each parameter until all five parameters have been added and mapped to the appropriate value.
- Save and then go to the SSO tab to continue.
SSO Tab
- Make sure that X.509 Certificate is set to Standard Strength Certificate (2048-bit).
- Make sure that the SAML Signature Algorithm is set to SHA-256.
- Copy the Issuer URL and the SAML 2.0 Endpoint (HTTP) to a safe place for use later in setting up SSO in the Fonolo Portal.
- Select Save. The Fonolo app is now set up in OneLogin.
Add Users to the App
Now that the Fonolo App has been created, you must add OneLogin users so that your team members can have SSO access to the Fonolo Portal.
- On the OneLogin home page, go to Users > Users.
- Select the User to be given SSO access.
- Go to the Applications tab for the user.
- Select Add Application and select the Fonolo App. The Edit Login dialog opens.
- Make sure that all the information for the user is correct, including that Show this app in Portal is selected and that FonoloRole contains one of the following roles, depending on the level of access that the user needs:
  - StatsUser
  - StandardUser
  - AccountManager
  Go to Account Role Types for more information on roles and their permissions.
- Select Save.
- Repeat steps 1 to 6 for each user that needs SSO access to the Fonolo Portal.
Download the Certificate
Next, you must download the OneLogin IdP Certificate.
- On the OneLogin home page, go to Security > Certificates.
- Select Standard Strength Certificate (2048-bit). The settings dialog for the certificate opens.
- Make sure that SHA Fingerprint is set to SHA256 and that the certificate is an RSA certificate in X.509 PEM format.
- Save your changes, and then Download the certificate to a safe place for use later in setting up SSO in the Fonolo Portal.
Set Up the Fonolo Portal
Next, you must configure the Fonolo Portal for SSO.
- Log in to the Fonolo Portal as a user with the Account Manager role.
- Go to Admin > Settings > Security > Single Sign-On.
- Select Add Single Sign-On Profile. The Update SSO Profile dialog opens.
- Set up the SSO Profile:
  - Enter a name for the SSO Profile in SSO Label. This name will be used within the Fonolo Portal.
  - Paste the Issuer URL that was saved in the OneLogin Portal into Issuer URL.
  - Paste the SAML 2.0 Endpoint (HTTP) that was saved into SAML Endpoint.
  - Select Browse next to the IdP Certificate field and select the X.509 Certificate that was downloaded. The certificate uploads and processes automatically.
  - In Request Binding, select HTTP Redirect.
  - In Email Domains, enter the domains of the corporate email addresses your users will use to sign in. Do not enter webmail domains (gmail, hotmail, yahoo).
  - Make sure that the Account Creation and Account Update check boxes are selected. This lets you generate and update Fonolo Portal user accounts during SSO login.
- Select Save Profile. The SSO setup is now complete.
Test the Login
To test out the new SSO connectivity:
- Log in to the OneLogin Portal as a new user that you have added the Fonolo app to.
- Select the Fonolo Portal Login app. The Fonolo Portal opens, with the user logged in with the role given in the OneLogin Portal.
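If the test login fails, the assertion OneLogin sends can be checked against the values configured in this guide: Audience, Recipient, a signed Assertion using SHA-256, the parameters, and the allowed FonoloRole values. The following Python check is an added example, not Fonolo or OneLogin code. It assumes each parameter's Field Name appears as the SAML Attribute Name, uses a constructed sample assertion (`sample` and `lint_assertion` are hypothetical names), and inspects structure and values only; it does not verify the signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SP_URL = "https://portal.fonolo.com/saml"  # Audience and Recipient values from the guide
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
ROLES = {"StatsUser", "StandardUser", "AccountManager"}
REQUIRED = ("FirstName", "LastName", "FonoloRole", "Email")  # assumed Attribute names

def lint_assertion(xml_text):
    """List mismatches with the guide's settings. Does NOT verify the signature."""
    root = ET.fromstring(xml_text)  # intended for XML captured from your own test login
    a = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", NS)
    if a is None:
        return ["no Assertion element found"]
    problems = []
    method = a.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None:
        problems.append("Assertion element is not signed")
    elif method.get("Algorithm") != RSA_SHA256:
        problems.append("signature algorithm is not SHA-256")
    if a.findtext(".//saml:Audience", "", NS).strip() != SP_URL:
        problems.append("Audience mismatch")
    scd = a.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_URL:
        problems.append("Recipient mismatch")
    attrs = {x.get("Name"): x.findtext("saml:AttributeValue", "", NS).strip()
             for x in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    problems += [f"missing attribute {n}" for n in REQUIRED if not attrs.get(n)]
    if attrs.get("FonoloRole") and attrs["FonoloRole"] not in ROLES:
        problems.append(f"unknown FonoloRole {attrs['FonoloRole']!r}")
    if a.findtext("saml:Subject/saml:NameID", "", NS).strip() != attrs.get("Email"):
        problems.append("NameID is not the Email value")
    return problems

def sample(role="StandardUser", alg=RSA_SHA256):
    """Constructed assertion skeleton: placeholder user, no real signature value."""
    vals = dict(FirstName="Ada", LastName="Example", FonoloRole=role, Email="ada@example.com")
    stmt = "".join(f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}'
                   '</saml:AttributeValue></saml:Attribute>' for k, v in vals.items())
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}"><ds:Signature>'
            f'<ds:SignedInfo><ds:SignatureMethod Algorithm="{alg}"/></ds:SignedInfo>'
            '</ds:Signature><saml:Subject><saml:NameID>ada@example.com</saml:NameID>'
            f'<saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{SP_URL}"/>'
            '</saml:SubjectConfirmation></saml:Subject><saml:Conditions><saml:AudienceRestriction>'
            f'<saml:Audience>{SP_URL}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
            f'<saml:AttributeStatement>{stmt}</saml:AttributeStatement></saml:Assertion>')

if __name__ == "__main__":
    print(lint_assertion(sample(role="Admin")))  # constructed input with an unlisted role
```

An empty list means the assertion matches the settings above; each string in a non-empty list names the OneLogin field to recheck.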