This document explains the technical steps for setting up OneLogin SSO (Single Sign-On) with Pathlight. SSO gives users convenience as well as stronger security. It describes how to create an SSO client application in your organization's OneLogin account to enable SSO with Pathlight.
Assumptions
- SAML (Security Assertion Markup Language)-based SSO will be used, as SAML is a widely used standard for web-based applications.
- Your organization has its own OneLogin account, and your IT admin or engineering team has Admin access to set up the SSO client.
High-Level Procedure
The procedure has three major steps. First, an engineer in your company creates an SSO client application in your OneLogin account with the proper configuration and user access (see Create an SSO Application in OneLogin below). Next, the engineer provides Pathlight with the Metadata from the OneLogin application in a secure manner (Establish Trust Between OneLogin and Pathlight). Finally, Pathlight turns on the SSO feature for your team (Enable OneLogin SSO for Your Organization at Pathlight).
Create an SSO Application in OneLogin
- Log in to your OneLogin account with Admin access to create an SSO application for Pathlight. Once logged in, proceed as follows:
- Click Administration in the top left
- Click Applications in the top menu bar
- Click Add App button in the top right
- Search for SAML Test Connector (Advanced) and select the corresponding item. A new application page will appear:
- In the Display Name field, type Pathlight for [your org name] and upload the Pathlight icons (available here). This name and these icons are what your team members will see when accessing Pathlight.com from the OneLogin portal
- Click Save
- After saving, you are redirected to the detailed configuration page. Click the Configuration button in the left menu bar
- Copy and paste the following values into the corresponding fields in Application Details, replacing [YOUR ORG SLUG] with your organization's slug (fields marked * are required):
  RelayState: https://app.pathlight.com/a/[YOUR ORG SLUG]/home
  Audience (EntityID): https://app.pathlight.com/authentication/saml2/[YOUR ORG SLUG]/metadata/
  Recipient: https://app.pathlight.com/authentication/saml2/[YOUR ORG SLUG]/acs/
  ACS (Consumer) URL Validator*: ^https:\/\/app\.pathlight\.com\/authentication\/saml2\/[YOUR ORG SLUG]\/acs\/$
  ACS (Consumer) URL*: https://app.pathlight.com/authentication/saml2/[YOUR ORG SLUG]/acs/
  Single Logout URL: https://app.pathlight.com/authentication/saml2/[YOUR ORG SLUG]/ls/
  Login URL: https://app.pathlight.com/login/[YOUR ORG SLUG]
  SAML not valid before: 3
  SAML not valid on or after: 3
  SAML initiator: OneLogin
  SAML nameID format: Email
  SAML issuer type: Specific
  SAML signature element: Both
  Encrypt assertion: Unchecked
  Send NameID Format in SLO Request: Unchecked
  Generate AttributeValue tag for empty values: Unchecked
  SAML sessionNotOnOrAfter: 1440
  Sign SLO Request: Checked
  Sign SLO Response: Checked
- Save the configuration
- Next, click the Parameters menu in the left navigation bar
- Type email in the Field name box and check the flag labeled Include in SAML assertion
- Click Save
- In the Edit Field email pop-up window that appears, select Email from the Value pull-down menu
- Click Save
- The Parameters page appears; confirm that it looks like the screenshot below:
- Please save all the configurations by clicking the Save button in the top right corner
- Now set up the users or groups that can access this Pathlight for [your org] application. Navigate to Users in the top menu bar
- Click a user in the list to give them access to the application. Note that there is a More Actions pull-down menu in the top right corner for batch operations (use with caution)
- Clicking a user (e.g., Admin [Org Name] or admin+[org slug]@pathlight.com) opens the User page; there, click Applications in the left menu bar
- Click the + button in the Applications table, and then choose the Pathlight for [your org] application from the pulldown menu.
- Optional: create one account for Pathlight engineers, for testing purposes only. Click the New User button in the top right corner and enter:
- Pathlight for First name
- [Org Slug] for Last name
- pathlight+[org slug]@pathlight.com for Email
- Once this user is created, set its password to pathlight+[org slug] using More Actions. Also give it access to the application by following the two steps above (open the user's Applications page and add the Pathlight for [your org] application)
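All of the Application Details URLs above are derived from a single org slug, and the ACS (Consumer) URL Validator is the field where a typo matters most: it decides which URL OneLogin is willing to post signed assertions to, so it should be anchored and should match exactly one endpoint. The following Python script is an added example, not part of this article or of Pathlight's tooling; the slug acme is a constructed stand-in for your real slug. It builds the field values for a slug, confirms that the validator accepts the configured ACS URL and rejects look-alike hosts, other slugs, appended paths and plain http, and runs a few sanity checks before you click Save.

```python
import re

# Constructed example slug; substitute your organization's real slug.
EXAMPLE_ORG_SLUG = "acme"

BASE = "https://app.pathlight.com"


def pathlight_saml_fields(org_slug: str) -> dict:
    """Return the Application Details values for one Pathlight org slug.

    The URL patterns are the ones listed in the article; only
    [YOUR ORG SLUG] is substituted.  The validator is anchored with ^ and $
    and has every '.' and '/' escaped, so OneLogin will only deliver
    assertions to exactly this org's ACS endpoint.
    """
    acs = f"{BASE}/authentication/saml2/{org_slug}/acs/"
    validator = (
        r"^https:\/\/app\.pathlight\.com\/authentication\/saml2\/"
        + re.escape(org_slug)  # escapes '-' and other regex metacharacters in the slug
        + r"\/acs\/$"
    )
    return {
        "RelayState": f"{BASE}/a/{org_slug}/home",
        "Audience (EntityID)": f"{BASE}/authentication/saml2/{org_slug}/metadata/",
        "Recipient": acs,
        "ACS (Consumer) URL Validator": validator,
        "ACS (Consumer) URL": acs,
        "Single Logout URL": f"{BASE}/authentication/saml2/{org_slug}/ls/",
        "Login URL": f"{BASE}/login/{org_slug}",
    }


def validator_accepts(fields: dict, url: str) -> bool:
    """True if the configured ACS URL Validator regex accepts the given URL."""
    return re.search(fields["ACS (Consumer) URL Validator"], url) is not None


def check_fields(fields: dict) -> list:
    """Sanity checks to run before saving; returns a list of problems (empty = OK)."""
    problems = []
    for name, value in fields.items():
        if name == "ACS (Consumer) URL Validator":
            continue
        if not value.startswith("https://"):
            problems.append(f"{name} is not an https URL: {value}")
        if "[YOUR ORG SLUG]" in value:
            problems.append(f"{name} still contains the [YOUR ORG SLUG] placeholder")
    if fields["Recipient"] != fields["ACS (Consumer) URL"]:
        problems.append("Recipient must equal the ACS (Consumer) URL")
    if not validator_accepts(fields, fields["ACS (Consumer) URL"]):
        problems.append("ACS URL Validator does not accept the configured ACS URL")
    return problems


if __name__ == "__main__":
    fields = pathlight_saml_fields(EXAMPLE_ORG_SLUG)
    for name, value in fields.items():
        print(f"{name}: {value}")
    print("problems:", check_fields(fields))
    # Only the exact ACS URL for this org passes the anchored validator.
    for url in (
        "https://app.pathlight.com/authentication/saml2/acme/acs/",
        "https://app.pathlight.com.example.net/authentication/saml2/acme/acs/",
        "https://app.pathlight.com/authentication/saml2/acme/acs/extra",
        "https://app.pathlight.com/authentication/saml2/other-org/acs/",
        "http://app.pathlight.com/authentication/saml2/acme/acs/",
    ):
        print(validator_accepts(fields, url), url)
```

Run it with your own slug in place of acme and paste the printed values into OneLogin; an empty problems list and True for only the first URL is the expected outcome.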
Establish Trust Between OneLogin and Pathlight
Once the application is created, OneLogin provides Metadata containing certificates and other information. This information should be shared with Pathlight in a secure manner to establish trust.
- To generate the Metadata, go to Applications and click the More Actions button in the top right.
- Select the SAML Metadata option in the pull-down menu. The file is then downloaded to your local machine.
- Your engineer/admin sends the Metadata file to Pathlight engineers in one of the following ways:
Option-1: Set pathlight+[org slug]@pathlight.com account to be an administrator for the download time only.
Option-2: Hold a joint Zoom session with Pathlight engineers to share (and control) a screen to enable the download.
Option-3: Email the metadata file to Pathlight engineers.
Note: Options 1 and 2 are more secure than Option 3 and are therefore preferred.
Enable OneLogin SSO for Your Organization at Pathlight
Once a Pathlight engineer receives the metadata and testing is complete, the SSO feature will be enabled immediately. Your company's users can then use SSO in two ways:
- Pathlight-initiated SSO: Team members can log in using the OneLogin SSO option on the Pathlight website.
- OneLogin-initiated SSO: Users first log in to their OneLogin account and then click the Pathlight for [your org] application (with the Pathlight icon). They are then automatically redirected to and logged in to Pathlight.
__________________________________________________________________________________
We hope this was helpful! Please submit a ticket here if you have any questions or need further assistance.