Skip to main content
Sign in Menu

Setting up OneLogin SSO with Pathlight

Ashley
  • Updated

This document explains technical steps for your organization to set up OneLogin SSO (Single Sign-On) with Pathlight. SSO will provide users with convenience as well as high security.  This document will explain how you can set up a SSO-based client application in their OneLogin account to enable SSO with Pathlight. 

 

Assumption 

    1. It is assumed that SAML (Security Assertion Markup Language) based SSO will be used, as SAML is a widely-used standard for web-based applications. 
    2. Your organization has their own OneLogin account, and your IT Admin/Engineering would have Admin access to set up the SSO client. 

High-Level Procedure

The procedure consists of three major steps. First, the engineer within your company should create a SSO client application in their OneLogin account with proper configurations and user access - see the details in below in, Create an SSO Application in OneLogin. Next, the engineer should provide Pathlight with Metadata from the OneLogin application in a secure manner (Establish Trust Between OneLogin and Pathlight). Finally, Pathlight will turn on the SSO feature for your team (Enable OneLogin SSO).

 

Create an SSO Application in OneLogin

  1. The engineers should first login to their OneLogin account with Admin access, and create a SSO application for Pathlight. Once logged in, the following page displays:Screenshot_2023-01-26_at_10.05.33_AM.png
  2. Click Administration in the top left
  3. Click Applications in the top menu bar
  4. Click Add App button in the top right
  5. Search for SAML Test Connector (Advanced) and select the corresponding item. A new application page will appear: Screenshot_2023-01-26_at_9.53.40_AM.png
  6. Type in Display Name field, Pathlight for [your org name] and upload Pathlight icons (available here) This name and icons will be used for your team members to access Pathlight.com from the OneLogin website
  7. Click Save
  8. After saving, the site is redirected to the detailed configuration page. Click Configuration button in the left menu bar
  9. Copy & paste (adding in your organization's slug into the appropriate section) the following information to the corresponding fields in Application Details:

    RelayState

    https://app.pathlight.com/a/[YOUR ORG SLUG]/home

    Audience (EntityID)

    https://app.pathlight.com/authentication/saml2/[YOUR ORG SLUG]/metadata/

    Recipient

    https://app.pathlight.com/authentication/saml2/[YOUR ORG SLUG]/acs/

    ACS (Consumer) URL Validator*

    ^https:\/\/app\.pathlight\.com\/authentication\/saml2\/[YOUR ORG SLUG]\/acs\/$

    ACS (Consumer) URL*

    https://app.pathlight.com/authentication/saml2/[YOUR ORG SLUG]/acs/

    Single Logout URL

    https://app.pathlight.com/authentication/saml2/[YOUR ORG SLUG]/ls/

    Login URL

    https://app.pathlight.com/login/[YOUR ORG SLUG]

    SAML not valid before

    3

    SAML not valid on or after

    3

    SAML initiator

    OneLogin

    SAML nameID format

    Email

    SAML issuer type

    Specific

    SAML signature element

    Both

    Encrypt assertion

    Unchecked

    Send NameID Format in SLO Request

    Unchecked

    Generate AttributeValue tag for empty values

    Unchecked

    SAML sessionNotOnOrAfter

    1440

    Sign SLO Request

    Checked

    Sign SLO Response

    Checked
    Screenshot_2023-01-26_at_10.10.21_AM.png
    Screenshot_2023-01-26_at_10.11.05_AM.png
  10. Save the configuration
  11. Next, click the Parameters menu in the left navigation bar
    Screenshot_2023-01-26_at_10.12.10_AM.png
  12. Type in email in the Field name and check the Flag labeled Include in SAML assertion
    Screenshot_2023-01-26_at_10.13.07_AM.png
  13. Click Save
  14. It will lead to another Edit Field email pop-up window, select Email from the Value's pull-down menu
    Screenshot_2023-01-26_at_10.14.14_AM.png
  15. Click Save
  16. The Parameters page will appear and ensure that it looks like the screenshot below:
    Screenshot_2023-01-26_at_10.14.48_AM.png
  17. Please save all the configurations by clicking the Save button in the top right corner
  18. Now, let's set up users or groups so that they can access this Pathlight for [your org] application. Navigate to Users in the top menu bar
  19. Click users in the list to give them access to the application. **Note that there is a More Actions pull down menu in the top right corner for a batch operation (use with caution)
  20. Once clicking a user (e.g., Admin [Org Name] or admin+[org slug]@pathlight.com), it leads to the User page, here you will click Applications in the left bar menu
    Screenshot_2023-01-26_at_9.55.17_AM.png
  21. Click the + button in the Applications table, and then choose the Pathlight for [your org] application from the pulldown menu.
    Screenshot_2023-01-26_at_9.56.06_AM.png
  22. Optional - Please create one account for Pathlight engineers for a testing purpose only. Click the New User button in the top right corner, and type in:
    1.  Pathlight for First name
    2.  [Org Slug] for Last name
    3.  pathlight+[org slug]@pathlight.com for Email
    4. Once this user is created, please set its password to pathlight+[org slug] using More Actions Also, give it access to the application by following the Step 18 & 19 described above

Establish Trust Between OneLogin and Pathlight

Upon the application creation, OneLogin provides Metadata that contains certificates and other information. This information should be shared with Pathlight in a secure manner to establish trust.

  1. In order to generate Metadata, go to the Applications and click the More Actions button in the top right. 
  2. Select SAML Metadata option in the pull down menu. Once selected, the file will be downloaded into the local machine.
    Screenshot_2023-01-26_at_9.57.07_AM.png
  3. Your engineer/admin will send the Metadata file to Pathlight engineers.
    Option-1: Set pathlight+[org slug]@pathlight.com account to be an administrator for the download time only.
    Option-2: Hold a joint Zoom session with Pathlight engineers to share (and control) a screen to enable the download.
    Option-3: Email the metadata file to Pathlight engineers.
    ***Option 1 and 2 are more secure (hence, preferred) than Option 3.

Enable OneLogin SSO for Your Organization at Pathlight

Once Pathlight engineer receives the metadata, the SSO feature will be enabled immediately, after testing. Your company's users can enjoy SSO in two ways: 

  1. Pathlight-initiated SSO: Team members can login using OneLogin SSO option in the Pathlight website.
    Screenshot_2023-01-26_at_9.57.59_AM.png
  2. OneLogin-initiated SSO: Users can first log in their OneLogin account and then click on the Pathlight for [your org] application (with Pathlight icon). Then, they will be automatically redirected and logged-in to Pathlight.
    Screenshot_2023-01-26_at_10.20.26_AM.png

    __________________________________________________________________________________

    We hope this was helpful! Please submit a ticket here if you have any questions or need further assistance.

Related articles

Powered by Zendesk