OneLogin SSO | Communifire Documentation

Axero supports onelogin integration for single-sign-on (SSO). This page covers information about onelogin SSO, walks you through how to configure onelogin SSO on your intranet, and provides solutions to common issues. To read about the benefits of onelogin SSO, click here.

Login Experience

Once onelogin SSO is set up on your Axero intranet, users will be re-directed to the onelogin log in page.

Logging in with Axero credentials

You can allow users to log in using their Axero credentials. To allow this, set your System Properties > EnableAutoLoginViaSaml to false. When this property is set to false, users will see the Axero login page. Users can either log in with Axero credentials or click Login via SAML to sign in using their onelogin credentials.

Mobile App Login Experience

In the mobile app, users will be re-directed to the onelogin log in page after entering the intranet site URL.

Logging in with Axero credentials

As with the web version, you can allow users to log in using Axero credentials in the mobile app. To allow this, set System Properties > EnableAutoLoginViaSaml to false. When this property is set to false, users will see the Axero login page. Users can either log in with Axero credentials or click SSO Login to sign in using onelogin credentials.

Adding Users

A user is created in Axero when the user logs into your Axero intranet for the first time. You can add users to Axero before they log in using the three methods below:

1. Bulk import users

Pre-populate users before onelogin setup or launch with Bulk Import Users . The Axero usernames you create must match the usernames in onelogin.

2. Manually Add users

Add users in Control Panel > People > Manage People > Add User . The Axero username you create must match the username in onelogin.

3. REST API Import

You can use our REST API to import users - REST API: Add User , REST API: Update User Profile Fields .

Adding Axero administrator accounts

If Axero administrator accounts are created before onelogin is set up and the Axero usernames match onelogin usernames, the administrator accounts will sync with the corresponding onelogin accounts. If not, you will need to re-configure permissions for the admin onelogin accounts and remove the previous Axero administrator accounts.

Importing Data

Any data can be imported from onelogin, as long as there are corresponding User Profile Fields in Axero. Attribute mappings must be added to Control Panel > System > Single Sign On > Data Mapping > SAML. Enter the attribute name as the property name in Axero. See the table below for common fields to import.

* The country code in onelogin must match country options in Axero exactly.

You can also use our REST API to import user data into Axero.

Syncing Data

User data is updated in Axero every time a user logs in.

Email and username change

When a user's email is changed in onelogin, the user's Axero email will be updated the next time they login. The Axero username won't be changed and must be updated manually by a site administrator.

Disabled Users

When a user's assignment is removed in onelogin, the user will be blocked from logging into Axero using onelogin.

The user's account will still be active in Axero. You can Delete User and delete their content or re-assign their content to another user or to the system anonymous user. You can also Ban User , which will retain their content.

Setup Guide

This guide walks you through how to enable onelogin SSO in Axero. Client-side setup is estimated to take 1-2 hours and Axero team setup is estimated to take 1-2 hours. The time to set up SSO can vary based on how long it takes to set up internal systems and to provide the Axero team with all required information. Our standard estimate for setting up SSO is 1-2 business days from the time a case is opened.

Once you complete the setup guide, onelogin SSO will be active on your intranet.

Configure OneLogin SSO

1. Login to the admin console in OneLogin, and navigate to the Administration section
   
   
2. Click Applications - Applications
   
   
3. Click Add App
   
   

4. Search and select SCIM Provisioner with SAML(SCIM v2 Enterprise)

   
   
   

5. Edit the Display Name if you want or leave it as default and click Save

   
   
   

6. Click Configuration and scroll down

   
   

7. Enter Application details
   
   SAML Audience URL: https://<domain_name>. Example https://yourintranet.communifire.com
   
   SAML Consumer URL: https://<domain_name>/SAML/AssertionConsumerService.aspx. This should be the same domain you used for SAML Audience URL.
   
   Under API Connection for SCIM Base URL type https://<domain_name/api/scim/v2>. Example https://yourintranet.communifire.com/api/scim/v2 

   
   
   

8. After adding SCIM Base URL, click Enable button.

   
   
   
   
   
   

9. Click SSO and copy Issuer URL, SAML 2.0 Endpoint (HTTP), and SLO Endpoint (HTTP); save for later.

   
   
   

10. Click the View Details to download X.509 Certificate file

11.  

     

    Set the SAML Signature Algorithm to SHA-256
    

     

12. Convert the .PEM file into .CER file
    Suggestion: Use OpenSSL to convert .pem to .CER file (refer to: https://medium.com/swlh/installing-openssl-on-windows-10-and-updating-path-80992e26f6a1)

    After installing OpenSSL, Go to the folder that contains the .PEM file. To convert the file, open a command line and use the command: openssl x509 -inform PEM -in onelogin.pem -outform DER -out yourfile.cer

    
    
    
    
    
    

    On the command prompt use the command: openssl x509 -inform PEM -in onelogin.pem -outform DER -out yourfile.cer

    
    

    onelogin.pem – the X.509 Certificate file you download.

    yourfile.cer – the converted file.

    
13. Open a new tab and log in to Axero. From the homepage click gear icon > Control Panel > System > Single Sign On.

14. Enter the following information:

    9. • Partner Identity Provider URL: Enter the Issuer URL you copied.

       • Single Sign On Service URL: Enter the SAML 2.0 Endpoint HTTP you copied.

       • Relying Party Trust Identifier: Enter your intranet URL.

       • Single Logout Service URL: Enter the SLO Endpoint HTTP you copied.

       • Partner Identity Certificate (CER): Upload the X.509 Certificate file. (The converted OneLogin.pem file to a .CER file).

    
    

15. Expand the SCIM User Provisioning section.

16. Copy the Bearer token:
    
    

17. Go back to OneLogin and scroll to the bottom of Configuration page and find SCIM Bearer Token. Paste the Bearer Token you just copied from Axero.
    
    

18. Click Provisioning and under Workflow check Enable Provisioning and click Save
    
    

19. Add Parameters as shown
    
    

    Email should be added on the parameters. 
    
    
    

Provisioning

To configure provisioning, see OneLogin SCIM Configuration Guide 

Configure Axero

1. In Axero, go to Control Panel > System > Single Sign On.
2. Select SAML.
3. Enter the following information:
   
   • Partner Identity Provider URL: Enter the Issuer URL you copied.
   • Single Sign On Service URL: Enter the SAML 2.0 Endpoint HTTP you copied.
   • Relying Party Trust Identifier: Enter your intranet URL.
   • Single Logout Service URL: Enter the SLO Endpoint HTTP you copied.
   • Partner Identity Certificate (CER): Upload the X.509 Certificate file. (Convert the onelogin.pem to a .CER file).
     
     Example:
     
     
4. Click Update.
5. Click Data Mapping.
6. For Type, select SAML.
7. Add attribute mappings. The Property Name should match the attribute name you entered in Attribute Statements in onelogin.
   Example:
   
   
8. Click Update.
9. Submit a private case to have our team provide you with a valid Service Provider Certificate (PFX) and Certificate Password.

For more information or assistance from the Axero team, submit a private case.