SAML based SSO - Login with OneLogin
Organimi has implemented SAML based SSO for Premium account holders … this document will walk you through the steps to set up Organimi with OneLogin
Note: Downloadable PDF for this help document is available at the end of the article.
Step 1
Go to your OneLogin dashboard and click “Add App” from the Applications tab
Search for “saml custom connector” and click on the highlighted application in the below screenshot … “SAML Custom Connector (Advanced)”
Step 2
Under Configuration, enter Display Name as “Organimi”, upload Organimi’s logo and click Save (you can download the Organimi logo at: Organimi_LogoOnly.png)
Step 3
Click on SSO and enter the following information:
- RelayState: {"company":"YOUR-COMPANY-ALIAS"}
  - Note: Replace the placeholder with your company name. This name will also be required later on the Organimi side of the setup, and anyone who wishes to log in using this IDP will be asked to enter this name when signing in from the Organimi Login Page.
- Audience (EntityID): https://app.organimi.com
  - Only for EU customers specifically set up on the EU server: https://eu.app.organimi.com
  - Only for AU customers specifically set up on the AU server: https://au.app.organimi.com
- ACS (Consumer) URL Validator: https://app.organimi.com/api/v7/auth/login/saml/callback
  - Only for EU customers: https://eu.app.organimi.com/api/v7/auth/login/saml/callback
  - Only for AU customers: https://au.app.organimi.com/api/v7/auth/login/saml/callback
- ACS (Consumer) URL: https://app.organimi.com/api/v7/auth/login/saml/callback
  - Only for EU customers: https://eu.app.organimi.com/api/v7/auth/login/saml/callback
  - Only for AU customers: https://au.app.organimi.com/api/v7/auth/login/saml/callback
(Note: Please ensure all the values are mapped correctly as per the screenshots.)
Leave all other configuration settings as they are, at their default values (screenshots attached below for reference).
In order for a user to log into Organimi, we require the following three attributes of the user from OneLogin. Configure them under “Attribute Statements (optional)”. The attribute names must be all lowercase, and each value must be mapped to the corresponding OneLogin user field.
- firstname
- lastname
Once all the users are assigned and configured, click Save at the top-right.
Step 4
Now that the Organimi app is set up on the OneLogin side, we have to configure this IDP in Organimi.
Click on “More Actions” for the Organimi app in OneLogin, select “SAML Metadata”, and save the downloaded file to a place you can find it easily … you will be using the downloaded file in step 6 of the Organimi app setup.
Step 5
Visit https://app.organimi.com (for EU customers https://eu.app.organimi.com, and for AU customers https://au.app.organimi.com), log in to your account using any social login or username/password. Click “My Account” and select the “SSO Settings” tab.
Note: If you don’t see the “SSO Settings” tab, or it shows that SSO is not enabled for your account, please contact Organimi at support@organimi.com to have SSO enabled for your account. A premium account is required to enable SSO.
Step 6
Click on the “Configure IDP” button and enter:
- Company Alias: Enter your company name. It must match exactly the name entered in step 3.1 in place of the “YOUR-COMPANY-ALIAS” placeholder.
- IDP Metadata: Drag and drop the file that was downloaded in step 4 into the “drop area” as highlighted below (or click in the gray box and then paste).
- Click the SAVE button.
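The values entered in steps 3 through 6 are easy to get subtly wrong (a RelayState that is not valid JSON, a placeholder alias left in place, an ACS URL for the wrong region, a metadata file that lacks the IdP's signing certificate), and each mistake only surfaces as a failed login later. The following script is an added example, not Organimi's or OneLogin's code, that checks those values before you click SAVE. The region keys (`us`, `eu`, `au`) are our own naming, the Organimi URLs are the ones listed in step 3, and the metadata document is a constructed sample in the shape of a SAML 2.0 IdP metadata file with placeholder entity ID, SSO URL and certificate.

```python
"""Pre-flight checks for the OneLogin -> Organimi SAML setup (added example)."""
import json
import xml.etree.ElementTree as ET

# Audience (EntityID) per Organimi region, as listed in step 3 of the article.
# The region keys are our own labels, not Organimi's.
ORGANIMI_ENTITY_IDS = {
    "us": "https://app.organimi.com",
    "eu": "https://eu.app.organimi.com",
    "au": "https://au.app.organimi.com",
}
ACS_PATH = "/api/v7/auth/login/saml/callback"   # same path for every region
PLACEHOLDER_ALIAS = "YOUR-COMPANY-ALIAS"

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample IdP metadata; entity ID, SSO URL and certificate are placeholders.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.invalid/saml/metadata/PLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.invalid/sso/PLACEHOLDER"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_relay_state(raw: str) -> list:
    """Return problems with a RelayState value (empty list means it is usable).

    Step 3 requires exactly {"company":"<alias>"}: anything else, an empty alias,
    or the untouched placeholder would only fail at login time.
    """
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"RelayState is not valid JSON: {exc}"]
    if not isinstance(data, dict) or set(data) != {"company"}:
        return ['RelayState must be exactly {"company": "<alias>"}']
    alias = data["company"]
    if not isinstance(alias, str) or not alias.strip():
        return ["company alias must be a non-empty string"]
    if alias == PLACEHOLDER_ALIAS:
        return ["placeholder alias was never replaced with your company name"]
    return []


def check_sp_values(region: str, audience: str, acs_url: str, acs_validator: str) -> list:
    """Compare the OneLogin app's SP fields against the values step 3 gives for a region."""
    base = ORGANIMI_ENTITY_IDS[region]
    expected = {"Audience": base, "ACS URL": base + ACS_PATH, "ACS URL Validator": base + ACS_PATH}
    actual = {"Audience": audience, "ACS URL": acs_url, "ACS URL Validator": acs_validator}
    return [f"{name}: got {actual[name]!r}, expected {want!r}"
            for name, want in expected.items() if actual[name] != want]


def inspect_idp_metadata(xml_text: str) -> dict:
    """Extract what Organimi needs from the downloaded IdP metadata (step 4/6).

    Raises ValueError when the file is not an IdP metadata document or carries
    no signing certificate, since assertions could not be verified without one.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):   # no 'use' means usable for signing too
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                if c.text and c.text.strip():
                    certs.append(c.text.strip())
    if not certs:
        raise ValueError("metadata carries no signing certificate")
    sso_urls = [e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)]
    return {"entity_id": root.get("entityID"), "sso_urls": sso_urls, "signing_certs": len(certs)}


if __name__ == "__main__":
    print(check_relay_state('{"company":"acme"}'))
    print(check_sp_values("eu", "https://eu.app.organimi.com",
                          "https://eu.app.organimi.com" + ACS_PATH,
                          "https://eu.app.organimi.com" + ACS_PATH))
    print(inspect_idp_metadata(SAMPLE_IDP_METADATA))
```

Run it with your own RelayState string, the three SP fields copied from the OneLogin SSO tab, and the metadata file you downloaded in step 4 in place of the sample; an empty list from the two `check_*` functions and a non-zero `signing_certs` count from `inspect_idp_metadata` mean the values match what the article asks for. The entity ID it prints is the value you should see on the Organimi side in step 7.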
Step 7
Your Identity Provider should show the OneLogin Entity ID that you just set up, which means the IDP configuration has been accepted.
Note: If you do not reach this point and instead see an error message on clicking the “SAVE” button, contact Organimi support at support@organimi.com.
Now it's time to test logging in with your configured IDP. First log out from your account. Then log in by clicking “Sign in with SSO”. In the next screen, type in the company name matching the one from step 3.4 & 6.1 and then click Login.
You should be redirected to your OneLogin IDP where you can get authenticated. Once successful, you will be redirected back to Organimi and will be logged in.
And you are in. If you click the Change Account link on the Organimi screen, you will see that you are logged in with SAML SSO.
Step 8
You can also enable “Force-SSO” from the configuration tab. This requires everyone using this account (including you) to log in using your configured IDP only in order to access resources under this account. Other login methods (social and username/password) will not be allowed access to the account.
Note: As the account owner, it's recommended that you test logging in with your IDP first before turning on this setting, as you will not be able to access the account via any other login method after you enable the “Force-SSO” option.
If you were logged into Organimi with your SSO IDP account, you will just see that the switch is now on for “Force SSO”.
If, however, you were logged in to Organimi with your social login or username/password, your access to the account will be immediately disabled: you will be taken to the Account Selection Screen and will see that your access to the account is locked. You could disable “Force SSO” (only available to account owners) … but normally you would just log out of Organimi and log back in with your SSO IDP account.
Default share settings for IDPs:
Alternatively, users can be granted editor or viewer access to charts by enabling default sharing settings for the SSO IDP. This will not send any email invites to these users; they can log in directly using the shared IDP. These permissions can be changed as needed.
- SSO Login does not imply chart: the chart will not be shared with users logging in via the SSO IDP
- SSO login can view this chart: assigns Viewer permissions to users logging in with the SSO IDP
- SSO login can edit this chart: assigns Editor permissions to users logging in with the SSO IDP
Please Note …
If default sharing is not enabled as described above … in addition to provisioning the application to users in OneLogin, you will also need to invite users to one of your Organizations or Charts in Organimi … if the user has not been invited and granted access to any Organizations or Charts in Organimi, they will be greeted with a message telling them they do not have access to any accounts in Organimi … if this happens, simply invite them to the Organization as an Admin or to one of the Charts as an Editor or Viewer, or enable default sharing.
Thank you for being an Organimi customer and please contact us at support@organimi.com if you run into any issues or have any questions that are not covered in this document or are beyond the scope of this document.