All Cerby users are able to configure a default Identity Provider (IdP) such as OneLogin to leverage the single sign-on (SSO) authentication feature to securely authenticate using a single set of credentials.
OneLogin supports a Security Assertion Markup Language (SAML) application to integrate with other service providers easily. In this case, the integration is with Amazon Cognito, and the SAML application is customized and points to a specific Cerby workspace.
This article describes how to configure OneLogin as the primary IdP to enable SSO with the Cerby platform using a SAML integration.
Supported features
The following are the supported features of configuring SSO in Cerby with OneLogin:
Control who has access to Cerby from OneLogin.
Service provider-initiated authentication flow. This authentication flow occurs when users attempt to log in to the application from Cerby.
Automatic user account creation in Cerby. This provisioning flow in Cerby occurs automatically on the initial SSO.
Requirements
The following are the requirements to configure SSO in Cerby with OneLogin:
A user account in OneLogin with admin privileges to configure an application
You must have received an invitation from Cerby Support via email to create a workspace.
IMPORTANT: If you have not received an invitation, send an email to support@cerby.com with your request.
Configure SSO in Cerby with OneLogin
To configure SSO in Cerby with OneLogin, you must complete the following main steps:
The following sections describe each main step.
1. Set up a workspace in Cerby
To set up a workspace in Cerby, complete the following steps:
Click the Create your Workspace button from the invitation email. The Welcome to Cerby page is displayed, as shown in Figure 1.
Figure 1. Welcome to Cerby page
Click the Continue with Generic SAML button. The Create your workspace page is displayed, as shown in Figure 2.
Figure 2. Create your Workspace page
Enter the name of your workspace in the Workspace name field.
NOTE: Remember the workspace name that you have entered. You need it later.
Click the Create workspace button. The Configure SSO through Your Generic SAML App page is displayed, as shown in Figure 3. This page contains information to configure the Cerby application in your OneLogin tenant.
Figure 3. Configure SSO through Your Generic SAML App page
IMPORTANT: Keep the Configure SSO through Your Generic SAML App page open because it contains the required values that you must provide to OneLogin and Cerby to complete the configuration.
The next step is 2. Add a SAML-based application to OneLogin, which you must complete from OneLogin.
2. Add a SAML-based application to OneLogin
To add a SAML-based application to OneLogin, complete the following steps:
Log in to OneLogin as an administrator.
Select the Applications option that appears when hovering over the Applications tab. The Applications page is displayed, as shown in Figure 4.
Figure 4. Applications page in OneLogin
Click the Add App button located at the top right. The Find Application page is displayed.
Enter SCIM in the search bar. A list of applications is displayed.
Select the SCIM Provisioner with SAML (SCIM v2 Core) option. The Add SCIM Provisioner with SAML (SCIM v2 Core) page is displayed, as shown in Figure 5.
Figure 5. Add SCIM Provisioner with SAML (SCIM v2 Core) page in OneLogin
(Optional) Update the name for your OneLogin SAML application in the Display Name field.
Click the Save button. A success message is displayed.
The next step is 3. Configure SAML for Cerby in OneLogin, which you must complete from OneLogin.
3. Configure SAML for Cerby in OneLogin
To configure OneLogin to provide SSO for Cerby using SAML, complete the following steps:
Select the Configuration option from the left menu. The configuration details page is displayed, as shown in Figure 6.
Figure 6. Configuration details page in OneLogin
Enter the following information in the Application details section using the values from the browser tab you left open when completing step 1. Set up a workspace in Cerby:
SAML Audience URL: Copy and paste the Entity ID value.
SAML Consumer URL: Copy and paste the ACS URL value.
Enter https://api.cerby.com/v1/scim/v2 in the SCIM Base URL field of the API Connection section.
Click the Save button. A success message is displayed, and the Info details page activates.
Select the Parameters option from the left menu. The parameters details page is displayed, as shown in Figure 7.
Figure 7. The parameters details page in OneLogin
Map the user identity SAML attributes by completing the following steps using the values listed in Table 1:
Click the plus (+) icon. The New Field dialog box is displayed, as shown in Figure 8.
Figure 8. New Field dialog box in OneLogin
Copy and paste the URI from Table 1 into the Field name field. For example, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Select the Include in SAML assertion option.
Click the Save button. The Value field is displayed.
Copy and paste the attribute from Table 1 into the Value field, then select the matching option that appears in the drop-down list.
Click the Save button. The dialog box closes.
Repeat steps a to f for each attribute listed in Table 1.
Update the attribute assigned to the scimusername field by completing the following steps:
Click the Save button. A success message is displayed, and the Info details page activates.
Click the More Actions menu located at the top right. A drop-down menu is displayed.
Select the SAML Metadata option. An XML metadata file is automatically downloaded to your computer.
The next step is 4. Assign users to the application, which you must complete from OneLogin.
4. Assign users to the application
You can assign users to the newly created application in the following ways:
Manually assigning apps to individual users. For instructions, read the official OneLogin documentation Manually Assigning Apps to Users.
Assigning apps to users in batches. The most efficient way to assign apps to users is to batch-apply them in collections, using roles and mappings. For instructions, read the official OneLogin documentation Roles.
The next step is 5. Finish the workspace creation in Cerby, which you must complete in Cerb
5. Finish the workspace creation in Cerby
To finish the workspace creation in Cerby, complete the following steps from the Configure SSO through Your Generic SAML App page that you left open:
Upload the XML file that you downloaded recently in the 2. Upload the metadata information section. The name of the file is displayed below the Metadata XML file field when it is uploaded.
TIP: You can drag the file from another window or click the button below the Metadata XML file field to look for the file on your computer.
Select the I have already assigned users or groups to the application option located in the 3. Assign People or Groups section.
Click the Finish Configuration button located at the bottom of the page. The Your Workspace page is displayed confirming that your workspace has been created successfully.
Click the Login button. Your new Cerby workspace is displayed.
Now you are done.
NOTE: After completing the SSO setup in this guide, you can also configure automatic user provisioning via SCIM between OneLogin and Cerby.
To enable automatic creation, updates, and deactivation of user accounts in Cerby based on user assignments in OneLogin, see the article Configure automatic user provisioning with OneLogin via SCIM.
Table 1. User identity SAML attributes
The following table shows the user identity SAML attributes you must configure in OneLogin as part of step 3. Configure SAML for Cerby in OneLogin:
URI | Attribute |
| Name |
| Last Name |
| |
| First Name |




