OneLogin For Samanage Configuration Instructions

Document created by Joseph Brown (Employee) on Aug 29, 2018. Last modified by Joseph Brown (Employee) on Aug 30, 2018.

OneLogin is the smart and simple way to eliminate passwords and automate user management for Samanage!

If you don't already have OneLogin, start by navigating to the OneLogin homepage and proceed to the OneLogin free trial at http://www.onelogin.com/partners/app-partners/samanage. At this point, you should be redirected back into your account and have selected a password. Once you're within your OneLogin account, let's get started on setting up Samanage.

Adding Samanage to OneLogin

To add Samanage to your OneLogin account, start at your dashboard portal, proceed to Apps > Add Apps, and search for Samanage. Look for the connector that says SAML2.0, browser extension, and provisioning next to it, and select that one. Once inside the connector page, select SAML2.0 - user provisioning under Connector and then select Save to add Samanage to your account.

Setting up Single Sign-On

From the connector page, you will be taken immediately to the Info tab. Instead, proceed to the adjacent Configuration tab where you'll be inputting your organization's custom Samanage account URL in the Account Name field. When your page resembles the example below, select Save to confirm your settings.

[Screenshot: 2014-10-28_10-19-28.png]

Next, proceed to the Parameters tab. First, ensure that Credentials are set to Configured by admin, and that the User Attribute fields are set to the value mappings specified in the left column. When your page resembles the example below, select Save to confirm your configuration.

[Screenshot: 2014-10-28_10-23-06.png]

Here's a quick list of the required mappings you'll be needing within the User Fields section:

Department
-No value-

Role
-No value-

Site
-No value-

Title
-No default-

Username
Email

Note: These are the default mappings. Based upon your circumstances, there might be other mappings that you wish to associate with your users.

Next, navigate over to the SSO page. Here you'll be copying down the SAML 2.0 Endpoint. Then, proceed to View Details under the associated X.509 Certificate to view that certificate's page. Select the clipboard icon on the top-right of the certificate string to copy it. Both the certificate and endpoint URL will be placed within the Samanage dashboard to confirm the SAML SSO connection.

[Screenshot: 2014-10-28_10-24-52.png]

Once within the Single Sign-On configuration page of Samanage, proceed down to the Login using SAML section, and begin by selecting Enable Single Sign-On with SAML, which will open the rest of the SAML options.

Proceed to fill in the page with the information on the left until your page resembles the example below. When you've finished, select Update at the bottom of the page to confirm your settings.

[Screenshot: 2014-10-28_10-26-59.png]

[Screenshot: 2014-10-28_10-28-38.png]

With that, your users should be able to successfully log into their Samanage accounts via SAML through their individual OneLogin dashboard portal!

Here's a quick list of the required fields in the SAML configuration page and what you should fill them in with:

Identity Provider URL


Login URL
-Field is pre-filled-

Logout URL
https://app.onelogin.com/client/apps

Error URL
-blank-

X.509 Certificate


If you're looking to test the functionality of the connection, log completely out of Samanage and OneLogin, log back into OneLogin and select the Samanage application on your dashboard. This should take you immediately to your account page in Samanage.

Another potential issue is a mismatch of account emails between Samanage and OneLogin. This can be remedied by navigating to Users > Account Owner and then from there to the Applications tab. Select Samanage to open the Edit Login pane, where you can overwrite the default fields for your Samanage login and insert the correct information to match your OneLogin credentials with your Samanage credentials.

Mapping Samanage to Users

With SAML successfully enabled and single sign-on properly configured, let's allocate Samanage to a group of users. Roles are the key component of OneLogin that grant users access to an application. In many cases, Roles are linked to a security group in the corporate directory and members of that group are then granted access to apps in OneLogin.

Proceed to Users > Roles > New Role and give your role a name and associate it with Samanage. For simplicity I will use a Role named Samanage and the Security Group named Samanage in Active Directory.

[Screenshot: 2014-10-28_10-50-12.png]

Now with the Role established, let's generate the custom mapping that will assign the Role of Samanage to everyone within the Group of Samanage. Proceed to Users > Mappings, and seeing as we have no mapping that includes Samanage, go ahead and select New Mapping.

In the Custom Mapping page, you name the mapping and give it a condition and the actions to execute when that condition is met. Here we're making a simple mapping that assigns the Samanage Role we've generated to a group of users based on their Active Directory group. When you've created your mapping, select Save to proceed.

[Screenshot: 2014-10-28_10-55-59.png]

You can always check what users are going to be affected by your mapping by selecting More Actions > Preview All Mapped Users or Preview All Mapped Users.

Once you're back in the Mappings page, select Reapply All Mappings to confirm and refresh the mapped entitlements to all users.

At this point, you and your users should have full access to Samanage and be able to log in to their accounts via single sign-on!

Rule Provisioning

Samanage can be provisioned to users via mappings discussed previously, but can also be provisioned through Rules within the connector itself. Proceed to the Provisioning tab within the Samanage connector page and begin by selecting Enable provisioning for Samanage.

You may also configure which provisioning actions require administrator approval to execute, while deselecting an action will allow it to execute automatically. Settings for defining what occurs in Samanage when a User is Deleted from OneLogin are also found here.

When you've configured your settings, select Refresh Entitlements (which should be done whenever settings are changed) and then select Save to confirm your configuration. Moving forward, remember to always refresh entitlements whenever additional Sites, Departments, or Roles are included.

[Screenshot: 2014-10-28_10-58-53.png]

Proceed now to the Rules tab. Here we'll create the mapping that associates various attributes within Samanage to a user or group of users. Select New Rule to bring up the New Mapping pane. The example below shows a user with the name of JoshAmes being mapped to the Role of Administrator within Samanage.

[Screenshot: 2014-10-28_11-03-01.png]

Note that with Conditions = DistinguishedName > equals > Josh Ames and Perform these actions = Set Roles > Administrator, the rule is saying: if provisioning encounters a User named Josh Ames, assign him the Samanage Role of Administrator.

Along with Usernames, Titles, and Managers, OneLogin can provision Roles, Departments, and Sites into Samanage through rule mappings. Samanage Roles have been pre-defined for provisioning, and you can find them under Actions > Roles in a newly generated Rule mapping, while Title is a native OneLogin user field that can be defined in Users > All Users > Specific User.

The Department and Site fields contain no native values in OneLogin, but are populated by user object values from Samanage. These fields can be created and edited by proceeding to Setup > Organizations in Samanage. Remember to Refresh Entitlements in the Provisioning tab after editing any fields.

[Screenshot: 2014-10-28_11-06-44.png]

Here's a quick list of the relationship between fields within OneLogin and Samanage:

Department
Samanage into OneLogin, Rule Configurable

Site
Samanage into OneLogin, Rule Configurable

Role
Samanage into OneLogin, Rule Configurable

Title
OneLogin into Samanage, Cannot Disable

Manager
OneLogin into Samanage, Cannot Disable

Proceeding back into OneLogin's Samanage Parameters tab, you can now select values for Department and Site fields. Remember to enable Include in User Provisioning before you save the field mapping if you intend to pass the value over when the user is provisioned.

[Screenshot: 2014-10-28_11-10-15.png]

With the desired fields configured, we now have access to those field values when we proceed to Rules > New Rules. Notice that previously, Departments was a field with no configurable value possible, but it is now taking the configured fields directly from Samanage for mapping to users during provisioning.

[Screenshot: 2014-10-28_11-11-21.png]

You can select Show Affected Users to see which users will be affected by your configuration before you commit to any mappings. And as always, be sure to Refresh Entitlements in the Provisioning tab whenever you change any settings.

Just In Time Provisioning

If you are a OneLogin account holder that doesn't allow for true provisioning, Samanage allows for Just-In-Time Provisioning. This method of provisioning utilizes the SAML assertion to create users on the fly instead of needing to generate accounts ahead of time.

For example, if you're adding a new employee in Samanage, their account doesn't need to be manually generated for them. Instead, when they log in via single sign-on, their Samanage account is automatically generated for them, nullifying any need for user on-boarding.

To enable this, return to the Single Sign-On section of Samanage, proceed to the bottom of the page, below the X.509 certificate you input earlier, and enable Create users if they do not exist in Samanage.

This should successfully enable Just In Time provisioning, giving your users access to Samanage accounts on the fly!
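
A reconciliation check for the email-mismatch issue and the Just In Time setting described above, as an added example that is not part of the original document and is not OneLogin or Samanage code. It compares the login value OneLogin would send (the Email, unless overridden in the Edit Login pane) against existing Samanage account emails; the CSV exports, their column names and every sample row are constructed assumptions.

```python
import csv
import io

# Constructed sample exports (not real data); column names are assumptions.
# samanage_login_override models a value typed into the Edit Login pane.
ONELOGIN_CSV = """email,samanage_login_override
j.ames@example.com,
Pat.Lee@example.com,
r.diaz@example.com,rdiaz@example.com
new.hire@example.com,
"""
SAMANAGE_CSV = """email,role
j.ames@example.com,Administrator
pat.lee@example.com,Requester
r.diaz@example.com,Requester
old.contractor@example.com,Administrator
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def norm(addr):
    return addr.strip().lower()

def reconcile(onelogin_rows, samanage_rows):
    """Classify each login OneLogin would send against Samanage accounts."""
    exact = {r["email"] for r in samanage_rows}
    by_norm = {norm(r["email"]): r for r in samanage_rows}
    report = {"matched": [], "near_miss": [], "no_account": [], "orphaned": []}
    claimed = set()
    for row in onelogin_rows:
        # Username is mapped to Email unless an override was entered.
        login = row["samanage_login_override"] or row["email"]
        if login in exact:
            report["matched"].append(login)
        elif norm(login) in by_norm:
            # Differs only by case or whitespace: correct it in Edit Login.
            report["near_miss"].append((login, by_norm[norm(login)]["email"]))
        else:
            # With "Create users if they do not exist" on, first SSO login
            # would create this as a new Samanage account.
            report["no_account"].append(login)
            continue
        claimed.add(norm(login))
    # Samanage accounts that no OneLogin user signs in to.
    report["orphaned"] = [(r["email"], r["role"])
                          for k, r in by_norm.items() if k not in claimed]
    return report
```

In the sample, the wrong override rdiaz@example.com appears under no_account while the real account r.diaz@example.com appears under orphaned, which is the pattern to look for before enabling Create users if they do not exist in Samanage. Orphaned entries holding the Administrator role deserve review first.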

Adding Your Directory

OneLogin easily integrates with all major user and corporate directories, and linking them to your accounts is incredibly easy.

Start by going to Users > Directories and select the directory you wish to integrate.

[Screenshot: 2014-10-28_11-13-38.png]
