OneLogin SSO Setup

Updated 5 months ago by Amy Tranter

If you use OneLogin as your Single Sign-On provider, here are the steps you or your IdP admin need to complete in order to create an integration between your OneLogin and Criteria accounts.

Create a OneLogin SAML application

  1. On the OneLogin portal page (https://your-new-domain.onelogin.com/portal/), choose Administration.
  2. At the top of the Administration page click on Applications and then click on Add App at the top left.
  3. In the search bar under Find Applications, enter saml, and then choose OneLogin SAML Test (IdP) to open the Add OneLogin SAML Test (IdP) page.
  4. For Display Name enter Criteria.
  5. Choose Save.

Edit your OneLogin application configuration

  1. Choose Configuration.
  2. On the Configuration page, do the following:
    1. For Audience, enter urn:amazon:cognito:ap-southeast-2_htcOeRF9C
    2. Leave Recipient blank.
    3. For ACS (Consumer) URL Validator, enter https://app-au.auth.ap-southeast-2.amazoncognito.com/saml2/idpresponse
    4. For ACS (Consumer) URL, enter https://app-au.auth.ap-southeast-2.amazoncognito.com/saml2/idpresponse
    5. Leave Single Logout URL blank.
  3. Edit your OneLogin application's parameter
    1. Choose Parameters(Note: One parameter (NameID (fka Email)) is already listed—this is expected.)
  4. Choose Add parameter to create a new, custom parameter.
    1. In the New Field dialog, for Field name, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
    2. For Flags, select the Include in SAML assertion check box.
    3. Choose Save.
  5. For Value, choose UUID from the list.
  6. Choose Save.
  7. Do the same for the following and make sure to select Include in SAML assertion like above:
    1. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress with value Email
    2. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstname with value First Name
    3. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lastname with value Last Name
  8. The parameters should look like the image below:

Copy the IdP metadata for your OneLogin application

  1. Choose SSO
  2. Under Issuer URL, copy the URL and send to Criteria Corp.
  3. Choose Save to save all your changes to your OneLogin application.

Click here for the next steps in the SSO integration setup process.

Parameters Needed

Here is a recap of the parameters required to set up an integration between OneLogin and Criteria.

Criteria Provided Parameters
  1. Entity ID (Audience URI): urn:amazon:cognito:ap-southeast-2_htcOeRF9C
  2. Assertion Consumer Service URL: https://app-au.auth.ap-southeast-2.amazoncognito.com/saml2/idpresponse
  3. First-Time Sign-On URL/BookMark: https://app-au.criteriacorp.com/?companyAccountId=<companyAccountId>
  4. Our Required SAML Attributes
    1. Idp Immutable Global Unique Identifier (Varies by Idp)
    2. First Name
    3. Last Name
    4. Email Address
  5. Optional Recommended SAML Attribute
    1. Job Title
Customer Provided Parameters
  1. Federation Metadata Document endpoint URL (Can also be an XML Document but URL preferred)


How did we do?