Setting up single sign-on within Onelogin
The integration process starts in Onelogin and is then finalized in Forecast. Make sure you are logged in as an administrator in both systems before starting the integration setup.
To set up single sign-on in Onelogin
- Log in to Onelogin as administrator.
- Click on Applications.
- Click on Add App.
- Click on the App named "OpenId Connect (OIDC)".
- Name the app "Forecast OIDC".
- Click Save.
- Click the Configuration tab.
- Fill out the following details:
  - Login Url: https://app.forecast.it/one-login?iss=ONELOGIN_COMPANY_DOMAIN where ONELOGIN_COMPANY_DOMAIN is your company's Onelogin Domain. Your company's Onelogin Domain is found in the Onelogin URL of your company (https://ONELOGIN_COMPANY_DOMAIN.onelogin.com/).
  - Redirect URI: add https://graphql.forecast.it/onelogin/oauth/
- Click on Users on the left sidebar.
- Add the users who should be allowed to log in to Forecast with single sign-on.
- Click on SSO on the left sidebar.
- Copy the Client ID and Client Secret shown on this tab. You will need this information later on.
- Access the Onelogin integration page in Forecast.
- Click on Admin in the top bar.
- Select Integrations from the dropdown.
- Click Onelogin under the Security and single-sign on (SSO) section.
- Click Activate.
- Enter the company's Onelogin Domain, the client ID and the client secret that you copied from Onelogin, in the Forecast setup page.
- Click Save.
- Under Require SSO on the integrations page, enable the toggle to make single sign-on mandatory. This requires login via Onelogin and disables logging in via email and password. We recommend selecting at least one Admin user to be exempted in case any issue arises with the single sign-on provider, so that the exempted user can still access Forecast and disable the single sign-on requirement for the rest of the users.
Setting up user provisioning in Onelogin
Once the single sign-on setup in Onelogin is complete, it is also possible to implement user provisioning through the Onelogin integration. User provisioning needs to be set up in Onelogin by a system administrator. It offers the following features:
- Push New Users - New users created through Onelogin will also be created in Forecast.
- Push Profile Updates - Updates made to the user's profile through Onelogin will be pushed to Forecast.
- Push User Deactivation/reactivation - Deactivating the user or disabling the user's access to the application through Onelogin will deactivate the user in Forecast.
- Import New Users - New users created in Forecast will be downloaded and turned into new AppUser objects, for matching against existing Onelogin users.
To configure user provisioning
- Log in to Onelogin as admin.
- Click on Applications.
- Click on Add App.
- Click on the App "SCIM Provisioner with SAML SCIM v2 Core and Enterprise".
- Click on the App.
- Name it "Forecast SCIM".
- Click Save.
- Click on the Configuration tab.
- Enter "https://api.forecast.it/scim/v2" into the SCIM Base URL field and insert the SCIM Bearer Token in the field of the same name.
- Press the Enable button.
- Now click on the Parameters tab.
- Ensure that the "NameID" field maps to the value of "First Name" and that the "SCIM Username" field maps to the value of "Email".
- Click on the Provisioning tab.
- On the same tab, enable provisioning. The configuration is now complete, and individual users who need access to Forecast can be provisioned directly under the Users tab in Onelogin.
Custom permission profiles provisioning
For custom permission users, when a user is provisioned, Forecast searches for a “Permission Profile” with the same name as the user type sent from the single sign-on platform. The check compares names only and is case-insensitive. If no match is found, the user defaults to the profile called ‘Collaborator’. If that profile doesn’t exist either, the provisioning of the user will fail.
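A pre-provisioning audit of the fallback rule described above, as an added example (not Forecast's or Onelogin's code). The profile and user lists are constructed sample data; using `casefold()` for the case-insensitive comparison, an exact-name lookup for the fallback profile, and no whitespace trimming are assumptions. It lists which users would silently receive the default profile, or fail, because their user type does not match a profile name.

```python
from collections import defaultdict

FALLBACK = "Collaborator"  # default profile name given in the article


def resolve_profile(user_type, profile_names):
    """Return (profile, outcome); outcome is match, fallback, ambiguous or fail."""
    by_key = defaultdict(list)
    for name in profile_names:
        # Assumption: casefold() models the "case insensitive" comparison.
        by_key[name.casefold()].append(name)

    # Assumption: the user type is compared as sent, with no trimming.
    hits = by_key.get((user_type or "").casefold(), [])
    if len(hits) == 1:
        return hits[0], "match"
    if len(hits) > 1:
        # The article does not say which profile wins when names differ only by case.
        return None, "ambiguous"
    if FALLBACK in profile_names:  # assumption: fallback found by exact name
        return FALLBACK, "fallback"
    return None, "fail"


def audit(users, profile_names):
    """Group (username, user_type, profile) tuples by outcome for review."""
    report = defaultdict(list)
    for username, user_type in users:
        profile, outcome = resolve_profile(user_type, profile_names)
        report[outcome].append((username, user_type, profile))
    return dict(report)


# Constructed sample data, not taken from any real tenant.
PROFILES = ["Admin", "Project Manager", "Collaborator"]
USERS = [
    ("ana@example.com", "admin"),             # differs only by case: match
    ("bo@example.com", "Project Manger"),     # typo: falls back
    ("cy@example.com", ""),                   # no user type sent: falls back
    ("di@example.com", "Project Manager "),   # trailing space: falls back
]

if __name__ == "__main__":
    for outcome, rows in audit(USERS, PROFILES).items():
        for username, user_type, profile in rows:
            print(f"{outcome:9} {username:18} {user_type!r} -> {profile}")
```

Review every row reported as `fallback` before enabling provisioning, since those users receive the default profile rather than the one intended for their user type.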
Switching authentication types
If a user is not included in the Onelogin database to log in via single sign-on and single sign-on isn't required in Forecast, the user will still be able to log in to Forecast with their regular Forecast email and password.
If you are looking to switch to another single sign-on provider, contact Forecast Support to disable the existing SSO integration to avoid system conflicts.