It is possible to configure Single Sign-On and Multi-Factor Authentication with OneLogin within Forecast.
OneLogin & Forecast
The integration with OneLogin allows users to use OneLogin as the Single Sign-On and Multi-Factor Authentication service for accessing Forecast. This integration adds an additional layer of security to your Forecast account. Please keep in mind that in order to use this integration, users must have the same email in Forecast and OneLogin. You can set your email manually in Forecast or you can create Forecast users in OneLogin by provisioning.
The article below will walk you through setting up the integration and how you can use provisioning.
Setting up OneLogin Single Sign On (SSO)
1. Go to Apps > Add App
2. Click the app named "OpenId Connect (OIDC)"
3. Name the app "Forecast OIDC" and click SAVE
4. Go to the Configuration tab
Add "https://app.forecast.it/one-login?iss=ONELOGIN_COMPANY_DOMAIN" in the Login Url field, where ONELOGIN_COMPANY_DOMAIN is your company's OneLogin Domain. Your company's OneLogin Domain is found in the OneLogin URL of your company (https://ONELOGIN_COMPANY_DOMAIN.onelogin.com/).
Then, add "https://graphql.forecast.it/onelogin/oauth/" under Redirect URI's
5. Under the Users tab, add the users who should be allowed to use SSO on Forecast
6. Go to the SSO tab. Then, copy the Client ID and Client Secret, and enter them on the OneLogin Forecast page.
7. Enter your company's OneLogin Domain on the OneLogin Forecast page.
Setting up provisioning
The following provisioning features are supported:
- Push New Users - New users created through OneLogin will also be created in Forecast
- Push Profile Updates - Updates made to the user's profile through OneLogin will be pushed to Forecast
- Push User Deactivation/reactivation - Deactivating the user or disabling the user's access to the application through OneLogin will deactivate the user in Forecast
- Import New Users - New users created in Forecast will be downloaded and turned into new AppUser objects, for matching against existing OneLogin users
1. Repeat steps 1-3 from Setting up SSO for an app named "SCIM Provisioner with SAML (SCIM v2 Core/Enterprise)"
2. Name the app "Forecast SCIM" and press SAVE
3. On the Configuration tab enter "https://api.forecast.it/scim/v2" into the SCIM Base URL field and insert the SCIM Bearer Token in the field of the same name. Then press the Enable button
4. On the Parameters tab, ensure that the "NameID" field maps to the value of "First Name" and that the "SCIM Username" field maps to the value of "Email"
5. Under the Provisioning tab, enable provisioning
6. Users to be provisioned can be controlled from the Users tab
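Because SSO only works when a user has the same email in Forecast and OneLogin, it helps to compare the two user lists before enabling the integration. The script below is an added example, not part of Forecast or OneLogin; the email lists are constructed sample data, and the function names and the idea of exporting each product's users to a list are assumptions. The article does not say whether emails are compared case-sensitively, so addresses that differ only by case or whitespace are reported separately.

```python
# Added example: pre-flight check for the "same email in Forecast and OneLogin"
# requirement. All addresses below are constructed sample data.

SAMPLE_ONELOGIN = ["alice@example.com", "Bob@Example.com", "carol@example.com"]
SAMPLE_FORECAST = ["alice@example.com", "bob@example.com", "dave@example.com"]


def normalize(email):
    """Trim whitespace and lowercase, so near-matches can be detected."""
    return email.strip().lower()


def compare_accounts(onelogin_emails, forecast_emails):
    """Classify each OneLogin user by whether Forecast has the same email.

    exact      - identical email string on both sides
    near_match - differs only by case/whitespace; align before enabling SSO
    missing    - no Forecast account; set up manually or via provisioning
    """
    forecast_exact = set(forecast_emails)
    forecast_norm = {normalize(e) for e in forecast_emails}
    result = {"exact": [], "near_match": [], "missing": []}
    for email in onelogin_emails:
        if email in forecast_exact:
            result["exact"].append(email)
        elif normalize(email) in forecast_norm:
            result["near_match"].append(email)
        else:
            result["missing"].append(email)
    for bucket in result.values():
        bucket.sort()
    return result


def forecast_only(onelogin_emails, forecast_emails):
    """Forecast accounts with no matching OneLogin user: review these as
    possibly stale accounts or users still to be added in OneLogin."""
    onelogin_norm = {normalize(e) for e in onelogin_emails}
    return sorted(e for e in forecast_emails if normalize(e) not in onelogin_norm)


if __name__ == "__main__":
    report = compare_accounts(SAMPLE_ONELOGIN, SAMPLE_FORECAST)
    for status, emails in report.items():
        print(f"{status}: {emails}")
    print("forecast_only:", forecast_only(SAMPLE_ONELOGIN, SAMPLE_FORECAST))
```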