The Onelogin integration maximizes the user provisioning process and allows users access to Single Sign-on (SSO). Integrate Forecast and Onelogin and manage users from a single place, ensuring security and compliance.
The Onelogin integration also improves login troubleshooting and decreases potential hacking by allowing maintenance from one platform by adding another level of security to your Forecast account.
This article includes:
Setting up Single-Sign on (SSO) in Onelogin
The integration process starts in Onelogin before it can be finalized in Forecast.
To set up the Single-Sign on in Onelogin
- Log in to Onelogin.
- Click on Applications.
- Click on Add App.
- Click on the App named "OpenId Connect (OIDC)".
- Name the app "Forecast OIDC".
- Click Save.
- Click the Configuration tab.
- Add, "https://app.forecast.it/one-login?iss=ONELOGIN_COMPANY_DOMAIN" in the Login Url field, where ONELOGIN_COMPANY_DOMAIN is your company's OneLogin Domain. Your company's OneLogin Domain is found in the OneLogin URL of your company (https://ONELOGIN_COMPANY_DOMAIN.onelogin.com/).
- Then add, "https://graphql.forecast.it/onelogin/oauth/" under Redirect URI's.
- Click on the Users tab.
- Add the users who should be allowed to use single-sign on, on Forecast.
- Click on the SSO tab.
- Copy the Client ID and Client Secret tab.
- Access the OneLogin integration page in Forecast.
- Click on Admin in the top bar.
- Select Integrations from the dropdown.
- Click Onelogin under the Security and single-sign on (SSO) section.
- Click Activate.
- Enter the company's OneLogin Domain, that you copied from Onelogin, on the OneLogin Forecast page.
- Click Save to finalize the process.
Setting up user provisioning in Onelogin
Once the single sign-on setup in Okta is complete, it is also possible to go implement user provisioning through the Onelogin integration. User provisioning offers these features.
- Push New Users - New users created through OneLogin will also be created in Forecast.
- Push Profile Updates - Updates made to the user's profile through OneLogin will be pushed to Forecast.
- Push User Deactivation/reactivation - Deactivating the user or disabling the user's access to the application through OneLogin will deactivate the user in Forecast.
- Import New Users - New users created in Forecast will be downloaded and turned in to new AppUser objects, for matching against existing OneLogin users.
Configuring user provisioning
The user provisioning needs to be setup in Onelogin by a system administrator.
To configure user provisioning
- Log in to Onelogin.
- Click on Applications.
- Click on Add App.
- Click on the App "SCIM Provisioner with SAML SCIM v2 Core and Enterprise".
- Click on the App.
- Name it "Forecast SCIM".
- Click Save.
- Click on the Configuration tab.
- Enter "https://api.forecast.it/scim/v2" into the SCIM Base URL field and insert the SCIM Bearer Token in the field of the same name.
- Press the Enable button.
- Now click on the Parameters tab.
- Ensure that the "NameID" field maps to the value of "First Name" and that the "SCIM Username" field maps to the value of "Email".
- Click on the Provisioning tab.
- From the same tab enable provisioning. The configuration is now complete and provisioning can be done, for individual users who need access to Forecast, directly under the Users tab in Onelogin.
Custom permission profiles provisioning
For custom permission users, when a user is provisioned, Forecast searches for a “Permission Profile” with the same name as the user type sent from the single-sign-on platform. This check is just comparing names case insensitive. If it doesn’t find a match, it will default to the profile called ‘Collaborator’. If that doesn’t exist either, the provisioning of the user will fail.
Note: Please note that in case a user wishes to deactivate their active single-sign-on integration so that they can enable a different one, it is necessary, to contact Forecast. Please reach out to support@forecast.app.
Comments
0 comments
Article is closed for comments.