Skip to main content

Help Center

What can we help you with?

Integrating Onelogin with Forecast (Plus only)

Alexander P.
  • Updated
The Onelogin integration maximizes the user provisioning process and allows users access to Single Sign-on (SSO). Integrate Forecast and Onelogin and manage users from a single place, ensuring security and compliance.
The Onelogin integration also improves login troubleshooting and decreases potential hacking by allowing maintenance from one platform by adding another level of security to your Forecast account.
 
This article includes:

Setting up Single-Sign on (SSO) in Onelogin

The integration process starts in Onelogin before it can be finalized in Forecast.

To set up the Single-Sign on in Onelogin

  1. Log in to Onelogin.
  2. Click on Applications.
    OneLogin1.png
  3. Click on Add App.
  4. Click on the App named "OpenId Connect (OIDC)".
    OneLogin_2.png
  5. Name the app "Forecast OIDC".
  6. Click Save.
    OneLogin3.png
  7. Click the Configuration tab.
  8. Add, "https://app.forecast.it/one-login?iss=ONELOGIN_COMPANY_DOMAIN" in the Login Url field, where ONELOGIN_COMPANY_DOMAIN is your company's OneLogin Domain. Your company's OneLogin Domain is found in the OneLogin URL of your company (https://ONELOGIN_COMPANY_DOMAIN.onelogin.com/).
  9. Then add, "https://graphql.forecast.it/onelogin/oauth/" under Redirect URI's.
    OneLogin4.png
  10. Click on the Users tab.
  11. Add the users who should be allowed to use single-sign on, on Forecast.
    OneLogin5.png
  12. Click on the SSO tab.
  13. Copy the Client ID and Client Secret tab.
    OneLogin6.png
  14. Access the OneLogin integration page in Forecast.
    1. As an admin, click on the profile icon in the right hand corner of the Forecast platform from anywhere. 
    2. Click on Admin.
    3. From the admin panel, click on the Integrations tab.
    4. Scroll until you come across the Security and single-sign on (SSO) section.
    5. Click on Onelogin.
    6. Click Activate.
    7. Enter the company's OneLogin Domain, that you copied from Onelogin, on the OneLogin Forecast page.
      onelogin7.PNG
    8. Click Save to finalize the process.

 

Setting up user provisioning in Onelogin

Once the single sign-on setup in Okta is complete, it is also possible to go implement user provisioning through the Onelogin integration. User provisioning offers these features.

  • Push New Users - New users created through OneLogin will also be created in Forecast.
  • Push Profile Updates - Updates made to the user's profile through OneLogin will be pushed to Forecast.
  • Push User Deactivation/reactivation - Deactivating the user or disabling the user's access to the application through OneLogin will deactivate the user in Forecast.
  • Import New Users - New users created in Forecast will be downloaded and turned in to new AppUser objects, for matching against existing OneLogin users.

Configuring user provisioning

The user provisioning needs to be setup in Onelogin by a system administrator.

To configure user provisioning

  1. Log in to Onelogin.
  2. Click on Applications.
  3. Click on Add App.
  4. Click on the App "SCIM Provisioner with SAML SCIM v2 Core and Enterprise".
    SCIM_1.png
  5. Click on the App.
  6. Name it "Forecast SCIM".
  7. Click Save.
    SCIM_2.png
  8. Click on the Configuration tab.
  9. Enter "https://api.forecast.it/scim/v2" into the SCIM Base URL field and insert the SCIM Bearer Token in the field of the same name.
  10. Press the Enable button.
  11. Now click on the Parameters tab.
  12. Ensure that the "NameID" field maps to the value of "First Name" and that the "SCIM Username" field maps to the value of "Email".
  13. Click on the Provisioning tab.
  14. From the same tab enable provisioning. The configuration is now complete and provisioning can be done, for individual users who need access to Forecast, directly under the Users tab in Onelogin.

Custom permission profiles provisioning

For custom permission users, when a user is provisioned, Forecast searches for a “Permission Profile” with the same name as the user type sent from the single-sign-on platform. This check is just comparing names case insensitive. If it doesn’t find a match, it will default to the profile called ‘Collaborator’. If that doesn’t exist either, the provisioning of the user will fail.

 

Note: Please note that in case a user wishes to deactivate their active single-sign-on integration so that they can enable a different one, it is necessary, to contact Forecast. Please reach out to support@forecast.app.

Related articles

Comments

0 comments

Article is closed for comments.