Note: SAML Single Sign-On is not enabled in the Auvik trial.
1. Configuring SAML in Auvik and OneLogin
Before you begin, you’ll need to have the SAML 2.0 endpoint (HTTP), issuer URL, and X.509 certificate from OneLogin.
Obtaining SAML configuration information and certificate from OneLogin
First, you need the SAML 2.0 Endpoint (HTTP), Issuer URL, and X.509 Certificate from OneLogin.
- From the OneLogin app catalogue, search and add the Auvik SAML Application.
- In the configuration panel, set the display name for the application in the portal.
- Click Save.
- Click the SSO tab in the left-hand menu.
- Copy the Issuer URL and SAML 2.0 Endpoint (HTTP). You will need this information when configuring SAML in Auvik (step 14).
- Under the X.509 Certificate tab, click View details.
- Set the SHA fingerprint to SHA-256.
- Under X.509 certificate, set the format to X.509 PEM.
- Click Download. You will need this in step 13 in Auvik.
- Change the SAML Signature Algorithm to SHA-256.
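Before uploading the downloaded PEM file to Auvik, it is worth confirming that its SHA-256 fingerprint matches the one OneLogin displays on the certificate details page. The following is an added example, not code from Auvik or OneLogin; the function names are hypothetical and the sample "certificate" is constructed placeholder bytes.

```python
import hashlib
import hmac
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)


def pem_sha256_fingerprint(pem_text: str) -> str:
    """Return the SHA-256 fingerprint of the single certificate in pem_text."""
    blocks = PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1:
        # An IdP signing-certificate file should hold exactly one certificate.
        raise ValueError(f"expected 1 certificate, found {len(blocks)}")
    der = ssl.PEM_cert_to_DER_cert(blocks[0])  # fingerprint covers the DER bytes
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fingerprint: str) -> str:
    """Drop separators and case so copy-pasted values compare cleanly."""
    return re.sub(r"[^0-9a-f]", "", fingerprint.lower())


def fingerprint_matches(pem_text: str, displayed: str) -> bool:
    """True if the file's fingerprint equals the one shown by the IdP."""
    expected = _normalize(displayed)
    if len(expected) != 64:  # SHA-256 is 32 bytes; a SHA-1 value is rejected
        return False
    actual = _normalize(pem_sha256_fingerprint(pem_text))
    return hmac.compare_digest(actual, expected)


# Constructed stand-in for the downloaded file: placeholder bytes in PEM
# armor, not a real certificate. The fingerprint depends only on those bytes.
SAMPLE_DER = bytes(range(200))
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

if __name__ == "__main__":
    print(pem_sha256_fingerprint(SAMPLE_PEM))
```

In practice, read the downloaded file's text and pass the fingerprint copied from OneLogin as `displayed`.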
The Auvik application from the OneLogin catalog comes with most of the parameters preconfigured. You’ll only need to change a few parameters described below.
Configuring SAML in Auvik
Next, configure SAML within Auvik:
- In Auvik, go to the dashboard for the site you wish to configure.
- Click Settings in the Auvik navigation menu.
- Click the Authentication tab.
- Click Browse on the IdP signature certificate field and upload the X.509 certificate file you downloaded from OneLogin.
- Enter the OneLogin issuer URL in the IdP issuer URI field, and the OneLogin SAML 2.0 endpoint (HTTP) in the IdP Single Sign-On URL field. Keep this tab open as you’ll need to copy items from here and paste them during steps 16 and 17.
Note: If you have configured SAML at the wrong site, simply delete the SAML configuration and restart at the correct site.
Completing SAML configuration in OneLogin
Finally, we’ll complete the configuration back in OneLogin:
- In OneLogin, click the Configuration tab in the left-hand menu.
- Enter the domain prefix for the site you want to add in the Auvik domain prefix field, or a root tenant to add all of the sites under it.
- Enter your full ACS URL from the Auvik Authentication settings page into the Auvik ACS URL field.
- Enter your full Audience URI from the Auvik Authentication settings page in the Auvik Audience URI field.
- In the Info tab in the left-hand menu, make sure the “Visible in portal” switch is turned on.
- Click Save.
2. Testing your SAML configuration
Once SAML configuration is complete in Auvik and OneLogin, you’ll need to test the configuration in Auvik. SSO will be temporarily enabled for the test user in Auvik.
Note: Testing SAML configuration in Auvik is only available for SAML configurations that aren’t in use.
- In OneLogin, grant your test user access to the Auvik SAML application:
  - Log in to the OneLogin administrator dashboard.
  - Go to Users and select All Users.
  - Select the test user.
  - Optionally, you can create a new role with your test user and assign the Auvik application to the new role.
  - Click the Applications tab.
  - Click Add (plus icon).
  - Select Auvik.
- In Auvik, go to the dashboard for the site you configured above.
- Click on Settings in the Auvik navigation menu.
- Click on the Authentication tab.
- Click Test SSO.
- Select the test user.
- In an incognito browser window, log in to Auvik with your test user using your test user’s OneLogin credentials. You must complete the test within 30 minutes, or Auvik will automatically restore the previous settings.
- In Auvik, click to confirm whether the test user was able to log in.
For additional instructions, see OneLogin documentation on how to assign applications to users and how to assign applications to roles.
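If the test login fails, comparing a SAMLResponse captured from your own test session against the values entered in section 1 shows which field disagrees. The following is an added example, not Auvik or OneLogin code; the example.com URLs are constructed placeholders, and it assumes an RSA signing certificate, so the SHA-256 setting appears as the rsa-sha256 algorithm URI.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed placeholders: real values come from the OneLogin SSO tab and
# the Auvik Authentication settings page.
IDP_ISSUER = "https://idp.example.com/saml/metadata/PLACEHOLDER"
ACS_URL = "https://sp.example.com/saml/acs"
AUDIENCE_URI = "https://sp.example.com/saml/audience"


def check_response(b64_response, idp_issuer, acs_url, audience_uri):
    """List mismatches between a captured SAMLResponse and the settings.

    Diagnostic only: it does not verify the XML signature, and it should be
    run only on a response captured from your own test login.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    issuer = (root.findtext(".//saml:Issuer", "", NS) or "").strip()
    if issuer != idp_issuer:
        problems.append(f"Issuer {issuer!r} does not match IdP issuer URI")
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} is not the ACS URL")
    audiences = [(a.text or "").strip() for a in root.iterfind(".//saml:Audience", NS)]
    if audience_uri not in audiences:
        problems.append(f"Audience {audiences} does not include the Audience URI")
    algs = [m.get("Algorithm") for m in root.iterfind(".//ds:SignatureMethod", NS)]
    if not algs:
        problems.append("SignatureMethod missing: response is unsigned")
    elif any(a != RSA_SHA256 for a in algs):
        problems.append(f"SignatureMethod {algs} is not RSA-SHA256")
    return problems


def sample_response(sig_alg=RSA_SHA256, audience=AUDIENCE_URI):
    """Constructed response with no real signature value, for the demo only."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
 xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" Destination="{ACS_URL}">
<saml:Assertion><saml:Issuer>{IDP_ISSUER}</saml:Issuer>
<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{sig_alg}"/>
</ds:SignedInfo></ds:Signature><saml:Conditions><saml:AudienceRestriction>
<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
</saml:Conditions></saml:Assertion></samlp:Response>"""
    return base64.b64encode(xml.encode())
```

An empty list from `check_response` means the issuer, destination, audience and signature algorithm all agree with the configured values.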
3. Granting your users access to Auvik in OneLogin
Users whose accounts have been migrated to SSO can only log in using their OneLogin credentials. Please ensure all users that you want using SSO in Auvik are also registered in OneLogin, and are configured to have access to the Auvik application.
To grant other users access to the Auvik application in OneLogin:
- Log in to the OneLogin administrator dashboard.
- Go to Users and select All Users.
- Select the desired users.
- Optionally, you can create a new role with your desired users and assign the Auvik application to the new role.
- Click the Applications tab.
- Click Add (plus icon).
- Select Auvik.
For additional instructions, see OneLogin documentation on how to assign applications to users and how to assign applications to roles.
4. Enabling SSO and migrating your users to SSO in Auvik
Select the authentication method for users on your site:
- In Auvik, go to the dashboard for the site you configured above.
- Click Settings in the navigation menu.
- Click the Authentication tab.
- Select the desired Authentication Method:
  - Password, Google account, and Microsoft account
  - Single sign-on for selected users
  - Single sign-on for all users
- Click Save.
Users whose accounts have been migrated to SSO can now only log in through their OneLogin credentials. Please ensure all users that you want using SSO in Auvik are also registered in OneLogin and are configured to have access to Auvik.
Currently, Auvik SSO does not support just-in-time provisioning. You must invite the user to Auvik.
If Single sign-on for selected users is selected, this will start the user migration wizard to let you select the users that you want to migrate to SSO. There are three options:
- All users that belong to this site
- All users that belong to an email domain
- Select individual users
After selecting the users to migrate, you’ll be asked to confirm your selection and to start the migration. You can migrate more users to SSO at any time by editing the user. You can also specify that a user must use SSO when you invite them.
If Single sign-on for all users is selected, this will start the user migration wizard to confirm the selected users that will be migrated to SSO. Any users that weren’t migrated will lose authorization to the site. Selecting this option will prevent you from inviting new users that already have an Auvik account—for example, consultants—because they’ll be using a conflicting authentication method. In this scenario, select Single sign-on for selected users.
If your browser tab or window is closed while the migration is in progress, you can view the progress from the Authentication Method pane.
- Go to the desired site dashboard.
- Click Settings in the Auvik navigation menu.
- Click the Authentication tab. Under Authentication Method, click the See Status link.