SAML Setup Guide (OneLogin)

Step 1 - Get Service Provider (SP) information from Workstars

  • Login to your Workstars administrator account (must be the primary account or technical user)
  • Click on Settings at the top
  • Then click Sign On from the left-hand menu
  • Click the Setup button next to the Single Sign On (SAML) option
  • Select OneLogin
  • From the Service Provider section save a copy of the ACS URL, ACS URL Validator and Entity ID as you will need these in the Step 2.

Step 2 - Add Workstars app to OneLogin

  • Login to OneLogin as an administrator
  • Click Administration in the top right
  • On the main navigation click Applications
  • Click the Add App button
  • In the search box enter “SAML Test” and in the results select SAML Test Connector (Advanced)
  • You should see the Configuration screen
  • In the Display Name box enter the name you want to show your users
  • Upload an appropriate logo for the Rectangular Icon and Square Icon
  • Optionally, add an appropriate description
  • Click Save to continue
  • You should see the Info screen
  • On the left hand side, click the Configuration tab
  • In the Audience box enter our Entity ID from Step 1
  • In the Recipient box enter our ACS URL from Step 1
  • In the ACS (Consumer) URL Validator box enter our ACS URL Validator from Step 1
  • In the ACS (Consumer) URL box enter our ACS URL from Step 1
  • Set the SAML nameID format to “Unspecified”
  • Set the SAML signature element to “Assertion”
  • Click Save to continue
  • You should see the Info screen again
  • On the left hand side, click the SSO tab
  • Set the SAML Signature Algorithm to “SHA-256”
  • Click Save to continue
  • You should see the Info screen again
  • On the left hand side, click the SSO tab again
  • Save a copy of the Issuer URL, SAML 2.0 Endpoint (HTTP) and SLO Endpoint (HTTP) as you will need them in Step 3
  • In the X.509 Certificate field click View Details
  • Save a copy of the X.509 Certificate as you will need it in Step 3

Step 3 - Configure Sign On to use OneLogin

  • Log back in to your Workstars administrator account:

  • In the top bar select Settings

  • On the left hand navigation select Sign On

  • Click Setup next to the Single Sign On (SAML) option

  • Select OneLogin

  • In the SAML SSO URL box enter the SAML 2.0 Endpoint (HTTP) value you copied in Step 2

  • In the Identity Provider Entity ID box enter the Issuer URL value you copied in Step 2

  • In the x509 Certificate box enter the X.509 Certificate value you copied in Step 2. It should be in PEM format which looks like the following:

    -----BEGIN CERTIFICATE-----
    MIIDjDCCAvWgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBgjELMAkGA1UEBhMCREUx
    DDAKBgNVBAgTA05SVzESMBAGA1UEBxMJU3RlaW5mdXJ0MRcwFQYDVQQKEw5TcGVu
    bmViZXJnLmNvbTEUMBIGA1UEAxMLUm9vdENBIDIwMDMxIjAgBgkqhkiG9w0BCQEW
    E3JhbGZAc3Blbm5lYmVyZy5uZXQwHhcNMDMwNDMwMDYwODU2WhcNMDQwNDI5MDYw
    ODU2WjCBgjELMAkGA1UEBhMCREUxDDAKBgNVBAgTA05SVzESMBAGA1UEBxMJU3Rl
    aW5mdXJ0MRcwFQYDVQQKEw5TcGVubmViZXJnLmNvbTEUMBIGA1UEAxMLVlBOLUdh
    dGV3YXkxIjAgBgkqhkiG9w0BCQEWE3JhbGZAc3Blbm5lYmVyZy5uZXQwgZ8wDQYJ
    KoZIhvcNAQEBBQADgY0AMIGJAoGBAMU7nDY6GWyp8rrp0u2EMzZIB7KjLVmSsIZM
    gSzqXO3zuusXTrM6zLdbXcqzBO37WTzFJT7z/7AiEPvecgruQkua0yfTtvvpiBDI
    R7cmT3FA5HXEwO5rh7hvyV5mz7vnrXJouG39j0wfOqINQyUGuZLnIGyGFaDrf/cL
    mpldFIibAgMBAAGjggEOMIIBCjAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1P
    cGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUy1wZm+aKiv4O
    xP1e3/e/PagYfAgwga8GA1UdIwSBpzCBpIAUAbvGM771ml6wDF29Qel4bFStZo6h
    gYikgYUwgYIxCzAJBgNVBAYTAkRFMQwwCgYDVQQIEwNOUlcxEjAQBgNVBAcTCVN0
    ZWluZnVydDEXMBUGA1UEChMOU3Blbm5lYmVyZy5jb20xFDASBgNVBAMTC1Jvb3RD
    QSAyMDAzMSIwIAYJKoZIhvcNAQkBFhNyYWxmQHNwZW5uZWJlcmcubmV0ggEAMA0G
    CSqGSIb3DQEBBAUAA4GBAG+JK5Wv8Y1Nt9/obfeS+0iMxBpDaGWXAYemhLWhOL1i
    dHDbnngZ2QyvGK0Td1Z9Pxlh2rp0MI7FUA7j6/+VzY3WfsMOq1s0lLwWD+/c3kC7
    fbqiuF35dOcoWHWgZtKNhbo4gggQM+++KckxnWOp9+CZ6qfttrUzGxxKpAVAbkB7
    -----END CERTIFICATE-----
    
  • In the Remote Logout URL box enter an appropriate URL (we suggest you use your OneLogin URL e.g. https://<YourCompany>.onelogin.com). This is where you would like the user to be redirected when they logout. If you want your users to be logged out of OneLogin when they logout of our application enter the SLO Endpoint (HTTP) value you copied in Step 2.

  • Leave the NameID as the default Email. We also support EmployeeID but configuring OneLogin is outside the scope of this document, please contact support.

  • Click Confirm to save the settings

Step 4 - Test & Enable

The setup is now complete but it is NOT yet visible for employees on the login page.

Note

Please ensure you have an account in OneLogin which has the new App assigned to it and you have an account in our system with the same email address.

When you are ready you must enable it:

  • On the Sign On page, click the Enable button next to Single Sign On (SAML)
  • Copy the test link
  • Open a Incognito/InPrivate browser tab and paste in the link
  • You should be redirected to the OneLogin login page
  • If you login, you should be redirected back to our system and automatically logged in

Note

If you haven’t already done so, we recommend that you log back in to OneLogin and assign all your users and groups.

  • If the test worked, go back to the other browser window and click the Enable button
  • If you experience any errors please check the settings are correct. If you need further assistance please capture any error message screens and contact support

You have now enabled Single Sign On (SAML) for all employees, to check the login is working:

  • Visit your login URL (not the test one), it should be something like: https://<your-sub-domain>.workstars.com. You should be redirected to the OneLogin login page and asked to login. If you are already logged in, you should be redirected back and logged into our system.
  • Employees can also login directly from the OneLogin portal. To test this, login to the OneLogin portal and click the app. You should be redirected to our site and logged in.

Troubleshooting

Below are a few possible errors and how to resolve them.

On our login page it says “Sorry we could not find your account, please contact your HR Team”

Strictly speaking this isnt an error. The reason is that you have tried to login via SAML but the account you have used does not have a matching account in our system. To resolve it simply create an account in our system with the same details. If you are not using email as the nameID please check that the alternative is the same in both systems (e.g. employeeID, extnernaID, etc.) and that it is being correctly sent in the SAML request.

On our login page it says “There is a problem with Single Sign On please contact your IT department.”

This is a general error and means that there is something wrong with the setup. Please check it is setup as described above, if you have followed a different guide (some providers also have their own guides) please start again using this document as a guide. If you have checked everything and cannot find any issues please contact support and we will help you resolve the problem.

I can login from the Identity Providers portal but when I try and login from the Workstars login page it redirects me to a message that says “page not found” or another error

This is usually because you have entered an incorrect SAML SSO URL, please check it is correct. If you have checked and cannot find any issues please contact support and we will help you resolve the problem.