Configuring Single Sign-on with OneLogin
Important: This tutorial applies to organizations in either our Growth tier, or higher tiers. If you are on another plan, please contact support.
Overview
If your organization uses OneLogin as an identity management and access platform, you can now set up Single Sign-on for your professionals using SAML 2.0. With our SSO integration you also get:
-
Automatic provisioning of all new users
-
Mapping of user attributes from OneLogin to Clearview Social
-
Login to Clearview Social using your SSO domain
The following tutorial will show you step-by-step how to create a new connection in OneLogin, and how to configure that connection to allow your users to login.
Important: You must be an administrator both for OneLogin, and for your Clearview Social organization to complete this tutorial!
Step 1: Create the application in OneLogin
-
Go to the Administration section of your OneLogin account
-
Go the Applications administration page, located in the top menu bar
-
Click the “Add App” button to create a new application
-
Type “SAML” in the search bar, and select the “SAML Custom Connector (Advanced)” application:
-
Change the name to “Clearview Social Login”
-
Click “Save” to add the application
Step 2: Configure the application in Clearview Social
Important: This step assumes you already have an x.509 certificate created within OneLogin. If you do not yet have an x.509 certificate, please first complete the “Creating a Certificate” guide for OneLogin.
-
After creating the application, click the SSO menu item in the left-hand navigation
-
With this page open, in a separate browser tab go to: https://app.clearviewsocial.com/org/settings/sso
-
Copy the following items from the OneLogin SSO configuration page, into the Clearview Social SSO Settings page:
-
Right-click “View Details” under the x.509 certificate to open the certificate details page in a new tab. Click the “Copy to Clipboard” button to copy the x.509 Certificate section of the certificate details. (Note: This section starts with
-----BEGIN CERTIFICATE-----and then has a bunch of characters under it). In the Clearview Social tab, paste the certificate under “Your Public Certificate”. Then you can close the certificate details page. Keep SSO Configuration and SSO Settings open! -
Click the “Copy to Clipboard” button next to “Issuer URL”, and in the Clearview Social tab, paste the URL under “Issuer URL”
-
Click the “Copy to Clipboard” button next to “SAML 2.0 Endpoint (HTTP)”, and in the Clearview Social tab, paste the URL under “Single Sign-In URL”
-
Click the “Copy to Clipboard” button next to “SLO Endpoint (HTTP)”, and in the Clearview Social tab, paste the URL under “Single Logout URL”
-
-
After copying these values, go to the Clearview Social SSO Settings tab, and enter the following:
-
Under “Valid Domains”, enter any valid email domains you use for your corporate login. Note: These will always be corporate domain names, for example clearviewsocial.com, or yourfirmname.com. Gmail, Yahoo, Outlook.com are not valid domains for SSO!
-
Under “SSO Platform”, select “OneLogin”
-
-
On the Clearview Social SSO Settings tab, click “Save”
Step 3: Configure the connection in OneLogin
-
Once you have saved the SSO Settings in Clearview Social, scroll to the bottom of the page. You’ll see the “Provider SSO Settings”.
-
In the OneLogin tab, click the “Configuration” menu item in the left-hand navigation.
-
Copy the following values from the Clearview Social SSO Settings page into the OneLogin Application Configuration page:
-
“Our SSO URL” should be copied under the “Recipient” label
-
“Our SLO URL” should be copied under the “Single Logout URL” label
-
“Our Entity ID” should be copied under the “Audience (EntityID) label
-
-
After copying these values, go to the OneLogin Application Configuration tab, and enter the following:
-
If you want SP-initiated login, enter the same value you entered for “Recipient” into “Login URL”, but remove “/callback” from the end of the URL path
-
Under “ACS (Consumer) URL”, enter the same value you entered for “Recipient”
-
Under “ACS (Consumer) URL Validator”, enter
.* -
Select the “SAML Initiator” – if you want to login only through Clearview Social, select “Service Provider”, otherwise keep “OneLogin”
-
Use “Email” as the SAML nameID Format
-
Keep other dropdown values as their defaults
-
Keep other options set to their defaults
-
-
Click the “Save” button at the top of the screen to save these settings
Step 4: Configure Encryption for Assertions (Recommended)
Important: If you do not wish to encrypt your assertions, skip this step and go to Step 5. While it is not required to encrypt assertions, doing so is highly recommended.
-
In the Application Configuration page of OneLogin, find and click the “Encrypt assertion” checkbox
-
Scroll to the bottom of the page, you should see a box to enter a certificate as follows:
-
In the SSO Settings page of Clearview Social, copy out the public certificate under the section “Our Public Certificate”, and paste it into the “Public Key” above. “Our Public Certificate” should look something like the following:
-
Click the “Save” button at the top of the screen to save these settings
Step 5: Configure Attributes in OneLogin
Important: The values used here are going to be highly dependent on the setup of your identity store. The suggested values below assume a user pool created in OneLogin. What’s more important here is that the suggested attributes are named to our specifications:
-
Once you have saved Application Configuration, click the “Parameters” menu item in the left-hand navigation. You should see something like the following, with the default NameID value of “Email”:
Note: When saving values, you should see a modal that looks like the following:
-
To complete this setup, click the “+” icon to add attributes, and add the following attributes (for each attribute, click the checkbox for “Include in SAML assertion”):
-
“First Name” which should map to a value of “First Name”
-
“Last Name” which should map to a value of “Last Name”
-
“MemberOf” which should map to a value of “MemberOf”
-
-
When completed, your parameter configuration should look like the following:
Step 6: Add Users to your Application in OneLogin
Important: This step is highly dependent on your Identity Provider setup. If you need assistance on getting users added to an application in OneLogin, please reach out to our support team for assistance. For our example, we will add users that were already created within OneLogin:
-
In the OneLogin Administration section, click on the “Users” item in the top menu bar
-
Click on the user from the list that you would like to add
-
From the User Details page, click the “Applications” item in the left-hand navigation
-
Click the “+” icon to add a new application for the user
-
Select the “Clearview Social Login” application
-
Add any user attributes specific to the application here. Note: the “NameID value”, “First Name” and “Last Name” should already be filled in. If you want to add groups, add the names of any groups in the “MemberOf” field, and click “Save”
Step 7: Test Your Login
Important: If you were logged into Clearview Social already to complete the previous steps, log out of Clearview Social before testing the connection!
-
At this point, you should be able to log into Clearview Social using the OneLogin portal. Go to your OneLogin user portal, and find the “Clearview Social Login” app.
-
Click the “Clearview Social Login” app to complete login through Clearview Social
-
You should be successfully logged into Clearview Social with your OneLogin user. If the OneLogin user was not previously in Clearview Social, you should see an activation screen, and you will receive an email to activate your account.
Any Further Questions?
If you have any further questions about setting up SSO for your organization, please use the chat bubble within Clearview Social, or reach out to support to learn more!
