Set up single sign-on

Set up single sign-on with SAML

After you've enabled SAML (by building a SAML server or using one of the SAML services), all authentication will be handled outside your MRI OnLocation. This can be paired with our Active Directory Sync feature to automatically add/change/delete users in your OnLocation account.

The only user data that is stored in OnLocation is the user name and email address. However, you can also choose to sync the following user data: phone, location, given name, surname, and role. You do this by adding these attributes to your SAML assertion code.

How SAML for OnLocation works

SAML for OnLocation works the same way it does with all other service providers. The typical use case is that your users belong to a corporation, and all user authentication is managed by your corporate authentication system (for example, Active Directory or LDAP), which is referred to generically as an identity provider (IdP).

The service provider (SP) establishes a trust relationship with the IdP, allowing the external IdP to authenticate users and seamlessly log them into OnLocation. In other words, a user logs in at work and then has automatic access to many other corporate applications, such as email, your CRM, and so on, without having to log in separately to those services. Aside from the convenience this provides users, all user authentication is handled internally by a system you have complete control over.

After you've enabled SAML as the type of single sign-on (SSO) for your OnLocation, users who visit your OnLocation and attempt to log in are redirected to your SAML server for authentication. Your users' identities can be stored either on the SAML server or validated by an identity directory such as Microsoft Active Directory or LDAP. Once authenticated, users are redirected back to your OnLocation and automatically logged in.

Configuring your SAML implementation

When considering a SAML service, you have several options, including building an in-house SAML server (for example, OpenAM) or choosing a SAML service such as Okta, OneLogin, or PingIdentity.

To set up SAML in your OnLocation, you'll need the following:

  • A SAML server with provisioned users or connected to an identity repository such as Microsoft Active Directory or LDAP
  • The Remote Login URL for your SAML server (sometimes called SAML SSO URL)
  • The SHA1 fingerprint of the SAML certificate from your SAML server

After properly configuring your SAML server, you can configure SAML within your OnLocation using the remote login URL and the SHA1 fingerprint.

Enabling SAML SSO in OnLocation

With your SAML server configured and the information you need to set up SAML in OnLocation ready, log in to OnLocation. You will need the IT Support or Account Owner user role to access these settings:

  1. Go to Tools > Account.
  2. Select Employee Access from the left-side menu.
  3. In the Employee Access tab, select Yes next to Single sign-on with SAML.

  4. To enable SAML, fill out the following options:

SAML SSO URL

This is the URL that OnLocation will invoke to redirect users to your Identity Provider.

Remote logout URL

This is the URL that OnLocation will return your users to after they log out.

Certificate Fingerprint

The SHA1 fingerprint of the SAML certificate is obtained from your Identity Provider.
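An added example, not MRI OnLocation's or any identity provider's code: it computes the SHA1 fingerprint from the IdP signing certificate in PEM form and checks it against the value you were given, tolerating the usual colon, space, case and "SHA1 Fingerprint=" prefix differences. The certificate bytes in the block are constructed for the demonstration, not a real certificate.

```python
# Added example: SHA1 fingerprint of an IdP signing certificate (PEM) and a
# tolerant comparison against the fingerprint an administrator was handed.
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first certificate block in a PEM string."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))

def sha1_fingerprint(pem: str) -> str:
    """SHA1 fingerprint in the colon-separated upper-case form IdPs display."""
    digest = hashlib.sha1(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalise(fp: str) -> str:
    """Drop an optional 'SHA1 Fingerprint=' prefix and all non-hex separators."""
    fp = re.sub(r"(?i)^sha-?1\s*(fingerprint)?\s*[:=]?\s*", "", fp.strip())
    return re.sub(r"[^0-9a-fA-F]", "", fp).lower()

def fingerprint_matches(pem: str, expected: str) -> bool:
    """True only when the certificate's SHA1 fingerprint equals 'expected'."""
    want = normalise(expected)
    got = normalise(sha1_fingerprint(pem))
    # A value that is not 40 hex digits is not a SHA1 fingerprint at all.
    return len(want) == 40 and hmac.compare_digest(got, want)

# Constructed stand-in for the IdP's DER certificate (not a real certificate).
CONSTRUCTED_DER = b"constructed DER bytes standing in for an IdP certificate"
CONSTRUCTED_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(CONSTRUCTED_DER).decode()
                   + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print("SHA1 fingerprint:", sha1_fingerprint(CONSTRUCTED_PEM))
```

A mismatch usually means the IdP has rotated its signing certificate or you copied the fingerprint of a different certificate; re-export the current IdP metadata and update the value in Employee Access before users are locked out.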