This guide explains how to set up OneLogin Single Sign-On (SSO) so your users can access Emtrain with their existing login credentials, rather than a separate login process.
Requirements
These are the requirements for using the OneLogin/Emtrain SSO integration:
- An active Emtrain account.
- A unique email address for every user.
- An active OneLogin account.
- A valid email address for all users of OneLogin.
- The API key for your account. Obtain your API key by navigating to Site Config from the Manage menu. Select the Integrations tab and then the option to Enable SSO.
Each of your users’ email addresses in Emtrain must match their primary email address in OneLogin.
The SSO integration uses the SAML 2.0 protocol. Setup consists of creating a custom SAML connector in OneLogin, then copying the SAML endpoint and X.509 certificate generated for that connector into the SSO configuration form on the Emtrain account.
Once you save the integration, username and password authentication will be disabled on your Emtrain account. This means that when you or your team members go to access your Emtrain account, you'll be redirected to complete the SSO authentication process instead of entering a username and password.
This change happens immediately after you complete the integration setup, so make sure your team is prepared for the new login process.
Creating the Custom SAML Connector
- In the Administration section of your OneLogin account, open the Applications menu in the top nav bar and select Applications.
- Select the Add App button.
- In the Find Applications section, search for SAML Test Connector. Select the SAML Test Connector (Advanced) item to start creating the SSO application.
- Enter Emtrain in the Display Name field. This is the name that is displayed in your learner’s OneLogin portal.
- Upload an Emtrain logo for the Rectangular Icon and/or Square Icon.
- Select the Save button.
Configuration
In the Configuration section, enter the following URLs into the corresponding text fields. To create the URLs for your account, replace the example subdomain (“yourcompany”) with your account’s subdomain in all 4 example URLs below. Additionally, replace the example API_KEY value (shown as all zeros here) in the ACS URL and ACS URL Validator with your account’s API key.
- ACS (Consumer) URL:
  https://yourcompany.ai-api.emtrain.com/authentication/saml?API_KEY=00000000000000000000000000000000
- ACS (Consumer) URL Validator:
  https://yourcompany.ai-api.emtrain.com/authentication/saml?API_KEY=00000000000000000000000000000000
  For more information on the ACS (Consumer) URL Validator, refer to this OneLogin support article.
- RelayState:
  https://yourcompany.app.emtrain.com/saml
- Audience (EntityID):
  https://yourcompany.app.emtrain.com
Leave all other settings in this section set to the default values or blank.
Parameters
- For the Parameters section, create the following 4 custom SAML fields. Note: The field names are case-sensitive.
  - Name: API_KEY
    Value: Select -Macro-, then paste your account’s API key into the text field.
    Include in SAML assertion: Yes
  - Name: Email
    Value: Select Email from the list of available fields.
    Include in SAML assertion: Yes
  - Name: FirstName
    Value: Select First Name from the list of available fields.
    Include in SAML assertion: Yes
  - Name: LastName
    Value: Select Last Name from the list of available fields.
    Include in SAML assertion: Yes
- Select the + icon to create a new custom SAML field.
- In the New Field dialog box, enter the name of the SAML field in the Field Name field. Check the Include in SAML assertion checkbox. Select the Save button to create the field.
- In the Edit Field dialog box, select the Value menu, and select the corresponding value for the field.
  Note: The API_KEY field will require you to enter your account’s API key in a second text field after selecting the -Macro- option. The other 3 custom SAML fields are standard OneLogin user fields.
- When completed, the Parameters section should appear as shown below. Select the Save button.
SSO
The SSO section of your SAML Custom Connector contains some information that you or your Emtrain account administrator will need to enable SSO on the Emtrain account.
- Copy the SAML 2.0 endpoint (HTTP) URL.
- Copy the X.509 Certificate by selecting the View Details link beneath the X.509 Certificate section and selecting the Copy to Clipboard button located next to the certificate.
Enabling SSO in Your Emtrain Account
For the next steps, log in to your Emtrain AI account as an Account Administrator user and navigate to Site Config via the Manage menu.
- Select the Integrations tab.
- In the Single Sign On (SSO) section, check the Enable SSO box, then select OneLogin as the SSO provider.
- Paste the contents of the certificate in the Certificate text field.
  Note: Include only the certificate values. Do not include the “Begin” and “End” content: ---BEGIN CERTIFICATE--- and ---END CERTIFICATE---
- Paste the SAML 2.0 Endpoint value into the SSO Entry Point text field.
- Optionally, if you wish to redirect your users to a specific URL when they log out of Emtrain, enter that URL in the SSO Logout Redirect URL text field. If this field is left blank, users will be redirected to an Emtrain Logged Out page upon logging out.
- Select the Save button to finalize the integration.
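One way to prepare the value for the Certificate text field, shown as an added example that is not part of Emtrain's or OneLogin's tooling: it strips the BEGIN/END lines, rejects anything that is not a single certificate block, and returns a SHA-256 fingerprint you can compare with one shown by your identity provider. The function names and the sample bytes are assumptions made for this illustration.

```python
import base64
import hashlib
import re

# Standard PEM armor uses five dashes on each side of the label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

# Constructed placeholder bytes shaped like a DER SEQUENCE; not a real certificate.
SAMPLE_DER = bytes([0x30, 0x0C]) + b"not-a-cert!!"


def to_pem(der, label="CERTIFICATE"):
    """Wrap DER bytes in PEM armor (used here only to build sample input)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def certificate_field_value(pem_text):
    """Return (base64_body, sha256_fingerprint) for a single PEM certificate.

    Raises ValueError for zero or several PEM blocks, for a non-certificate
    block such as a private key, and for data that is not valid base64 DER.
    """
    blocks = PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one PEM block, found {len(blocks)}")
    label, inner = blocks[0]
    if label != "CERTIFICATE":
        raise ValueError(f"refusing to use a {label} block in a certificate field")
    body = "".join(inner.split())                # drop line breaks and spaces
    der = base64.b64decode(body, validate=True)  # ValueError on stray characters
    if not der or der[0] != 0x30:                # DER certificates start with SEQUENCE
        raise ValueError("decoded data is not a DER SEQUENCE")
    digest = hashlib.sha256(der).hexdigest().upper()
    fingerprint = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return body, fingerprint


if __name__ == "__main__":
    body, fingerprint = certificate_field_value(to_pem(SAMPLE_DER))
    print("Paste into the Certificate field:", body)
    print("SHA-256 fingerprint:", fingerprint)
```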
We offer Just-in-Time (JIT) provisioning, which works with SSO. This enables automatic user profile creation the first time a user logs into Emtrain via SSO. Learn about Just-in-Time Provisioning with SSO.
Testing SSO
- In OneLogin, add the application to the test user(s).
- In Emtrain, create user(s) with the same email address as the test user(s). The email address is used as the identifier to match the email address on the SAML assertion to a user on the Emtrain account and must match in both platforms.
- The test user should select the application tile in their OneLogin portal and verify that they are logged in to Emtrain as their test user.
- The test user should open a new Incognito/private browsing session and visit the Emtrain account login URL. The user should be redirected to the SAML 2.0 Endpoint URL and prompted to log in to their OneLogin account. The login form should state Connecting to Emtrain above the Username text field.
- After logging into OneLogin, the user should be redirected to their Emtrain learner profile.
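If a test login fails, the assertion can be checked against the Parameters and Configuration sections above. The following is an added example, not Emtrain or OneLogin code: it takes the base64 SAMLResponse value posted to the ACS URL and reports missing or wrongly cased field names and an Audience mismatch. The function names and the sample response are constructed for this illustration, and the check does not verify the signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Field names from the Parameters section; they are case-sensitive.
REQUIRED = ("API_KEY", "Email", "FirstName", "LastName")


def check_assertion(saml_response_b64, expected_audience):
    """Return a list of problems in a base64-encoded SAML response.

    Checks shape only (attribute names, audience). It never reads attribute
    values, so the API key is not echoed. Run it only on responses from
    your own identity provider.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    names = [a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)]
    problems = []
    for required in REQUIRED:
        if required in names:
            continue
        near = [n for n in names if n and n.lower() == required.lower()]
        problems.append(f"{required}: found as {near[0]!r} (wrong case)"
                        if near else f"{required}: missing")
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        problems.append(f"Audience: expected {expected_audience!r}, got {audiences}")
    return problems


def build_sample(attr_names, audience):
    """Constructed sample response (unsigned, placeholder values) for the demo."""
    attrs = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>x</saml:AttributeValue>'
        f"</saml:Attribute>" for n in attr_names)
    xml = (f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           f'xmlns:saml="{NS["saml"]}"><saml:Assertion><saml:Conditions>'
           f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
           f"</saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>"
           f"{attrs}</saml:AttributeStatement></saml:Assertion></samlp:Response>")
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    aud = "https://yourcompany.app.emtrain.com"
    bad = build_sample(["API_KEY", "email", "FirstName"], aud + "/")
    for line in check_assertion(bad, aud):
        print(line)
```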
How Users Log into Emtrain
Be sure to assign the Emtrain app to all users via OneLogin. We recommend working with your IT team to assign access just before you deploy training (for example, fewer than 12 hours prior) to prevent users from exploring Emtrain too soon.
As long as users are signed into your SSO, they can access Emtrain:
- Through the Emtrain tile in your Single Sign-On access panel.
- Via links in notification emails.
- From your account URL.
If a user isn’t yet signed into SSO, they’ll be redirected to your SSO login.