Configure SSO JIT Provisioning on OneLogin


OneLogin configuration

  1. In OneLogin, in the Applications tab, add your app.

  2. In the Users tab, add relevant users (previously configured).

  3. In the CloudGuard portal, navigate to the Roles page in the Settings menu.

  4. Create a new role.

  5. In OneLogin, navigate to Users -> Roles.

  6. Create a new role, with the same name as the role created in CloudGuard above.

  7. Edit the new role.

  8. Create a new app SAML Test Connector (IdP).

  9. Select Apps in the menu, and click Add App.

  10. Search for the newly created app (SAML Test Connector (IdP)).

  11. Set the name and click Save.

  12. In the Configuration tab, set the following:

  13. In the Parameters tab, click Add parameter.

  14. In the name field, enter memberOf (or another name).

  15. Click Save.

  16. Navigate to the Security & Authentication page in the Settings menu.

  17. In the SSO section, click Enabled.

  18. Enter these details for the SSO configuration:

    • "Account ID" - enter the Value that you entered instead of "Name-up-select"

    • "Issuer" - enter the "Issuer URL" from OneLogin.

    • "Idp endpoint url" - enter the Identity Provider Single Sign-On URL from OneLogin.

    • "X.509 Certificate" - enter the X.509 Certificate from OneLogin.

  19. Select the Just-in-time provisioning for the account option.

  20. In Attribute name in SAML for just-in-time role, enter the parameter name that you used instead of memberOf above (step 14).

  21. Click Save.

  22. Navigate to the Roles page in the Settings menu.

  23. Create a role with the same name as the name of the Role that you created in OneLogin.

  24. If the email address of the OneLogin user is already known in CloudGuard, add another user in OneLogin with the role from the previous step.

    Note - JIT provisioning creates a user who does NOT yet exist in CloudGuard but belongs to a CloudGuard SSO account.
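To check the mapping that steps 14, 20, 23 and the note above rely on, here is an added example (not CloudGuard or OneLogin code) that parses a constructed, unsigned SAML assertion, reads the configured JIT attribute, and decides whether a login would be provisioned into a CloudGuard role. The attribute name `memberOf`, the role name `CloudGuard-Auditors`, the exact-match rule for role names and the sample user are assumptions for the illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (unsigned, trimmed): what the IdP would send once
# the custom "memberOf" parameter from step 14 carries the user's OneLogin roles.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>new.user@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>CloudGuard-Auditors</saml:AttributeValue>
      <saml:AttributeValue>Unrelated-Group</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(assertion_xml, attr_name):
    """Return (subject_email, values) for the attribute named in step 20."""
    root = ET.fromstring(assertion_xml)
    subject = root.find(".//saml:Subject/saml:NameID", SAML_NS)
    email = subject.text.strip() if subject is not None and subject.text else None
    values = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == attr_name:  # attribute name must match the SP setting
            values += [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text]
    return email, values


def resolve_jit(assertion_xml, attr_name, cloudguard_roles, existing_users):
    """Model what JIT provisioning does for one login.

    Assumes the assertion signature was already verified against the X.509
    certificate entered in step 18; only the role mapping is modelled here.
    """
    email, groups = parse_assertion(assertion_xml, attr_name)
    if email is None:
        return "rejected_no_subject", []
    if email in existing_users:
        # Note after step 24: JIT only creates users unknown to CloudGuard.
        return "skipped_existing_user", []
    # Step 23: the OneLogin role name must equal the CloudGuard role name (assumed exact match).
    matched = [g for g in groups if g in cloudguard_roles]
    if not matched:
        return "rejected_no_matching_role", []
    return "provisioned", matched


if __name__ == "__main__":
    print(resolve_jit(SAMPLE_ASSERTION, "memberOf", {"CloudGuard-Auditors"}, set()))
```

A mismatch in attribute name (step 20) or in role name case (step 23) both surface as `rejected_no_matching_role`, which is the usual reason a JIT login lands without a role.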