OneLogin

Prerequisites

  • Administrator access to the Harmony SASE Administrator Portal.

  • An administrator account for the Identity Provider (OneLogin) Management Portal.

High-Level Procedure

Step 1 - Configure the OneLogin Management Portal

  1. Log in to the OneLogin Management Portal. If you do not have an account, create one.

  2. Go to Applications > Applications.

  3. Select Add App.

  4. Search for saml test, and select SAML Test Connector (IdP).

  5. Change the Display Name to Harmony SASE and click Save.

  6. Go to the SSO tab, and copy these values:

    • SAML 2.0 Endpoint (HTTP) - Use this value in the Sign in URL field when you configure the Harmony SASE Administrator Portal (Step 2).

    • SLO Endpoint (HTTP).

  7. Select the View Details link next to the X.509 Certificate field.

  8. Download the X.509 certificate (onelogin.pem). You upload this file to the Harmony SASE Administrator Portal in Step 2.

  9. Go to the Configuration tab.

  10. Enter these values into the appropriate fields:

    • Audience:
      • US-based platform: urn:auth0:perimeter81:{{WORKSPACE}}-oc

      • EU-based platform: urn:auth0:eu-sase-checkpoint:{{WORKSPACE}}-oc

      • AU-based platform: urn:auth0:au-sase-checkpoint:{{WORKSPACE}}-oc

      • IN-based platform: urn:auth0:in-sase-checkpoint:{{WORKSPACE}}-oc


      For example, the workspace acme.perimeter81.com translates to urn:auth0:perimeter81:acme-oc, and {{WORKSPACE}} must be replaced by acme in every value below.

    • Recipient:

      • US-based platform: https://auth.perimeter81.com/login/callback?connection={{WORKSPACE}}-oc

      • EU-based platform: https://auth.eu.sase.checkpoint.com/login/callback?connection={{WORKSPACE}}-oc

      • AU-based platform: https://auth.au.sase.checkpoint.com/login/callback?connection={{WORKSPACE}}-oc

      • IN-based platform: https://auth.in.sase.checkpoint.com/login/callback?connection={{WORKSPACE}}-oc

    • ACS (Consumer) URL:

      • US-based platform: https://auth.perimeter81.com/login/callback?connection={{WORKSPACE}}-oc

      • EU-based platform: https://auth.eu.sase.checkpoint.com/login/callback?connection={{WORKSPACE}}-oc

      • AU-based platform: https://auth.au.sase.checkpoint.com/login/callback?connection={{WORKSPACE}}-oc

      • IN-based platform: https://auth.in.sase.checkpoint.com/login/callback?connection={{WORKSPACE}}-oc

    • ACS (Consumer) URL Validator:

      • US-based platform: https://auth.perimeter81.com/login/callback?connection={{WORKSPACE}}-oc

      • EU-based platform: https://auth.eu.sase.checkpoint.com/login/callback?connection={{WORKSPACE}}-oc

      • AU-based platform: https://auth.au.sase.checkpoint.com/login/callback?connection={{WORKSPACE}}-oc

      • IN-based platform: https://auth.in.sase.checkpoint.com/login/callback?connection={{WORKSPACE}}-oc

  11. On the Parameters tab, select the + sign to Add Parameter.

  12. In the popup, enter a name for the new custom attribute in the Field name text box, select the Include in SAML assertion check box, and click Save.

  13. The new attribute you created is displayed. Select the Value field, which is currently displaying - No default.

  14. Change the No default value to Macro.

  15. Create these three parameters (repeat steps 11 to 14 for each one), with these values:

    Field Name     Macro Text Box Value   SAML Assertion Flag
    email          {email}                Checked
    given_name     {firstname}            Checked
    family_name    {lastname}             Checked

  16. Click Save.
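The values in item 10 and the attributes in item 15 are what OneLogin must emit in the SAML Response for Harmony SASE to accept it. The following script is an added example (not Check Point's or OneLogin's code) that derives the expected Audience, Recipient and ACS URL for a workspace and region from the templates above, and checks a captured SAML Response against them and against the three required attributes. The embedded response is a constructed, unsigned sample for the acme workspace on the US platform; a real response from OneLogin is signed, and that signature is verified by Harmony SASE with the certificate uploaded in Step 2, not by this script.

```python
"""Check a OneLogin SAML Response against the Harmony SASE values from Step 1.

Added example, not Check Point's or OneLogin's code. The templates below are
copied from the procedure above; SAMPLE_RESPONSE is a constructed, unsigned
sample and not real traffic.
"""
import base64
import xml.etree.ElementTree as ET  # for untrusted input, prefer defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Region -> (Audience prefix, callback host), from Step 1, item 10.
REGIONS = {
    "US": ("urn:auth0:perimeter81", "auth.perimeter81.com"),
    "EU": ("urn:auth0:eu-sase-checkpoint", "auth.eu.sase.checkpoint.com"),
    "AU": ("urn:auth0:au-sase-checkpoint", "auth.au.sase.checkpoint.com"),
    "IN": ("urn:auth0:in-sase-checkpoint", "auth.in.sase.checkpoint.com"),
}

REQUIRED_ATTRS = ("email", "given_name", "family_name")  # Step 1, item 15


def expected_values(workspace: str, region: str = "US") -> dict:
    """Return the Audience / Recipient / ACS URL values for a workspace."""
    prefix, host = REGIONS[region.upper()]
    connection = f"{workspace}-oc"
    acs = f"https://{host}/login/callback?connection={connection}"
    return {
        "audience": f"{prefix}:{connection}",
        "recipient": acs,
        "acs_url": acs,
        "acs_url_validator": acs,
    }


def check_response(saml_response_b64: str, workspace: str, region: str = "US") -> list:
    """Return a list of problems found in a base64 SAMLResponse (empty = OK).

    Checks the fields this guide configures: Destination (ACS URL),
    SubjectConfirmationData/@Recipient, AudienceRestriction/Audience and the
    three attributes from the Parameters tab. The XML signature is not checked.
    """
    want = expected_values(workspace, region)
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []

    dest = root.get("Destination")
    if dest != want["acs_url"]:
        problems.append(f"Destination {dest!r} != ACS URL {want['acs_url']!r}")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]

    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != want["recipient"]:
        problems.append(f"Recipient {recipient!r} != {want['recipient']!r}")

    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if want["audience"] not in audiences:
        problems.append(f"Audience {audiences!r} lacks {want['audience']!r}")

    present = {a.get("Name") for a in assertion.findall(
        "saml:AttributeStatement/saml:Attribute", NS)}
    for name in REQUIRED_ATTRS:
        if name not in present:
            problems.append(f"missing attribute {name!r}")
    return problems


# Constructed sample of what OneLogin sends for the acme workspace on the US
# platform once Step 1 is complete (signature omitted; not real traffic).
SAMPLE_RESPONSE = base64.b64encode(b"""<samlp:Response
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  Destination="https://auth.perimeter81.com/login/callback?connection=acme-oc">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID>jane@acme.example</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData
          Recipient="https://auth.perimeter81.com/login/callback?connection=acme-oc"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>urn:auth0:perimeter81:acme-oc</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>jane@acme.example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="given_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="family_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""").decode()

if __name__ == "__main__":
    print(expected_values("acme"))
    print(check_response(SAMPLE_RESPONSE, "acme") or "OK")
    # The same response checked against the EU platform: three mismatches.
    print(check_response(SAMPLE_RESPONSE, "acme", "EU"))
```

To check a real login, take the base64 SAMLResponse form field from the POST to the callback URL (visible in the browser developer tools network tab during sign-in) and pass it to check_response with your workspace and region. A Destination, Recipient or Audience mismatch means item 10 was entered for the wrong region or with {{WORKSPACE}} left unreplaced; a missing attribute means the parameter in item 15 was created without the Include in SAML assertion flag.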

Step 2 - Configure the Harmony SASE Administrator Portal

  1. Log in to the Harmony SASE Administrator Portal with an administrator account.

  2. Go to Settings > Identity Providers.

  3. Click Add Provider.

    The Add identity provider pop-up appears.

  4. Select SAML 2.0 Identity Providers and click Continue.

  5. In the Sign in URL field, enter the Identity Provider Sign-in URL from your SAML Identity Provider:

    Identity Provider                               Sign in URL
    Generic SAML                                    Identity Provider Sign in URL
    Active Directory Federation Services (AD FS)    https://{{Your ADFS Domain}}/adfs/ls
    Auth0                                           Auth0 login URL
    OneLogin                                        SAML 2.0 Endpoint (HTTP) value
    PingOne                                         https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid={{idpid}}
    PingFederate                                    https://sso.{{Your PingFederate Domain}}.com/idp/SSO.saml2
    Rippling                                        Rippling IdP Sign-in URL
    JumpCloud                                       JumpCloud IDP URL
    Okta                                            Okta Sign on URL
    Google Applications                             SSO URL

  6. In the Domain Aliases field, enter the business domain names, separated by commas or spaces.

  7. In the X509 Signing Certificate field, enter the X.509 signing certificate for the application from the SAML Identity Provider.

    If you have the signing certificate as a PEM/CERT file (for OneLogin, the onelogin.pem file downloaded in Step 1), click Upload PEM/CERT File and select the file.

  8. Click Done.

Note - After the first successful authentication of a member with SAML, Harmony SASE does this:

  • Assigns the member with the appropriate role.

  • Adds the member to the groups related to the Identity Provider.

  • Applies the relevant configuration profiles to the member.