Introduction
Dozuki sites support single sign-on (SSO) through the SAML 2.0 protocol. Use this guide to set up a SAML2 connection with OneLogin.
Step 1
- Log in to the OneLogin admin portal for your organization.
- If you do not have an internal login page, log in from https://app.onelogin.com/login
- Click on Administration.
- Click on Applications from the Applications list.

Step 2
- Click on Add Application.
- Search for saml.
- Choose SAML Test Connector (Advanced).

Step 3
- Type a display name for your Dozuki site into the Display Name field.
- For customers with a single Dozuki site, we recommend using Dozuki as the display name.
- Click Save.

Step 4
- Open the management console of your Dozuki site in another browser window.
- From the Configuration section in the sidebar menu, select Security.
- Download the SAML `metadata.xml` file.
- Open this file with a text editor.

Step 5
Under the Configuration tab in OneLogin:
- Enter the ACS (Consumer) URL. Refer to the AssertionConsumerService Location value in the SAML `metadata.xml` file.
- Enter the Single Logout URL. Refer to the SingleLogoutService Location value in the SAML `metadata.xml` file.
- Enter the ACS (Consumer) URL Validator setting. This should be formatted with your Dozuki site domain as shown in the image: `^https:\/\/` followed by the Dozuki site domain, followed by `\/.*`. Additionally, add a `\` before every `.` in the domain so that it matches a literal dot.
- Under Login URL, enter the URL of the page on your Dozuki site that you want your users to reach once signed in.

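The two Location values and the validator pattern above can be derived from the downloaded file rather than copied by hand. The following Python script is an added example, not part of this guide or of Dozuki's or OneLogin's software: it parses a constructed SP metadata file (the domain example.dozuki.com and its paths are hypothetical), pulls out the AssertionConsumerService and SingleLogoutService locations, and builds the ACS URL Validator in the form the step describes, escaping every dot in the domain. The last function shows why the escaping matters: with the dots escaped, a look-alike domain no longer satisfies the validator.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed SP metadata shaped like the metadata.xml a Dozuki site exports.
# Hypothetical domain and paths; a real file carries the site's own values.
SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example.dozuki.com/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.dozuki.com/saml/logout"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.dozuki.com/saml/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"


def read_sp_endpoints(metadata_xml):
    """Return the two Location values the OneLogin Configuration tab asks for."""
    root = ET.fromstring(metadata_xml)
    acs = root.find(f".//{MD}AssertionConsumerService")
    slo = root.find(f".//{MD}SingleLogoutService")
    if acs is None or slo is None:
        raise ValueError("metadata lacks AssertionConsumerService or SingleLogoutService")
    return {"acs_url": acs.get("Location"), "slo_url": slo.get("Location")}


def acs_validator_regex(acs_url):
    """Build the ACS (Consumer) URL Validator: ^https:\\/\\/<domain>\\/.*
    Every dot in the domain is backslash-escaped so it matches only a literal dot."""
    host = urlparse(acs_url).hostname
    if not host:
        raise ValueError("ACS URL has no host")
    return r"^https:\/\/" + host.replace(".", r"\.") + r"\/.*"


def validator_accepts(regex, url):
    """True when the URL satisfies the validator pattern (anchored at the start)."""
    return re.match(regex, url) is not None


if __name__ == "__main__":
    endpoints = read_sp_endpoints(SP_METADATA)
    pattern = acs_validator_regex(endpoints["acs_url"])
    print("ACS (Consumer) URL:          ", endpoints["acs_url"])
    print("Single Logout URL:           ", endpoints["slo_url"])
    print("ACS (Consumer) URL Validator:", pattern)
```

Note that the pattern is anchored only at the start, exactly as the step describes it; the `\/.*` tail accepts any path on the site domain, which is what lets the validator cover the ACS endpoint without listing it explicitly.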
Step 6
- Scroll down and set SAML initiator to Service Provider.
- Click Save to save all changes.

Step 7
Under the Parameters tab in OneLogin:
- Click the + button to add SAML Test Connector (Advanced) Fields.
- Enter `email` into the Field Name.
- Under Flags, verify Include in SAML assertion is checked.
- Click the Save button.
- Confirm the Value is set to -No default-.
- Click the Save button to add the field.

Step 8
- Click the + button again to add an additional SAML Test Connector (Advanced) Field.
- Enter `role` into the Field Name.
- Under Flags, verify Include in SAML assertion is checked.
- Click the Save button.
- Confirm the Value is set to -No default-.
- Click the Save button to add the field.

Step 9
- Click the + button to add SAML Test Connector (Advanced) Fields.
- Enter `userid` into the Field Name.
- Under Flags, verify Include in SAML assertion is checked.
- Click the Save button.
- Confirm the Value is set to -No default-.
- Click the Save button to add the field.

Step 10
- Click the + button to add SAML Test Connector (Advanced) Fields.
- Enter `username` into the Field Name.
- Under Flags, verify Include in SAML assertion is checked.
- Click the Save button.
- Confirm the Value is set to -No default-.
- Click the Save button to add the field.

Step 11
- From the page header, click on Users and select Users or Groups from the dropdown list.
- Select the User or Group you want to assign to the application.
- Click the Applications tab.
- Click the + button and add your Dozuki application.

Step 12
- Select the Dozuki application.
- Click the Continue button.
- Fill out the required user fields.
- Only lowercase should be used when filling out the user fields.
- If you are adding a user that has an existing user account on your Dozuki site, the email field must match the Dozuki site user's email. If they do not match, a new user will be created upon logging in.
- Click the Save button to save all entries.
- You can read more about adding and assigning users in OneLogin.

Step 13
- Select Applications from the Applications list in OneLogin.
- Select the Dozuki application.
- Click on the SSO tab.
- Copy the Issuer URL.

Step 14
- Open the management console of your Dozuki site in another browser window.
- From the Configuration section in the sidebar menu, select Security.
- Under the Authentication heading, paste the Issuer URL into the SAML 2.0: Identity Provider ID text field in your Dozuki site.
- Click the Save button to save your changes.

Step 15
- From the OneLogin site, click View Details of the X.509 Certificate.
- Copy the X.509 Certificate.

Step 16
- Open the management console of your Dozuki site.
- Under the Authentication heading of the Dozuki Security page, click on SAML: Identity Provider X.509 Certificate.
- The certificate should be formatted similar to the example shown under the Authentication section.
- Paste the certificate into the text field.
- Click the Save button to save your changes.

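A certificate copied out of a web page often arrives on a single line, with stray spaces, or without its BEGIN/END lines. The helper below is an added example and not Dozuki's or OneLogin's code: it rewrites whatever was copied into the standard PEM form (BEGIN/END armour lines around 64-character rows of base64), which is the shape a certificate text field of this kind expects, and it refuses input that is not valid base64 or whose decoded bytes do not start with the ASN.1 SEQUENCE tag that every DER-encoded X.509 certificate begins with. The sample body is a constructed placeholder, not a real certificate; paste the certificate from OneLogin's View Details page in its place.

```python
import base64
import binascii
import re

# Constructed stand-in for the certificate body copied from OneLogin's
# "View Details" page. NOT a real certificate: it is the base64 of a DER
# SEQUENCE header (tag 0x30, declared length 256) followed by 256 filler
# bytes, which is enough to exercise the structural checks below.
SAMPLE_CERT_BODY = base64.b64encode(b"\x30\x82\x01\x00" + bytes(range(256))).decode()

ARMOUR_RE = re.compile(r"-----(?:BEGIN|END) CERTIFICATE-----")


def normalize_pem_certificate(text):
    """Return the certificate as a PEM block: BEGIN line, 64-char base64 rows, END line.

    Accepts the body with or without armour lines and with any whitespace or
    line breaks. Raises ValueError when the body is empty, not base64, or does
    not decode to something that starts with a DER SEQUENCE.
    """
    body = ARMOUR_RE.sub("", text)
    body = re.sub(r"\s+", "", body)
    if not body:
        raise ValueError("empty certificate")
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("certificate body is not valid base64") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded certificate does not start with an ASN.1 SEQUENCE")
    rows = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(rows) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Simulate a one-line copy with a few stray spaces, then print the PEM form.
    messy = " ".join([SAMPLE_CERT_BODY[:100], SAMPLE_CERT_BODY[100:200], SAMPLE_CERT_BODY[200:]])
    print(normalize_pem_certificate(messy))
```

The helper only checks structure; it does not verify the certificate's signature or validity period. The connection test in the later step is what confirms the certificate actually matches the one OneLogin signs assertions with.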
Step 17
- Click on the SAML: Logout URL heading under Authentication.
- Under the SSO tab in OneLogin, click on the Copy icon next to SLO Endpoint (HTTP).
- Paste the SLO Endpoint into the SAML: Logout URL text field in your Dozuki site.
- Click the Save button to save your changes.

Step 18
- Click on the SAML: Identity provider URL heading under Authentication.
- Under the SSO section in OneLogin, click on the Copy icon next to SAML 2.0 Endpoint.
- Paste the SAML 2.0 Endpoint into the Test a SAML identity provider URL text field in your Dozuki site to test the SSO connection.
- We recommend testing the SAML connection through your Dozuki site before enabling SAML 2.0 as the authentication mechanism. Testing the connection from within Dozuki prevents disruption to your active site and current users.

Step 19
- Once the connection test succeeds, paste the SAML 2.0 Endpoint into the SAML: Identity provider URL field.
- Click the Save button to save your changes.

Step 20
- Click on the Single sign on heading under Authentication.
- Click on the Single Sign On type dropdown menu.
- Select SAML 2 from the dropdown menu.
- Click the Save button to save your changes.

Step 21
- Once SSO is enabled on your Dozuki site, you have the option to add a role attribute prefix. This helps when syncing to third-party IdPs and allows roles to be passed as `dozuki-<role>` (`dozuki-admin`, `dozuki-author`, etc.).
- Dozuki-defined roles (admin, author, user, etc.) cannot be customized.
- Click Edit.
- Add your desired role attribute prefix.
- Click Save.
- Your role attribute prefix will be displayed.

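The four fields configured in the Parameters tab (`email`, `role`, `userid`, `username`) arrive in the SAML assertion's AttributeStatement, and the role attribute prefix from this step decides which `role` values are treated as Dozuki roles. The script below is an added example, not Dozuki's own processing logic: it reads those attributes from a constructed assertion fragment (all values invented; a real assertion is signed and wrapped in a samlp:Response), reports missing fields, flags user fields that are not lowercase as the user-assignment step requires, and keeps only `role` values that carry the configured prefix and name one of the Dozuki-defined roles. The role set below lists only the roles the guide names; the full set is an assumption left open here.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment carrying the four Parameters-tab fields.
# Values are invented. The "role" attribute is multi-valued on purpose: one
# value uses the dozuki- prefix, the other belongs to some other application.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="role">
      <saml:AttributeValue>dozuki-author</saml:AttributeValue>
      <saml:AttributeValue>finance-approver</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="userid">
      <saml:AttributeValue>10042</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="username">
      <saml:AttributeValue>Jane.Doe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# The fields added in the Parameters tab.
REQUIRED_FIELDS = ("email", "role", "userid", "username")
# Roles the guide names as fixed; the guide's "etc." means this set is an assumption.
DOZUKI_ROLES = frozenset({"admin", "author", "user"})


def read_attributes(assertion_xml):
    """Map each Attribute Name to its list of AttributeValue strings."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def missing_fields(attrs):
    """Names of Parameters-tab fields that are absent or empty in the assertion."""
    return [f for f in REQUIRED_FIELDS if not attrs.get(f) or not attrs[f][0]]


def non_lowercase_fields(attrs):
    """User fields whose value is not all lowercase (the guide asks for lowercase only)."""
    return [f for f in ("email", "username") for v in attrs.get(f, []) if v != v.lower()]


def resolve_roles(role_values, prefix):
    """Strip the configured prefix and keep only values naming a Dozuki-defined role.

    Values without the prefix (other applications' groups) and prefixed values
    that are not a known role are ignored rather than mapped to anything.
    """
    resolved = []
    for value in role_values:
        if not value.startswith(prefix):
            continue
        role = value[len(prefix):]
        if role in DOZUKI_ROLES:
            resolved.append(role)
    return resolved


if __name__ == "__main__":
    attrs = read_attributes(SAMPLE_ASSERTION)
    print("missing:", missing_fields(attrs))
    print("not lowercase:", non_lowercase_fields(attrs))
    print("dozuki roles:", resolve_roles(attrs.get("role", []), "dozuki-"))
```

With an empty prefix, `dozuki-author` no longer resolves to anything, which is why the prefix configured on the Dozuki side must match the one used when the IdP emits the `role` values.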
Step 22
- Once Single Sign On is enabled, SSO auth for signoffs & approvals appears in the Authentication section of the Security settings.
- This feature allows users to enter their SSO authentication for Signoffs and Approvals instead of a separate Dozuki password.
- SSO auth for signoffs & approvals is enabled by default when you enable SSO authentication.
- Only disable SSO authentication for signoffs & approvals if you want your users to enter a separate Dozuki password for signoffs and approvals.