Some CentreStack tenants may already be using OneLogin and wish to use their OneLogin credentials for single sign-on to CentreStack. This article describes how a CentreStack tenant can be federated with OneLogin such that OneLogin is the Security Assertion Markup Language (SAML) Identity Provider (IdP) and CentreStack will be the SAML Service Provider (SP) (aka Relying Party (RP)).
- Sign into the CentreStack server's management portal as a cluster or tenant administrator.
- Click on the CentreStack tenant to be associated with OneLogin. Click on Group Policy:
- Click Accounts & Login:
- Click Single Sign-On:
- Enable the check box in the Enable SAML Authentication section. Select the text under the Access service provider meta data using the following link, and copy the URL text to the clipboard:
In this example the service provider metadata URL was: https://cstackjjr.hadroncloud.com/portal/saml2.aspx?sso=522pl7jg
- Paste the service provider metadata URL into a text editor. In a later step in this document, OneLogin will refer to the first part of this URL as CentreStack Domain. This first portion of the example URL is shown selected below:
The last part of this URL OneLogin refers to as CentreStack SSO ID. The last portion of the example URL is shown selected below:
You may want to update the text in your editor similar to the screenshot below, to be clear about these OneLogin fields:
Save the text in the text editor to a file. It will be used later when configuring OneLogin.
- Continuing the CentreStack Single Sign On settings, disable the Add SSO link to login page:
- The Force SAML login for AD users is typically disabled (this is an advanced setting and outside the scope of this document):
- You may want to have some descriptive text for the Display text for SSO link:
- You may want to enable the Create User when User Doesn't Exist setting. This useful for auto-provisioning new users in CentreStack:
- Set the SSO Provider to other:
- Leave the CentreStack portal page open as there will be Azure AD settings that will need to be configured in this page.
- In another browser tab sign into onelogin.com as an administrator
- Click Applications:
- Search for CentreStack, a pre-defined application in OneLogin, then click on the app:
- The app configuration will be displayed:
- Update the Display Name, icons and Description as you see fit then click the Save button in the upper right:
- Click on the Configuration node, the Application details will be displayed:
- Use the values described in step 6 above for the CentreStack Domain and CentreStack SSO ID. For example:
Then click the Save button in the upper right.
- The application is already configured for the Parameters (SAML assertion properties) required by CentreStack:
- Click on the SSO node, then copy the SAML 2.0 Endpoint (HTTP) to the clipboard:
- Back in the CentreStack Single Sign-on UI, paste the SAML 2.0 Endpoint (HTTP) into the IdP End Point URL
- Set the IdP Email Parameter to Email:
- Set the IdP Given Name Parameter to First Name:
- Set the IdP Surname Parameter to Last Name:
- Back in the OneLogin UI, click on the SSO node, then copy the Issuer URL to the clipboard:
- Paste this URL into the address bar of the browser and navigate to the site. A metadata XML document will be downloaded.
- Open the downloaded metadata XML document in a text editor. Select all of the text and copy it to the clipboard:
- Back in the CentreStack cluster manager UI, paste the XML metadata into the IdP Meta Data text box:
- There are two methods to sign into CentreStack. The first is Identity Provider (IdP) initiated.
- In a web browser, navigate to the OneLogin Applications URL for your tenant (in our example, https://gladinet-dev.onelogin.com/apps .
- The application you created will be listed. Click on the application and you should be redirected to your CentreStack web site:
- If you watch the address bar you will see some redirects but eventually you should be signed into the correct tenant in the CentreStack portal without being prompted for credentials.
- The second method is Relying Party (RP) initiated.
- Navigate to the first URL displayed in the CentreStack Single Sign On settings page:
- You will see some redirects if you watch the address bar, including the URL of your OneLogin tenant. If you are using the same browser, you won't be prompted for credentials because your browser already has the token from the previous sign in to OneLogin. You should see the CentreStack portal page.
Install the Windows client as usual, that is, first sign into the web portal using the OneLogin application (IdP initiated sign on), then download the CentreStack Windows client software. After installation, the Windows client will use the security token from the web browser to sign the user in the first time. If the Windows Client signs out or the token expires, the Windows Client will display the OneLogin sign in:
See this article: Troubleshooting SAML single sign on