Setting up OneLogin in Therefore
How do I configure an OIDC application to be used with Therefore™?
1. Before OneLogin can be set up inside Therefore™, a new application needs to be created in the OneLogin Administration portal.
2. Add a new Application.
3. Search for the “OpenId Connect” application from OneLogin and select it.
4. The application can now be renamed to “Therefore” to make it clear what this OIDC application is used for.
5. Optionally, images and a description can be added. Click ‘Save’ when done.
Once the application has been saved, the ‘Configuration’ section allows you to specify the redirect URLs needed by Therefore. Please be aware that they are case sensitive.
For On-Premise (single tenant), the URLs need to follow this pattern:
The first URL is needed for the Therefore™ installed Client and is just a placeholder, as the redirect is not actually executed. The second URL is needed for the Therefore™ Classic Web Client. The third URL is for the Therefore™ Dynamic Web View. The URLs need to be adjusted to match your tenant + TFO-Domain, or on-premise URL.
6. The ‘Parameters’ section will already hold a ‘Groups’ field, but it has to be adjusted to return roles instead of groups.
7. The default value has to be changed to “User Roles” with “Semicolon Delimited input (Multi-value output)”. If this is set up correctly, Therefore™ will get the user roles directly from the authentication, without the need for additional API requests.
8. In the SSO section, the ‘Application Type’ and ‘Authentication Method’ can both be left on their defaults, “Web” and “Basic”. The Client ID will be needed in the next step when configuring the external directory provider in Therefore™.
9. To grant users access to this new application, go to the ‘Access’ section and apply a role. All users with this role will be able to use this application. Alternatively, access can be granted per user, not through the ‘Users’ section of the application but through the Users menu entry, by editing a user’s applications.
10. On the ‘Applications’ menu entry, your new application will be displayed, together with the number of users that are allowed to use it.
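To check the ‘Groups’ parameter mapping from steps 6 and 7, you can inspect an ID token issued for a test user and confirm that it carries role names. The following is an added example, not code from Therefore™ or OneLogin; it assumes the claim is named `groups` and arrives either as a JSON array or as a semicolon-delimited string, and the helper names and sample token are constructed for illustration.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def roles_from_id_token(id_token: str, claim: str = "groups") -> list:
    """Return the role names carried in `claim` (claim name is an assumption).

    Inspection only: the signature is NOT verified here, so use this to check
    the OneLogin parameter mapping, never to authenticate a user.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three segments")
    payload = json.loads(b64url_decode(parts[1]))
    if claim not in payload:
        raise ValueError(f"claim {claim!r} is missing from the ID token")
    value = payload[claim]
    if isinstance(value, str):  # single string: split on the delimiter
        value = value.split(";")
    if not isinstance(value, list):
        raise ValueError(f"claim {claim!r} has unexpected type {type(value).__name__}")
    roles = [v.strip() for v in value if isinstance(v, str) and v.strip()]
    if not roles:
        raise ValueError(f"claim {claim!r} is present but carries no roles")
    return roles


def make_sample_token(claims: dict) -> str:
    # Constructed, unsigned sample token so the example runs offline.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc({"alg": "RS256", "typ": "JWT"})
    return f"{header}.{enc(claims)}.constructed-signature"


# Constructed claims; the role names are placeholders, not from OneLogin.
SAMPLE = make_sample_token({"sub": "1001", "groups": ["Therefore Users", "Therefore Admins"]})

if __name__ == "__main__":
    print(roles_from_id_token(SAMPLE))
```

An error about a missing or empty claim points back to the ‘Parameters’ section of the OneLogin application, or to a test user with no roles assigned.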
How do I create API credentials in OneLogin to be used with Therefore™?
1. Therefore™ requires API access for querying user and role information from OneLogin. Go to the OneLogin administration portal under Developers > API Credentials and click on ‘New Credential’. Selecting ‘Read users’ is sufficient for Therefore™.
2. Once you click ‘Save’, the Client ID and Client Secret will be generated and displayed. Both values need to be specified when configuring OneLogin in Therefore™.
How do I add OneLogin directory in the Therefore™ Designer?
1. Go to External User Directories and add a new OneLogin directory.
2. Under the 'Add' button, select 'OneLogin'.
Domain: Your OneLogin domain (e.g. therefore.onelogin.com)
Therefore™ Client ID: The Client ID of your OIDC application that was configured in the first step.
API Settings – Domain: The API URL varies by region, depending on where your OneLogin account resides.
API Settings – Client ID / Client Secret: Client ID / Client Secret from the API Credentials configured in the second step.
How do I implement Connection Settings for Therefore™ Installed Client?