OneLogin

Updated March 10, 2024

Overview

The setup of OneLogin is relatively straightforward. The overall process is as follows:

  1. Create your company account at PrevailHQ. The user that does this will be the administrator of the account and can perform the actions needed here.
  2. Ensure PrevailHQ staff has configured your account to enable SAML. Open a ticket at support@prevailhq.com if this has not been discussed and completed.
  3. Follow the setup instructions in this document.
  4. Your users should now be able to enter PrevailHQ from your portal.

1. OneLogin Application Setup

Create a new application using the "SAML Test Connector (Advanced)" application template.

Give the application a name like "PrevailHQ" and click save.


2. Application Configuration

Once created, click on Configuration and fill in the following values obtained from the SAML Integration page within PrevailHQ:

OneLogin Field Name             PrevailHQ Field Name
Audience (Entity ID)            Entity ID
ACS (Consumer) URL Validator    Reply URL
ACS (Consumer) URL              Reply URL
Single Logout URL               Sign out URL
Login URL                       Sign on URL

Example:


3. Parameters

To have complete profiles in PrevailHQ, parameters need to be configured in your OneLogin application. The following describes what is needed. Click on "Parameters" in OneLogin.

Example configuration:

Note that OneLogin supports simple named parameters, but PrevailHQ requires a fully namespaced "claim". Copy the desired claim names from PrevailHQ's SAML Integration page. When creating each parameter, ensure that "Include in SAML assertion" is checked; otherwise the value will not be sent to PrevailHQ.


4. PrevailHQ Setup

Copy the following information from the "SSO" section in OneLogin and paste it into the "SAML IdP Information" section in PrevailHQ:

Thumbprint & Cert: From the SSO section, click on "View Details" under the X.509 Certificate. Copy the Fingerprint value into the Thumbprint field in PrevailHQ. Copy the X.509 Certificate into the Certificate field in PrevailHQ.

OneLogin Field Name           PrevailHQ Field Name
SAML 2.0 Endpoint (HTTP)      Tenant ID (the GUID at the end of the endpoint URL; see below)
SAML 2.0 Endpoint (HTTP)      Login URL
SLO Endpoint (HTTP)           Logout URL

For the Tenant ID, copy the GUID out of the SAML 2.0 Endpoint (HTTP) URL. For example, with an endpoint of https://appname.onelogin.com/trust/saml2/http-post/sso/[abce-4c75-481d-ae7a-4d1bd5662b], the Tenant ID is abce-4c75-481d-ae7a-4d1bd5662b.
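As an added check covering the Parameters and PrevailHQ Setup sections (example code, not part of the OneLogin or PrevailHQ documentation): the claim names below are assumed standard WS-Federation URIs standing in for the ones listed on PrevailHQ's SAML Integration page, and the assertion is a constructed sample. It flags claims that were added as simple parameter names or left out of the assertion, and extracts the Tenant ID GUID from the SAML 2.0 Endpoint URL.

```python
import re
import xml.etree.ElementTree as ET

# Assumed claim names for illustration: PrevailHQ's real names come from its
# SAML Integration page. These are the standard WS-Federation claim URIs.
REQUIRED_CLAIMS = [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
]

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real OneLogin response). "givenname" was
# added as a simple parameter name instead of a namespaced claim, and "surname"
# was created without "Include in SAML assertion", so it never arrives.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jane@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="givenname">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def assertion_attributes(xml_text):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    # xml.etree is fine for this constructed sample; a real response should be
    # parsed and signature-checked by the SAML library the service provider uses.
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs

def missing_claims(xml_text, required=REQUIRED_CLAIMS):
    """Required claims the assertion does not carry under their namespaced name."""
    present = assertion_attributes(xml_text)
    return [claim for claim in required if claim not in present]

def tenant_id_from_sso_url(url):
    """Extract the GUID at the end of a OneLogin SAML 2.0 Endpoint (HTTP) URL."""
    m = re.fullmatch(r"https://[^/]+/trust/saml2/http-post/sso/([0-9a-f-]+)", url)
    if not m:
        raise ValueError("not a OneLogin SAML 2.0 HTTP-POST endpoint URL")
    return m.group(1)
```

Run `missing_claims()` over the assertion captured from a test login (e.g. with a browser SAML tracer) to confirm every parameter reached PrevailHQ under its namespaced name before rolling out to users.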

5. PrevailHQ Role Mapping

To assign users to the proper security level, Security Groups are mapped to Roles in PrevailHQ. This is done by setting the OneLogin Group name on the Role in PrevailHQ. Do this by opening the drop-down under your name in the upper right corner and choosing Roles.

Find the Role you wish to map and click Edit. Paste the Object ID into the "Mapped To" field:

It is recommended that you test with at least one user of each role type to confirm that the role assigned in PrevailHQ is the one expected.