SSO with OneLogin
Configure single sign-on (SSO) with OneLogin as an identity provider.
Prerequisites
Before you start, do the following:
- Submit a ticket to SAP LeanIX Support to request setting up SSO for your organization. If you're an SAP customer, submit a request from the SAP for Me portal.
- Learn about the SSO configuration process in SSO Configuration Process.
For more information about configuring SSO with OneLogin, visit the OneLogin website.
Step 1: Create a SAML Application
Follow these steps:
-
In the OneLogin admin dashboard, in the Applications section, click Add App.
Adding an Application in OneLogin
-
On the page that appears, search for and select SAML Custom Connector (Advanced).
Searching for SAML Custom Connector (Advanced)
-
Enter a name for your application and adjust other settings as needed.
Entering Basic Details for a SAML Application
Step 2: Configure SAML Settings
In the Configuration section of the application settings, enter the following:
- Audience (EntityID):
https://{SUBDOMAIN}.leanix.net/Shibboleth.sso - Recipient:
https://{SUBDOMAIN}.leanix.net/Shibboleth.sso/SAML2/POST - ACS (Consumer) URL Validator:
^https:\/\/{SUBDOMAIN}\.leanix\.net\/Shibboleth\.sso\/SAML2\/POST$ - ACS (Consumer) URL:
https://{SUBDOMAIN}.leanix.net/Shibboleth.sso/SAML2/POST - Login URL:
https://{SUBDOMAIN}.leanix.net/customdomain
Note
Replace
{SUBDOMAIN}in the URLs with your custom subdomain that you specified in the SSO request form (for example,https://your-company.leanix.net).
Configuring SAML Settings
Step 3: Configure Attribute Mapping
In the Parameters section of the application settings, specify attributes to be added to the SAML assertion as shown in the following table. Set all attributes as required. All fields are case-sensitive.
| Attribute | Required | OneLogin Mapping |
|---|---|---|
firstname | Required | First Name |
lastname | Required | Last Name |
mail | Required | |
uid | Required |
Configuring Attribute Mapping
If you want to manage user roles within OneLogin and not within SAP LeanIX, configure additional role attributes specified in the following table. To learn more about managing user roles, see Managing User Roles with SSO.
| Attribute | Required | OneLogin Mapping |
|---|---|---|
role | Required only if you manage user roles within OneLogin | User Roles |
customerRoles | Required only if you manage user roles within OneLogin | User Roles |
To configure role attributes, follow these steps:
-
In the OneLogin admin dashboard, navigate to the Users section.
-
In the Roles section, create application roles.
Creating Application Roles
-
In the Mappings section, map the application roles that you created to user groups.
Mapping an Application Role to a User Group
To verify your SSO configuration, first, access your workspace at https://{SUBDOMAIN}.leanix.net, then navigate to the SAML session page at https://{SUBDOMAIN}.leanix.net/Shibboleth.sso/Session.
The following screenshot shows a SAML session page with a list of required user attributes that appear under Attributes. The role attribute is optional and may not apply to your setup.
SAML Session Page
Updated 20 days ago