OneLogin Configuration
First, you need to add Kron PAM to OneLogin as an application. To add Kron PAM as an application, perform the following configuration steps in OneLogin:
- Go to the Applications section in OneLogin.
- Click Add App and search for SAML Custom Connector (Advance).
- Enter a display name (such as Kron PAM) and then click Save.
- Navigate to the Configuration tab of the created Kron PAM App.
- Fill in the following parameters related to Kron PAM:
Parameter Name | Kron PAM Parameter | Example Value |
|---|---|---|
Audience (EntityID) | ||
Recipient | ||
ACS (Consumer) URL Validator* | .* | .* |
ACS (Consumer) URL* | ||
Single Logout URL |
The Email (SAML NameID) should be the same as the Kron PAM username.
- After saving the configurations above, go to the SSO tab of the added application to extract some information for filling the Kron PAM SAML configuration.
Parameter Name | Example Value |
|---|---|
Issuer URL | |
SAML 2.0 Endpoint (HTTP) | |
SLO Endpoint (HTTP) | |
X.509 Certificate | -----BEGIN CERTIFICATE----- MIIEMjCCAxqgAwIBAgIUG2HXQgRMpy/pUehFqTqzw0YaelAwDQYJKoZIhvcNAQEF BQAwYTEsMCoGA1UECgwjS3JvbiBUZWxla29tdW5pa2FzeW9uIEhpem1ldGxlcmkg QXMxFTATBgNVBAsMDE9uZUxvZ2luIElkUDEaMBgGA1UEAwwRT25lTG9naW4gQWNj hkQm6mlNsRnfCipDrtz1lqf2VKgc9g== -----END CERTIFICATE----- |
After adding Kron PAM as an application in OneLogin, you need to set additional configurations in Kron PAM.
Step 1: Define the required parameters in Kron PAM.
- Navigate to Administration > System Config. Man.
- Open the SAML Config tab.
- Fill in the following parameters related to OneLogin:
Parameter Name | Description | Example Value |
|---|---|---|
Enable SAML | It must be enabled to use SAML authentication. |  |
SAML Entity ID | SAML Test Connector Issuer URL from the OneLogin Portal. | |
SAML Logout URL | SAML Connector SLO Endpoint (HTTP) URL from the OneLogin Portal | |
SAML Remote URL | Personal Portal URL | |
SAML URL | SAML Connector SAML 2.0 Endpoint (HTTP) URL from the OneLogin Portal | |
SAML X509 Cert. Key | SAML Connector X.509 Certificate from the OneLogin Portal. | *-----BEGIN CERTIFICATE----- MIIEMjCCAxqgAwIBAgIUG2HXQgRMpy/pUehFqTqzw0YaelAwDQYJKoZIhvcNAQEF BQAwYTEsMCoGA1UECgwjS3JvbiBUZWxla29tdW5pa2FzeW9uIEhpem1ldGxlcmkg QXMxFTATBgNVBAsMDE9uZUxvZ2luIElkUDEaMBgGA1UEAwwRT25lTG9naW4gQWNj hkQm6mlNsRnfCipDrtz1lqf2VKgc9g== *-----END CERTIFICATE----- |
Enable Service Provider Login | This aims to enable the Service Provider initiator for the Login Page. |  |
Service Provider Name | If the Service Provider is enabled, the Provider Name must be filled as free text. | OneLogin |
Icon File | Service Provider Icon | Upload a 64*64 jpeg logo |
Step 2: Add TomcatCorsFilter to the Tomcat configuration file. After setting the required configuration in Step 1, you need to TomcatCorsFilter in the tomcat configuration:
- Open the web.xml file under the following directory. /u01/netright-tomcat/conf
- Find the TomcatCorsFilter part and add the Onelogin URL, as shown below in bold.
<filter-name>TomcatCorsFilter</filter-name> <filter-class>org.apache.catalina.filters.CorsFilter</filter-class> <init-param> <param-name>cors.allowed.origins</param-name> <param-value>10.20.42.27,https://single.onelogin.com</param-value> </init-param>