OneLogin is an identity and access management provider. Zeplin SAML SSO is confirmed to work with OneLogin.
Before you begin
OneLogin does not process metadata files, which is the way we normally supply the Zeplin configuration values that OneLogin needs. Contact us at firstname.lastname@example.org to have us manually generate and supply your specific SSO URL and SP EntityID.
Configure OneLogin from the OneLogin Administration Console (https://<yourorg>.onelogin.com/admin)
Select Apps from the banner menu, and choose Add Apps
In the “search...” box, type SAML, and choose SAML Test Connector (Advanced)
Give this Connector a name, then select “Save”
On the Configuration tab:
- Enter the SP EntityID we gave you into the OneLogin field Recipient
- Enter the string ^https:\/\/.* into the OneLogin field ACS (Consumer) URL Validator. This string is a simple wildcard that only checks that the ACS URL uses https; your local site policies may require a more specific pattern.
- Enter the SSO URL we gave you into the OneLogin field ACS (Consumer) URL
On the Parameters tab, click “Add parameter”
- Field Name: email. Click “Save” to configure the Parameter details
- Value: Email
- Include in SAML assertion: Yes
Click “SAVE” at the top of the screen to save the Connector
Click the “SSO” tab to display the values you need to configure Zeplin.
Configure Zeplin
Log in to Zeplin (https://app.zeplin.io) as an Owner or Admin for your Zeplin Organization
From the Organization Dashboard, click the settings button on the top right to access Settings, and select the AUTHENTICATION tab
In the SAML 2.0 section, click the “Enable” button
In the Zeplin popup:
- Copy the string from the OneLogin field Issuer URL into the Zeplin field IDP Issuer
- Copy the string from the OneLogin field SAML 2.0 Endpoint (HTTP) into the Zeplin field IdP SAML 2.0 Endpoint
- Under the OneLogin header X.509 Certificate, click View details. Copy the contents of the box labelled X.509 Certificate into the Zeplin field IdP Public Certificate
Click the “Enable” button
Confirm everything works!
Go to the Zeplin login page and click the Login with SSO link (or go directly to https://app.zeplin.io/login/sso). Enter the email address of an existing Zeplin user. You should be redirected to your OneLogin IdP to authenticate, then back to that user's Project page.
Your company's identity management policies may require you to first assign this application to your users. Usually, this is via an existing OneLogin Policy or Role. Examine the Policies under the Access tab in the OneLogin console. Select the appropriate Policy, and assign the Zeplin application and specific users if required.
Extra information for OneLogin users
Once you have confirmed that users can log in with SAML, you can restrict login to SAML only for all users by selecting this option on the AUTHENTICATION tab in Zeplin. For safety, the Owner will still be able to log in using their username/password after this option is set.
OneLogin sends a session duration value in its SAML assertion. Zeplin will expire the session and attempt re-authentication at the shorter of this interval and the value chosen in the Zeplin setting Session Timeout, on the AUTHENTICATION tab in Zeplin’s Organization settings. The default session duration value sent by OneLogin in the SAML assertion is 24 hours.
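As an added example (not Zeplin's or OneLogin's own code), the following Python illustrates two points from this page: how permissive the ^https:\/\/.* ACS (Consumer) URL Validator is compared with a validator derived from the exact ACS URL, and how the effective session end is the shorter of the OneLogin session duration and the Zeplin Session Timeout. It assumes the OneLogin session duration is carried as the SessionNotOnOrAfter attribute of the assertion's AuthnStatement; the assertion and the ACS URL are constructed placeholders, not real Zeplin values.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real OneLogin response); only the
# elements this example inspects are present. The Recipient is a placeholder
# standing in for the SSO URL Zeplin supplies.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:SubjectConfirmation>
      <saml:SubjectConfirmationData Recipient="https://sso.example.invalid/saml/acs"
        NotOnOrAfter="2024-01-01T10:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2024-01-01T10:00:00Z"
    SessionNotOnOrAfter="2024-01-02T10:00:00Z"/>
</saml:Assertion>"""

# The wildcard from the configuration steps: any https URL passes.
PERMISSIVE_ACS_VALIDATOR = r"^https:\/\/.*"


def strict_acs_validator(acs_url):
    """Build a validator that matches only the exact ACS URL supplied by Zeplin."""
    return "^" + re.escape(acs_url) + "$"


def acs_allowed(validator, recipient):
    """True if the validator pattern accepts the recipient URL."""
    return re.match(validator, recipient) is not None


def assertion_recipient(assertion_xml):
    """Return the Recipient attribute from SubjectConfirmationData."""
    root = ET.fromstring(assertion_xml)
    return root.find(".//saml:SubjectConfirmationData", NS).get("Recipient")


def _parse_utc(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def effective_session_end(assertion_xml, zeplin_timeout_hours):
    """Session ends at the earlier of the IdP session limit and Zeplin's timeout."""
    stmt = ET.fromstring(assertion_xml).find("saml:AuthnStatement", NS)
    authn_instant = _parse_utc(stmt.get("AuthnInstant"))
    idp_end = _parse_utc(stmt.get("SessionNotOnOrAfter"))  # assumed OneLogin duration
    zeplin_end = authn_instant + timedelta(hours=zeplin_timeout_hours)
    return min(idp_end, zeplin_end)
```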
OneLogin can sign either the Assertion or Response. Zeplin will enforce a valid signature against the OneLogin-generated IdP Public Certificate.
By default, OneLogin does not encrypt the Assertion. Zeplin will accept unencrypted assertions, and also assertions encrypted with the Zeplin-generated X.509 certificate (available from Zeplin Support, and copied into the SAML Encryption field on OneLogin's Configuration tab). Zeplin can decrypt all of the ciphers that OneLogin supports.