OneLogin is an identity and access management provider. Zeplin's SAML SSO and user provisioning with SCIM are confirmed to work with OneLogin.
Before you begin
OneLogin does not process metadata files, which is how we supply the Zeplin configuration values needed by OneLogin. Contact us at firstname.lastname@example.org to have us manually generate and supply your specific SSO URL and SP EntityID.
Note for SCIM Compatability: OneLogin supports SCIM, but only if you initially choose a SCIM-capable custom app. Even if you do not intend to use SCIM today, be sure to select a SCIM-capable custom app in OneLogin, rather than a purely SAML one, to have the option to enable SCIM in the future.
Configure OneLogin from the OneLogin Administration Console (https://<yourorg>.onelogin.com/admin)
Log in to Zeplin (https://app.zeplin.io) as an Owner or Admin for your Zeplin Organization
Select Apps from the banner menu, and choose Add Apps
In the “search...” box, type SAML, and choose SCIM Provisioner with SAML (SCIM v2 Enterprise)
Give this Connector a name, then select “Save”
On the Configuration tab:
- Enter the SP EntityID we gave you into the OneLogin field SAML Audience URL
- Enter the SSO URL we gave you into the OneLogin field SAML Consumer URL
On the Parameters tab, click “Add parameter” (or the + sign)
- Field Name: email.
- Include in SAML assertion: Yes
Click “Save”, then configure the Parameter details
- Value: Email
Click the “SAVE” at the top of the screen to save the Connector
Click the “SSO” tab to display the values you need to configure Zeplin.
From the Organization Dashboard, click the settings button on the top right to access Settings, and select the AUTHENTICATION tab
In the SAML 2.0 section, click on the “Enable” button
In the Zeplin popup:
- Copy the string from the OneLogin field Issuer URL into the Zeplin field IDP Issuer
- Copy the string from the OneLogin field SAML 2.0 Endpoint (HTTP) into the Zeplin field IdP SAML 2.0 Endpoint
- Under the OneLogin header X.509 Certificate, click on View details. Copy the contents of the box labelled X.509 Certificate into the Zeplin field IdP Public Certificate
Click on the “Enable” button
Confirm everything works!
Go to the Zeplin login page, and click on the Login with SSO link (or go directly to https://app.zeplin.io/login/sso). Enter the email address of an existing Zeplin user. You should redirect to your OneLogin IdP to authenticate, then back to that user's Project page.
Your company's identity management policies may require you to first assign this application to your users. Usually, this is via an existing OneLogin Policy or Role. Examine the Policies under the Access tab in the OneLogin console. Select the appropriate Policy, and assign the Zeplin application and specific users if required.
When it is confirmed users can log in with SAML, you can restrict login to be via SAML only for all users in your domain by setting Require SSO on the AUTHENTICATION tab in Zeplin.
- Don't Require: Users can continue to log in with username/password or SSO
- Require for All Members: Users in your domain who try to log in with username/password will be redirected to your IdP instead.
For safety, the Owner will still be able to log in using their username/password even if this option is set to Require.
You can specify a Session timeout. Zeplin will check with your IdP at the shorter period of this setting and the Session Duration as sent by your IdP (if it sends one) to verify the user is still authenticated.
You can choose to Allow inviting users from different domains. If not ticked, only users with an email address in your domain will be permitted to be invited to the Workspace.
User Provisioning with SCIM
OneLogin can autoprovision users in Zeplin using the SCIM protocol. See the article User Provisioning With SCIM for configuration information. In OneLogin, the SCIM integration is configured Configuration tab, and it is enabled on the Provisioning tab.
Extra information for OneLogin users
OneLogin sends a session duration value in its SAML assertion. Zeplin will expire and attempt session re-authentication at the shorter of this interval, or the value chosen in the Zeplin setting Session Timeout, on the AUTHENTICATION tab in Zeplin’s Organization settings. The default session duration value sent by OneLogin in the SAML assertion is 24 hours.
OneLogin can sign either the Assertion or Response. Zeplin will enforce a valid signature against the OneLogin-generated IdP Public Certificate.
By default, OneLogin does not encrypt the Assertion. Zeplin will accept unencrypted assertions, and also assertions encrypted with the Zeplin-generated x.509 certificate (available from Zeplin Support, and copied into the SAML Encryption field on OneLogin's Configuration tab). Zeplin can decrypt all of the ciphers that OneLogin supports.