Privacera Documentation

Set up portal SSO for Privacera Platform with OneLogin using SAML

The Privacera portal can authenticate users through OneLogin using SAML. OneLogin must be configured as the SAML identity provider (IdP) for the Privacera portal, which acts as the service provider (SP).

To set up portal SSO with OneLogin using SAML, follow these steps:

Configure SAML in OneLogin

To configure SAML in the OneLogin application:

  1. Go to https://{company-name}.onelogin.com/

  2. Log in to your OneLogin account.

  3. From the menu, select Applications > Applications.

  4. Click Add App.

  5. Search for SAML, and then select SAML Custom Connector (Advanced) from the list.

  6. In the Display Name field, enter a display name (for example, Privacera Portal SAML), and then click Save.

  7. From the navigation menu, select Configuration, and enter the following details in the fields:

    • Audience (EntityID): privacera-portal

    • Recipient: https://{portal_hostname}:{PORT}/saml/SSO

    • ACS (Consumer) URL Validator: an anchored regular expression that matches only your ACS (Consumer) URL, for example ^https:\/\/{portal_hostname}:{PORT}\/saml\/SSO$

      Note

      OneLogin validates the ACS URL named in the service provider's request against this regular expression. If the URL matches, OneLogin posts the SAML response to it.

      If it does not match, OneLogin logs a warning event and posts the response to the configured ACS (Consumer) URL value instead.

      For example, if the ACS (Consumer) URL is https://serviceprovider.com/saml/consume/, a secure ACS (Consumer) URL Validator is:

      ^https:\/\/serviceprovider\.com\/saml\/consume\/$

      The ^ and $ anchors are essential. Without them the pattern also matches any URL that merely contains that text, including a URL on a host under someone else's control, and an unescaped . matches any character rather than a literal dot. A wildcard pattern such as https://{yourhostname.com}/* gives none of this protection and should not be used.

    • ACS (Consumer) URL: https://{portal_hostname}:{PORT}/saml/SSO

    • Single Logout URL: https://{portal_hostname}:{PORT}/login.html

  8. Click Save.

  9. From the navigation menu, select Parameters and then click +.

  10. Add the following attribute mapping:

    • user.login: Username

      Note

      If you enter an email address in User.login, the domain name is removed to create a username. For example: john.joe@company.com becomes john.joe.

    • Select the Include in SAML assertion checkbox.

      You can also add the following attribute mappings:

      • user.email: Email

      • user.firstName: FirstName

      • user.lastName: LastName

    • Click Save.

  11. Open the More Actions drop-down and select SAML Metadata.

    The XML metadata file downloads (for example, onelogin_metadata_{id}.xml). Rename it to privacera-portal-aad-saml.xml.
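The following Python script is an added example, not part of the Privacera or OneLogin documentation. It shows why the Note above insists on the ^ and $ anchors: the same set of constructed candidate URLs is run against an anchored validator built from the ACS URL and against a loose wildcard pattern of the https://{yourhostname.com}/* kind. The hostname portal.example.com, the port 6868 and the candidate URLs are constructed for the example, and the script assumes the validator behaves like an unanchored regular-expression search, which is the reason the anchors matter.

```python
import re

# Constructed sample values for this example (not from the page): the Privacera
# ACS URL as it would be entered in OneLogin, and candidate URLs that a tampered
# or mistaken AuthnRequest might name as its AssertionConsumerServiceURL.
ACS_URL = "https://portal.example.com:6868/saml/SSO"

CANDIDATE_URLS = [
    "https://portal.example.com:6868/saml/SSO",                              # the real ACS
    "https://portal.example.com:6868/saml/SSO/../logout",                    # extra path
    "https://portal.example.com.attacker.example/saml/SSO",                  # host suffix
    "https://portalXexample.com:6868/saml/SSO",                              # unescaped '.'
    "http://portal.example.com:6868/saml/SSO",                               # plain HTTP
    "https://attacker.example/?u=https://portal.example.com:6868/saml/SSO",  # embedded URL
]


def anchored_validator(acs_url):
    """Validator in the form the Note recommends: every regex metacharacter
    escaped and the whole pattern anchored with ^ and $, so only the exact
    ACS URL matches. re.escape leaves '/' alone because it is not a
    metacharacter; escaping it as OneLogin's example does is optional."""
    return "^" + re.escape(acs_url) + "$"


def loose_validator(hostname):
    """The unanchored wildcard style to avoid, e.g. https://{yourhostname.com}/*.
    The '.' characters in the hostname are unescaped and match any character."""
    return "https://" + hostname + "/*"


def accepted_urls(pattern, urls):
    """Return the candidate URLs a validator with unanchored search semantics
    would accept. Assumption: the validator behaves like re.search, which is
    why the Note calls the anchors essential."""
    rx = re.compile(pattern)
    return [u for u in urls if rx.search(u)]


if __name__ == "__main__":
    for name, pattern in (("anchored", anchored_validator(ACS_URL)),
                          ("loose", loose_validator("portal.example.com"))):
        print(f"{name}: {pattern}")
        for u in accepted_urls(pattern, CANDIDATE_URLS):
            print("  accepts", u)
```

Run as-is, the anchored pattern accepts only the real ACS URL, while the loose pattern accepts five of the six candidates, rejecting only the plain-HTTP one. Paste the anchored pattern (with your real hostname and port) into the ACS (Consumer) URL Validator field.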

Configure privacera-portal-aad-saml.xml

Next, configure the Privacera portal through privacera-manager so that it uses privacera-portal-aad-saml.xml.

  1. Run the following commands:

    cd ~/privacera/privacera-manager/
    cp config/sample-vars/vars.portal.saml.aad.yml config/custom-vars/
  2. Edit the vars.portal.saml.aad.yml file:

    vi config/custom-vars/vars.portal.saml.aad.yml
  3. Add the following properties:

    SAML_ENTITY_ID: "privacera-portal"
    SAML_BASE_URL: "https://{{app_hostname}}:{port}"
    PORTAL_UI_SSO_ENABLE: "true"
    PORTAL_UI_SSO_URL: "saml/login"
    PORTAL_UI_SSO_BUTTON_LABEL: "Single Sign On"
    AAD_SSO_ENABLE: "true"
  4. Copy the privacera-portal-aad-saml.xml file to the following folder:

    ~/privacera/privacera-manager/ansible/privacera-docker/roles/templates/portal/common/conf
  5. Edit the vars.portal.yml file:

    cd ~/privacera/privacera-manager/
    vi config/custom-vars/vars.portal.yml
  6. Add the following properties and assign your values.

    SAML_EMAIL_ATTRIBUTE: "user.email"
    SAML_USERNAME_ATTRIBUTE: "user.login"
    SAML_LASTNAME_ATTRIBUTE: "user.lastName"
    SAML_FIRSTNAME_ATTRIBUTE: "user.firstName"
  7. Update privacera-manager so that the new configuration takes effect.

    You can now use Single Sign-On with Privacera using OneLogin.
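The following Python script is an added example and is not Privacera's own tooling. It performs the pre-flight check a practitioner would want before restarting the portal: it cross-checks the values entered in the OneLogin connector against the two vars files written in the steps above and confirms that the downloaded IdP metadata contains what the portal needs. The vars file contents, the OneLogin values (hostname portal.example.com, port 6868) and the minimal metadata XML are all constructed inline for the example; the real files live at the paths given in the steps.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not the real files): the two vars files as written
# in the steps above, with the placeholders filled in.
VARS_SAML = '''
SAML_ENTITY_ID: "privacera-portal"
SAML_BASE_URL: "https://portal.example.com:6868"
PORTAL_UI_SSO_ENABLE: "true"
PORTAL_UI_SSO_URL: "saml/login"
PORTAL_UI_SSO_BUTTON_LABEL: "Single Sign On"
AAD_SSO_ENABLE: "true"
'''

VARS_PORTAL = '''
SAML_EMAIL_ATTRIBUTE: "user.email"
SAML_USERNAME_ATTRIBUTE: "user.login"
SAML_LASTNAME_ATTRIBUTE: "user.lastName"
SAML_FIRSTNAME_ATTRIBUTE: "user.firstName"
'''

# Constructed stand-in for the OneLogin IdP metadata saved as
# privacera-portal-aad-saml.xml (entity ID, endpoint and certificate are fake).
IDP_METADATA = '''<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://app.onelogin.com/saml/metadata/0000000">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...constructed...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-company.onelogin.com/trust/saml2/http-redirect/sso/0000000"/>
  </IDPSSODescriptor>
</EntityDescriptor>
'''

# What was entered in the OneLogin connector (constructed to match the steps above).
ONELOGIN_APP = {
    "audience": "privacera-portal",
    "acs_url": "https://portal.example.com:6868/saml/SSO",
    "parameters": {"user.login", "user.email", "user.firstName", "user.lastName"},
}

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"


def parse_vars(text):
    """Parse the simple KEY: "value" lines used in privacera-manager vars files."""
    parsed = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Z_]+)\s*:\s*"?([^"]*)"?\s*$', line)
        if m:
            parsed[m.group(1)] = m.group(2)
    return parsed


def check_sso_config(vars_saml, vars_portal, onelogin_app, idp_metadata_xml):
    """Return a list of mismatches between the OneLogin app, the vars files and
    the IdP metadata. An empty list means the three agree."""
    problems = []
    saml = parse_vars(vars_saml)
    portal = parse_vars(vars_portal)

    if saml.get("SAML_ENTITY_ID") != onelogin_app["audience"]:
        problems.append("SAML_ENTITY_ID must equal the OneLogin Audience (EntityID)")
    if saml.get("SAML_BASE_URL", "").rstrip("/") + "/saml/SSO" != onelogin_app["acs_url"]:
        problems.append("SAML_BASE_URL + /saml/SSO must equal the OneLogin ACS (Consumer) URL")
    if saml.get("PORTAL_UI_SSO_ENABLE") != "true" or saml.get("AAD_SSO_ENABLE") != "true":
        problems.append('PORTAL_UI_SSO_ENABLE and AAD_SSO_ENABLE must both be "true"')

    # Attribute names are matched as strings, so compare exactly: "User.login"
    # in OneLogin will not satisfy SAML_USERNAME_ATTRIBUTE "user.login".
    for key in ("SAML_USERNAME_ATTRIBUTE", "SAML_EMAIL_ATTRIBUTE",
                "SAML_FIRSTNAME_ATTRIBUTE", "SAML_LASTNAME_ATTRIBUTE"):
        if portal.get(key) not in onelogin_app["parameters"]:
            problems.append(f"{key}={portal.get(key)!r} is not a parameter included in the OneLogin assertion")

    root = ET.fromstring(idp_metadata_xml)
    idp = root.find(f"{MD}IDPSSODescriptor")
    if idp is None:
        problems.append("metadata has no IDPSSODescriptor (IdP metadata expected, not SP metadata)")
    else:
        if idp.find(f"{MD}SingleSignOnService") is None:
            problems.append("metadata has no SingleSignOnService endpoint")
        if not any(kd.get("use") in (None, "signing") for kd in idp.findall(f"{MD}KeyDescriptor")):
            problems.append("metadata has no signing certificate; assertion signatures cannot be verified")
    return problems


if __name__ == "__main__":
    for p in check_sso_config(VARS_SAML, VARS_PORTAL, ONELOGIN_APP, IDP_METADATA) or ["OK"]:
        print(p)
```

To use it against a real deployment, read the two vars files and privacera-portal-aad-saml.xml from the paths in the steps above and fill ONELOGIN_APP from the connector's Configuration and Parameters tabs; any line printed other than OK points at a value to correct before the first login attempt.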