idemeum Passwordless MFA integrates with OneLogin to enable:
- Remote identity verification - digitally verify identity of employees to make every login trusted. Right from the mobile app, verify email, phone number, or government ID. idemeum app is not just an authenticator, it is an employee owned identity that you can trust.
- Passwordless onboarding - employees are onboarded into organization without any passwords. No need to send credentials over email or chat, employees simply install mobile application and create digital identity.
- Passwordless access - employees access any corporate application with biometrics. Every login is protected by Multi-Factor authentication - biometrics (something you are) and certificates (something you have).
High-level architecture overview
idemeum integrates with OneLogin in minutes - no need to synchronize users or deploy any connectors or servers. Just federate with OneLogin using SAML and connect idemeum to your user source system.
In the diagram above, we see the deployment where OneLogin is deployed as a primary IDP and all applications are federated directly with OneLogin. When user is trying to authenticate to a corporate application, the sign in request is sent first to OneLogin, and is then subsequently redirected to idemeum. idemeum performs Passwordless Multi-Factor authentication and returns necessary user information to OneLogin, which in turn forwards that user information to federated application. As a result users can access application without any passwords.
Upon the very first login, idemeum onboards and verifies employee information with user source system. idemeum can use personal email address, phone number, or ID document to onboard new employees. You can learn more about onboarding here.
In order to integrate idemeum with OneLogin you will first need to obtain SAML metadata parameters for your idemeum tenant. Specifically you will need:
- Identity Provider SSO URL
- Identity Provider Entity ID
- Public X509 certificate (PEM format)
Instructions for how to obtain these SAML metadata parameters are below.
Create Trusted IdP
- Access your OneLogin admin dashboard and navigate to Authentication -> Trusted IdPs
- Click New Trust to create an integration
- First give Trusted IdP a name
- Scroll down to the configurations section. In the Issuer field enter Identity Provider Entity ID that you obtained in the prerequisites section.
- Make sure you enable Sign users into OneLogin checkbox
- Now scroll down to SAML configurations section. In the IdP Login URL paste Identity Provider SSO URL that you obtained in the prerequisites section.
- Also copy SP Entity ID value as you will need it for idemeum configuration
- Now scroll down to Trusted IdP Certificate. In the X.509 Certificate field paste the Public X509 certificate (PEM format) that you obtained in the prerequisites section.
- You can now scroll all the way back up and Enable Trusted IdP
- Save the configuration
Enable Trusted IdP for users
You have several options for how to enable Trusted IdP for your OneLogin users depending on how you want to roll out passwordless across your organization.
- You can make Trusted IdP a default authenication for all users
- You can enable Trusted IdP only for users that match certain mappings
- You can offer sign in with Trusted IdP on a login page as an option
Default Trusted IdP
In this option every user will automatically be redirected to idemeum for authentication when they access OneLogin portal.
- Navigate to Authnetication -> Trusted IdPs
- Choose Trusted IdP that you want to make default
- Click on More actions -> Set as default Trusted IdP
Use mappings for Trusted IdP
In this option only users matching certain criteria will be authenticated using idemeum.
- Navigate to Users -> Mappings
- Click Add new mapping
- Choose your criteria for selecting users and enable Trusted IdP that you configured for these users
- Click Save
- Reapply all mappings after saving configuration
In this option login with idemeum will be available as an option on OneLogin screen.
- Navigate to Authentication -> Trusted IdPs
- Edit Trusted IdP that you configured
- Scroll to Login Options
- Enable Show in Login panel checkbox
- Specify URL for icon that you want to use. If you want to use idemeum logo you can use the following URL https://idemeum.com/wp-content/uploads/2021/10/Logo-Icon@2x.png
- Click Save
Configure log out URL
When the user logs out of OneLogin we also need to make sure the user is logged out from idemeum. For that to happen we need to configure logout URL.
- Navigate to Settings -> Account settings
- Click Login in the left menu
- Scroll down to the bottom. Enter the following URL into the Logout URL field -> https://<your idemeum tenant>/api/logout-redirect
- Save settings
Connect to user source system
- As a first step you need to connect your idemeum tenant to your user source system. You can leverage our integrations portal to find detailed guides for each user source that we support.
Configure user onboarding
- You also need to decide how you would like to onboard your new employees into passwordless MFA. You can use personal email address, phone number, or ID document.
- Navigate to Security settings in your idemeum portal to configure onboarding
You can learn more about passwordless onboarding in our documentation section.
Set up OneLogin app
- Navigate to Applications in idemeum admin portal and choose OneLogin
- Click SAML
Now you will be using SAML values obtained from OneLogin when setting up a Trusted IdP
- Enter your OneLogin tenant URL in the form https://<your domain>.onelogin.com
- Paste SP Entity ID that you obtained from OneLogin configuration into Audience URI
- Save configuration
Test Passwordless MFA
- Open incognito browser window and navigate to your OneLogin tenant URL. In case of default Trusted IDP configuration you will be immediately redirected to idemeum. You will see the QR code that you will need to scan with the idemeum application.
- Once you scan the QR code with idemeum application and approve the sign in, you will be redirected to OneLogin application catalog.