Set SSO JIT Provisioning on OneLogin

    OneLogin configuration:

      1. Add a role (in both OneLogin and Dome9)
        • In the Applications tab, add your app
        • In the Users tab, add relevant users (previously configured)
        • In Dome9, add a new role.
        • In OneLogin, go to Users -> Roles
        • Add a new role with the same name
        • Edit the new role
      2. Create a new app, “SAML Test Connector (IdP)”: on the menu, go to Apps -> Add App
      3. Search for “SAML Test Connector (IdP)”
      4. Set the name and click Save.
      5. Configure the new app in the Configuration tab:
      6. In the Parameters tab:
        • Click Add parameter.
        • Enter ‘memberOf’ (or any other name that you choose) in the Field name.
        • Click Save.

        1. Login to Dome9 and select Account Settings.
        2. Select the SSO tab.
        3. Click Enable.
        4. Click Enable and add the following data in the relevant fields:
          • In the "Account ID" enter the value that you entered instead of "Name-up-select"
          • In the "Issuer" enter the "Issuer URL" from OneLogin.
          • In the "Idp endpoint url" enter the Identity Provider Single Sign-On URL from OneLogin.
          • In the "X.509 Certificate" enter the X.509 Certificate from OneLogin.
          • Click on the "Just-in-time provisioning for the account" checkbox.
          • In the "Attribute name in SAML for just-in-time role" add the name that you entered instead of "memberOf".
          • Click Save.
        5. Assign the group that you created before.
          • Select the Roles menu.
          • Create a role with the same name as the name of the Role that you created in OneLogin.
      7. If the email address of the OneLogin user already exists in Dome9, add another user in OneLogin, with the role from the previous step.
        (JIT provisioning applies to a user who does NOT exist in Dome9, but belongs to a Dome9 SSO account.)
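
After completing the steps above, the following check (an added example, not part of the original Dome9 or OneLogin documentation) reads a captured base64 SAMLResponse and reports whether the role attribute is present and carries the role name created in both products. It is a troubleshooting aid only and does not verify the response signature. Assumptions: the attribute is named 'memberOf' as in step 6, the role name must match exactly, and the sample response and the role name "Dome9-Auditors" are constructed.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response (unsigned, trimmed); "Dome9-Auditors" is a made-up role name.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>Dome9-Auditors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def jit_role_values(saml_response_b64, attribute_name="memberOf"):
    """Return every value of the role attribute found in a base64 SAMLResponse."""
    xml_bytes = base64.b64decode(saml_response_b64)
    # A SAML response never needs a DTD; refuse one rather than let the parser expand entities.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD found in SAML response")
    root = ET.fromstring(xml_bytes)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attribute_name:
            values += [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
    return values


def check_jit_role(saml_response_b64, expected_role, attribute_name="memberOf"):
    """Classify the response as ok / missing / case-mismatch / mismatch for one role name."""
    values = jit_role_values(saml_response_b64, attribute_name)
    if not values:
        return "missing", values        # attribute absent from the response
    if expected_role in values:
        return "ok", values             # assumption: the names must match exactly
    if expected_role.lower() in (v.lower() for v in values):
        return "case-mismatch", values  # same name, different letter case
    return "mismatch", values


if __name__ == "__main__":
    print(check_jit_role(SAMPLE_B64, "Dome9-Auditors"))
```

A "missing" result points at the Parameters tab or the attribute name entered in Dome9; "mismatch" or "case-mismatch" points at the role names not being the same in both products.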