1. Help Center
  2. Integrations
  3. Security and Single Sign-On (SSO)

OneLogin Integration

Single Sign-On and Multi-Factor Authentication with OneLogin

Time to read: 5 minutes


Main Takeaways:

  • The integration with OneLogin lets you use OneLogin as your Single Sign-On and Multi-Factor Authentication service for accessing Forecast
  • This integration adds an extra layer of security for our enterprise customers
  • For users to be able to login to Forecast with their OneLogin account, they need to be created in Forecast with the same email address as their OneLogin user. This can be set up manually in Forecast or provisioning can be used to automatically create users in Forecast from OneLogin
  • NOTE: This integration is available for Enterprise Customers only 

Setting up SSO

 Step 1: Go to Apps > Add App

okta the app window


Step 2: Click the app named "OpenId Connect (OIDC)"
2020-07-27 (5)


Step 3: Name the app "Forecast OIDC" and click SAVE

2020-07-27 (8)


Step 4: Go to the Configuration tab

Add "https://app.forecast.it/one-login?iss=ONELOGIN_COMPANY_DOMAIN" in the Login Url field, where ONELOGIN_COMPANY_DOMAIN is your company's OneLogin Domain. Your company's OneLogin Domain is found in the OneLogin URL of your company (https://ONELOGIN_COMPANY_DOMAIN.onelogin.com/).

Then, add "https://graphql.forecast.it/onelogin/oauth/" under Redirect URI's

2020-07-27 (10)

Step 5: Under the Users, tab add the users who should be allowed to use SSO on Forecast

2020-07-27 (13)-1


Step 6: Go to the SSO tab. Then, copy the Client ID and Client Secret tab, and enter them on the OneLogin Forecast page.
2020-07-27 (15)

Step 7: Enter your company's OneLogin Domain on the OneLogin Forecast page.

Setting up provisioning


The following provisioning features are supported:

  • Push New Users - New users created through OneLogin will also be created in Forecast
  • Push Profile Updates - Updates made to the user's profile through OneLogin will be pushed to Forecast
  • Push User Deactivation/reactivation - Deactivating the user or disabling the user's access to the application through OneLogin will deactivate the user in Forecast
  • Import New Users - New users created in Forecast will be downloaded and turned in to new AppUser objects, for matching against existing OneLogin users

Configuration Steps

Step 1: Repeat steps 1-3 from Setting up SSO for an app named "SCIM Provisioner with SAML (SCIM v2 Core/Enterprise)"
2020-07-27 (17)


Step 2: Name the app "Forecast SCIM" and press SAVE

2020-07-27 (20)


Step 3: On the Configuration tab enter "https://api.forecast.it/scim/v2/" into the SCIM Base URL field and insert the SCIM Bearer Token from the OneLogin Forecast page in the field of the same name. Then press the Enable button


Step 4: On the Parameters tab, ensure that the "NameID" field maps to the value of "First Name" and that the "SCIM Username" field maps to the value of "Email"


Step 5: Under the Provisioning tab, enable provisioning


Step 6: Users to be provisioned can be controlled from the Users tab