1. Help Center
  2. API & Integrations
  3. Security and Single Sign-On (SSO)

OneLogin Integration

Single Sign-On and Multi-Factor Authentication with OneLogin

Please note: This integration is available for Plus Customers only 

Main Takeaways:

OneLogin & Forecast

The integration with OneLogin allows you to use OneLogin as your Single Sign-On and Multi Factor Authentication service for accessing Forecast. This integration adds and additional layer of security to your Forecast account. Please keep in mind that in order to use this integration, users must have the same email in Forecast and OneLogin. You can set your email manually in Forecast or you can create Forecast users in OneLogin by provisioning.

The article below will walk you through setting up the integration and how you can use provisioning.

Setting up SSO

 Step 1: Go to Apps > Add App

okta the app window


Step 2: Click the app named "OpenId Connect (OIDC)"
2020-07-27 (5)


Step 3: Name the app "Forecast OIDC" and click SAVE

2020-07-27 (8)


Step 4: Go to the Configuration tab

Add "https://app.forecast.it/one-login?iss=ONELOGIN_COMPANY_DOMAIN" in the Login Url field, where ONELOGIN_COMPANY_DOMAIN is your company's OneLogin Domain. Your company's OneLogin Domain is found in the OneLogin URL of your company (https://ONELOGIN_COMPANY_DOMAIN.onelogin.com/).

Then, add "https://graphql.forecast.it/onelogin/oauth/" under Redirect URI's

2020-07-27 (10)

Step 5: Under the Users, tab add the users who should be allowed to use SSO on Forecast

2020-07-27 (13)-1


Step 6: Go to the SSO tab. Then, copy the Client ID and Client Secret tab, and enter them on the OneLogin Forecast page.
2020-07-27 (15)

Step 7: Enter your company's OneLogin Domain on the OneLogin Forecast page.

Setting up provisioning


The following provisioning features are supported:

  • Push New Users - New users created through OneLogin will also be created in Forecast
  • Push Profile Updates - Updates made to the user's profile through OneLogin will be pushed to Forecast
  • Push User Deactivation/reactivation - Deactivating the user or disabling the user's access to the application through OneLogin will deactivate the user in Forecast
  • Import New Users - New users created in Forecast will be downloaded and turned in to new AppUser objects, for matching against existing OneLogin users

Configuration Steps

Step 1: Repeat steps 1-3 from Setting up SSO for an app named "SCIM Provisioner with SAML (SCIM v2 Core/Enterprise)"
2020-07-27 (17)


Step 2: Name the app "Forecast SCIM" and press SAVE

2020-07-27 (20)


Step 3: On the Configuration tab enter "https://api.forecast.it/scim/v2" into the SCIM Base URL field and insert the SCIM Bearer Token in the field of the same name. Then press the Enable button


Step 4: On the Parameters tab, ensure that the "NameID" field maps to the value of "First Name" and that the "SCIM Username" field maps to the value of "Email"


Step 5: Under the Provisioning tab, enable provisioning


Step 6: Users to be provisioned can be controlled from the Users tab