Single Sign-On and Multi-Factor Authentication with OneLogin
- The integration with OneLogin lets you use OneLogin as your Single Sign-On and Multi-Factor Authentication service for accessing Forecast
- This integration adds an extra layer of security for our enterprise customers
- For users to be able to log in to Forecast with their OneLogin account, they need to be created in Forecast with the same email address as their OneLogin user. This can be set up manually in Forecast, or provisioning can be used to automatically create users in Forecast from OneLogin
- NOTE: This integration is available for Enterprise Customers only
Setting up SSO
Step 1: Go to Apps > Add App
Step 2: Click the app named "OpenId Connect (OIDC)"
Step 3: Name the app "Forecast OIDC" and click SAVE
Step 4: Go to the Configuration tab
Add "https://app.forecast.it/one-login?iss=ONELOGIN_COMPANY_DOMAIN" in the Login Url field, where ONELOGIN_COMPANY_DOMAIN is your company's OneLogin Domain. Your company's OneLogin Domain is found in the OneLogin URL of your company (https://ONELOGIN_COMPANY_DOMAIN.onelogin.com/).
Then, add "https://graphql.forecast.it/onelogin/oauth/" under Redirect URI's
Step 5: Under the Users tab, add the users who should be allowed to use SSO on Forecast
Step 6: Go to the SSO tab. Then, copy the Client ID and Client Secret, and enter them on the OneLogin Forecast page.
Step 7: Enter your company's OneLogin Domain on the OneLogin Forecast page.
Setting up provisioning
The following provisioning features are supported:
- Push New Users - New users created through OneLogin will also be created in Forecast
- Push Profile Updates - Updates made to the user's profile through OneLogin will be pushed to Forecast
- Push User Deactivation/reactivation - Deactivating the user or disabling the user's access to the application through OneLogin will deactivate the user in Forecast
- Import New Users - New users created in Forecast will be downloaded and turned into new AppUser objects, for matching against existing OneLogin users
Step 1: Repeat steps 1-3 from Setting up SSO for an app named "SCIM Provisioner with SAML (SCIM v2 Core/Enterprise)"
Step 2: Name the app "Forecast SCIM" and press SAVE
Step 3: On the Configuration tab, enter "https://api.forecast.it/scim/v2/" into the SCIM Base URL field and insert the SCIM Bearer Token from the OneLogin Forecast page in the field of the same name. Then press the Enable button
Step 4: On the Parameters tab, ensure that the "NameID" field maps to the value of "First Name" and that the "SCIM Username" field maps to the value of "Email"
Step 5: Under the Provisioning tab, enable provisioning
Step 6: Users to be provisioned can be controlled from the Users tab
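
The email-matching requirement and the deactivation behaviour described above can be checked by comparing user exports from both systems. The script below is an added example, not code from Forecast or OneLogin. It assumes CSV exports with the hypothetical columns shown, uses constructed sample data, and treats email comparison as case-insensitive.

```python
import csv
import io

# Constructed sample exports. Column names ("email", "status", "active") are assumptions.
ONELOGIN_CSV = """email,status
Alice@Example.com,active
bob@example.com,active
carol@example.com,inactive
"""

FORECAST_CSV = """email,active
alice@example.com,true
bob@exmaple.com,true
carol@example.com,true
dave@example.com,true
"""

def _load(text, flag_column, truthy):
    """Return {normalized_email: is_active} from a CSV export."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["email"].strip().casefold(): r[flag_column].strip().lower() in truthy
            for r in rows}

def reconcile(onelogin_csv, forecast_csv):
    """Compare the two exports and list accounts that need attention."""
    ol = _load(onelogin_csv, "status", {"active"})
    fc = _load(forecast_csv, "active", {"true", "1", "yes"})
    return {
        # Active in OneLogin, but no Forecast user with the same email to log in as.
        "missing_in_forecast": sorted(e for e, a in ol.items() if a and e not in fc),
        # Active in Forecast with no OneLogin user to push a deactivation from.
        "unmanaged_in_forecast": sorted(e for e, a in fc.items() if a and e not in ol),
        # Deactivated in OneLogin but still active in Forecast.
        "stale_active": sorted(e for e, a in fc.items() if a and ol.get(e) is False),
    }

if __name__ == "__main__":
    for finding, emails in reconcile(ONELOGIN_CSV, FORECAST_CSV).items():
        print(f"{finding}: {emails}")
```

In the sample data, the misspelled domain shows up twice: once as a OneLogin user with no Forecast match and once as a Forecast account that OneLogin does not manage.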