Single Sign-On and Multi-Factor Authentication with OneLogin
The integration with OneLogin lets you use OneLogin as your Single Sign-On and Multi-Factor Authentication service for accessing Forecast. This adds an extra layer of security for our enterprise customers.
For users to be able to login to Forecast with their OneLogin account, they need to be created in Forecast with the same email address as their OneLogin user. This can be setup manually in Forecast or provisioning can be used to automatically create users in Forecast from OneLogin.
Guide to setting up SSO
- Go to the Administration page of your companies domain.
- Go to Apps > Add Apps
- Click the app named "OpenId Connect (OIDC)"
- Name the app "Forecast OIDC" and click SAVE
- Go to the Configuration tab and add "https://graphql.forecast.it/onelogin/oauth/" under Redirect URI's and "https://app.forecast.it/one-login?iss=ONELOGIN_COMPANY_DOMAIN" in the Login Url field, where ONELOGIN_COMPANY_DOMAIN is your company's OneLogin Domain. Your company's OneLogin Domain is found in the OneLogin URL of your company (https://ONELOGIN_COMPANY_DOMAIN.onelogin.com/).
- Under the Users tab add the users who should be allowed to use SSO on Forecast.
- Copy the Client ID and Client Secret from the "SSO" tab and enter them on the OneLogin Forecast page.
- Enter your company's OneLogin Domain on the OneLogin Forecast page.
Guide to setting up provisioning
The following provisioning features are supported:
- Push New Users - New users created through OneLogin will also be created in Forecast.
- Push Profile Updates - Updates made to the user's profile through OneLogin will be pushed to Forecast.
- Push User Deactivation/reactivation - Deactivating the user or disabling the user's access to the application through OneLogin will deactivate the user in Forecast.
- Import New Users - New users created in Forecast will be downloaded and turned in to new AppUser objects, for matching against existing OneLogin users.
Before you configure provisioning or SSO for Forecast, make sure you contact the Forecast Success Team and have them enable the OneLogin integration on your account.
- Repeat steps 1-3 from Guide to setting up SSO for an app named "SCIM Provisioner with SAML (SCIM v2)"
- Name the app "Forecast SCIM" and press SAVE
- On the Configuration tab enter "https://api.forecast.it/scim/v2/" into the SCIM Base URL field and insert the SCIM Bearer Token from the OneLogin Forecast page in the field of the same name. Then press the Enable button.
- On the Parameters tab, ensure that the "NameID" field maps to the value of "First Name" and that the "SCIM Username" field maps to the value of "Email"
- Under the Provisioning tab, enable provisioning.
- Users to be provisioned can be controlled from the Users tab.