Introduction
This page is designed to help customers set up, or test the setup of, SAML SSO with the OneLogin identity provider.
Configure SSO
Organization owners and admins can set up SSO. To start setting up SAML SSO on HCP:
- Log in to the HCP portal.
- Select the organization you wish to set up SSO for, then go to Organization Settings.
- Click on View Configuration Instructions.
- Select SAML and click Next.
- On the Configure SAML page, enter your email domain name and ensure it is verified.
Verify Your Domain
You need to add a DNS TXT record containing a secret verification value to prove ownership of a domain. HCP uses the domain to match the email addresses for SSO. You must use different SSO domains for each HCP organization. If you try to reuse a domain name, the DNS connection request will fail.
To verify your domain:
- Copy the verification TXT record from the HCP SSO configuration to the DNS records of any email domains your organization uses.
- Return to the HCP Settings page and add your email address domains.
- Click Verify domains.
- If the verification is successful, you can continue configuring SSO. If the request fails, your changes to the DNS records may not have propagated yet. It can take up to 72 hours.
Initiate SAML Integration
You must add information from the Initiate SAML Integration section in HCP to the SAML configuration for the OneLogin Identity Provider.
To add the required integration information in OneLogin:
- Log in to OneLogin with your domain.
- Navigate to Applications > Applications > Add Apps in the OneLogin Administration dashboard. Search for SAML Custom Connector (Advanced) and select the first result from the search results.
- Set the Display Name under the Info tab.
- In the Configuration tab, add the following fields:
- Audience (EntityID): This value comes from the HCP Configure SAML, Step 2 (Entity ID).
- ACS (Consumer) URL: This is from the HCP Configure SAML, Step 2 (SSO Sign-On URL).
- ACS (Consumer) URL Validator: Convert the SSO Sign-On URL to regex format and paste here. You can use an online tool for this.
- Go to the next tab, Parameters, and click the + next to SAML Custom Connector (Advanced).
- For the Field Name, copy the Email Attribute Assertion Name from the HCP portal (Step 2) and set the Value as Email, then click Save.
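The ACS (Consumer) URL Validator step above deserves care: the validator is a regular expression, and a pattern that is unescaped or unanchored can accept URLs other than the real HCP ACS URL, which means the IdP could post SAML assertions somewhere they should not go. The following is an added example (not part of the original page and not OneLogin's or HCP's code) that builds the validator pattern by escaping and anchoring the ACS URL, then compares it against a naively pasted pattern on a few look-alike URLs. The ACS URL is a constructed placeholder; substitute the SSO Sign-On URL shown in HCP Configure SAML, Step 2. It also assumes the validator applies the pattern with unanchored search semantics, which is why the pattern carries its own `^` and `$`.

```python
import re

# Constructed placeholder, NOT a real HCP endpoint: replace with the
# SSO Sign-On URL from HCP Configure SAML, Step 2.
ACS_URL = "https://portal.example-hcp.test/sso/saml/acs/ORG-ID-PLACEHOLDER"


def acs_url_validator_regex(acs_url: str) -> str:
    """Build the regex for the ACS (Consumer) URL Validator field.

    re.escape turns '.', '-' and other metacharacters into literals, and the
    ^...$ anchors make the pattern match the whole URL rather than a prefix
    or a substring of some other URL.
    """
    return "^" + re.escape(acs_url) + "$"


def validator_accepts(pattern: str, candidate: str) -> bool:
    """Model a validator that runs the pattern as an unanchored search
    (assumption: the pattern must supply its own anchors)."""
    return re.search(pattern, candidate) is not None


def compare_validators(acs_url: str) -> dict:
    """Return {candidate: (naive_accepts, hardened_accepts)} for the real URL
    and a few constructed look-alikes."""
    naive = acs_url                       # URL pasted as-is: '.' is a wildcard, no anchors
    hardened = acs_url_validator_regex(acs_url)
    candidates = {
        "exact": acs_url,
        "dot_wildcard": acs_url.replace("portal.example", "portalXexample", 1),
        "extra_path": acs_url + "/../../other-app",
        "scheme_downgrade": acs_url.replace("https://", "http://", 1),
    }
    return {
        name: (validator_accepts(naive, url), validator_accepts(hardened, url))
        for name, url in candidates.items()
    }


if __name__ == "__main__":
    print("validator regex:", acs_url_validator_regex(ACS_URL))
    for name, (naive_ok, hardened_ok) in compare_validators(ACS_URL).items():
        print(f"{name:17} naive={naive_ok!s:5} hardened={hardened_ok}")
```

Only the exact ACS URL should come back accepted by the hardened pattern; the naive pattern also accepts the wildcard-dot and extra-path variants, which is the behaviour the escaped and anchored form removes.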
Finalize SSO Settings
To finish configuring SSO:
- Obtain the SAML IDP Single Sign-On URL from your IdP (OneLogin):
- Navigate to Applications > SSO > SAML 2.0 Endpoint (HTTP) and paste the URL into HCP SAML IDP Single Sign-On URL.
- Note: Ensure the URL contains SSO, which confirms it's the correct link to use.
- For the SAML IDP Certificate:
- Go to OneLogin > SSO > X.509 Certificate > View Details.
- Copy the certificate, ensuring there are no spaces after END CERTIFICATE, then paste it into HCP SAML IDP Certificate.
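The certificate pasted into HCP is the trust anchor for every SAML assertion from OneLogin, so stray whitespace, Windows line endings or a truncated copy will either be rejected or, worse, leave you debugging a vague login failure. The following is an added example (not part of the original page, and not HCP's or OneLogin's code) that cleans a pasted PEM block, checks that it is a single well-formed `BEGIN CERTIFICATE` / `END CERTIFICATE` block whose body decodes to DER, and returns a SHA-256 fingerprint you can compare against the one shown under X.509 Certificate > View Details. The sample input is a constructed five-byte ASN.1 SEQUENCE wrapped in PEM markers, not a real certificate.

```python
import base64
import hashlib

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed sample: CRLF line endings and trailing spaces after the END line,
# the two defects a copy-paste from a browser most often introduces. The body
# "MAMCAQE=" is the base64 of a tiny ASN.1 SEQUENCE, not a real certificate.
CONSTRUCTED_PASTE = (
    "-----BEGIN CERTIFICATE-----\r\n"
    "MAMCAQE=\r\n"
    "-----END CERTIFICATE-----   \r\n"
)


def normalize_pem(pasted: str) -> tuple:
    """Return (clean_pem, sha256_fingerprint_hex) for a pasted certificate.

    Raises ValueError when the text is not exactly one PEM certificate whose
    body is valid base64 decoding to DER (an ASN.1 SEQUENCE).
    """
    # Unify line endings and strip trailing whitespace on every line,
    # including the spaces that often follow END CERTIFICATE.
    text = pasted.replace("\r\n", "\n").replace("\r", "\n")
    lines = [ln.strip() for ln in text.split("\n")]
    lines = [ln for ln in lines if ln]  # drop blank lines
    if not lines or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("text must start with BEGIN CERTIFICATE and end with END CERTIFICATE")
    if BEGIN in lines[1:] or END in lines[:-1]:
        raise ValueError("more than one PEM block pasted; HCP expects a single certificate")

    body = "".join(lines[1:-1])
    try:
        der = base64.b64decode(body, validate=True)  # rejects non-base64 characters
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"certificate body is not valid base64: {exc}") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded bytes do not start with an ASN.1 SEQUENCE; not a DER certificate")

    # Re-wrap the body at 64 columns (RFC 7468 layout) and end with one newline.
    wrapped = [body[i:i + 64] for i in range(0, len(body), 64)]
    clean = "\n".join([BEGIN, *wrapped, END]) + "\n"
    return clean, hashlib.sha256(der).hexdigest()


if __name__ == "__main__":
    pem, fingerprint = normalize_pem(CONSTRUCTED_PASTE)
    print(pem, end="")
    print("SHA-256 fingerprint:", fingerprint)
```

Run it on the text you intend to paste; if it raises, fix the copy rather than the HCP form, and compare the printed fingerprint with the one OneLogin displays before saving.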
Now, users can sign in to your organization via OneLogin.
Testing SAML configuration
To test, please use the HCP portal login page, as HCP SSO is SP-initiated, not IdP-initiated. If you attempt to test the SAML app directly from OneLogin, you'll encounter an 'Oops. Something went wrong' message, which is expected.