How to set up Single Sign-On with OneLogin

Targetprocess supports most of the SAML 2.0 compatible providers including Okta, OneLogin, Bitium and ADFS 2.0.

Integrating with OneLogin involves the following four steps: 

1. Adding Targetprocess as an application in OneLogin
2. Configuring OneLogin details in Targetprocess
3. Assigning Targetprocess Application to Users in OneLogin
4. Testing SSO in Targetprocess

Detailed steps are provided below.

1. Adding Targetprocess as an application in OneLogin

• Log in to your OneLogin Admin account, select 'Apps' and then choose ‘Add apps’ in dropdown menu. Use "OneLogin SAML Test (IdP)" application

  Set application name, e.g. “Targetprocess” and click “Save” to proceed to profile settings

• Now you need to log in as administrator to your Targetprocess account and get out your “Single sign on URL” for OneLogin. In Targetprocess its called “Assertion Consumer URL” and can be found at Settings > Authentication and Security > Single Sign-On.

• Copy the URL. e.g. “https://your_account.tpondemand.com/api/sso/saml2” and paste into ““ SAML Consumer URL” in OneLogin.

• Paste same value into “ACS URL Validator”

• Select “Email” on “Parameters” tab as shown below.

 Now select “SSO” tab in OneLogin.

2. Configuring OneLogin details in Targetprocess

On the ‘SSO’ tab of your application in OneLogin copy "SAML 2.0 Endpoint (HTTP)" and paste it into “Sign-on URL” field in Targetprocess SSO settings.

• Click on 'View details' under X.509 certificate, copy certificate and paste in Targetprocess into “Certificate” field

Note: You need to create certificates in OneLogin before using them, please find additional details in OneLogin "Multiple SAML certificates" guide

• Next you can enable JIT PRovisioning, disable native Targetprocess login form and some users to SSO exceptions list if needed. More information about these settings can be found in “Single Sign-On in Targetprocess” guide.

Targetprocess settings overview:

3. Assigning Targetprocess Application to Users in OneLogin

• After completing the configurations in Targetprocess you need to ensure that users are assigned to Targetprocess application. OneLogin provide various ways to assign users, for testing purposes we can assign a single user under "USers" > "All Users" > [click on user name] > "Applications tab". Click on '+' sign to assign your testing user to Targetprocess application.

  Additional information about assigning users to applications in OneLogin can be found in "Assigning Apps to Users"

4. Testing SSO in Targetprocess

• Logout from Targetprocess (click on avatar picture and choose “Logout”)
• Open your Targetprocess URL in browser - https://YOUR_ACCOUNT.tpondemand.com/. Now two scenarios are possible:
  • if you have disabled Targetprocess login form - browser will redirect you to OneLogin login page and then to Targetprocess UI
  • if you have mixed mode enabled - you’ll have to to click “Login with SSO” on Targetprocess login page.

Troubleshooting.

There are following common problems with SSO:

• Error 404 Not found - this means incorrect URL either in Targetprocess SSO settings or in OneLogin application settings. Please double-check your settings in OneLogin and Targetprocess to make sure URLs are valid

• You’re getting “Sorry, you can't access Targetprocess because you are not assigned this app in OneLogin” error. To resolve this problem make sure that your user is assigned to Targetprocess application on step 3 and you’re using correct account to login to Targetprocess.

 Other problems are less common and we'd recommend you to check your OneLogin events log to find out more details or look into Targetprocess System log