Introduction
Kepion provides simple but secure access through single sign-on (SSO) with OneLogin. This article walks system admins through setting up SSO with this identity provider.
Tip: You can also set up SSO with Windows or Azure AD.
Step 1: Configure OneLogin
You need to configure an app for Kepion in OneLogin, which you'll later use to establish a secure connection with Kepion.
Add app
1. Sign in to OneLogin.
2. Select Administration.
3. On the top navigation, go to Applications > Applications.
4. Select Add App.
5. Search for and select SAML Custom Connector (Advanced).
6. Enter Kepion in the Display Name field and select Save.
Tip: You can add a description and change the thumbnail if desired.
The left navigation should be populated with the rest of the configuration tabs.
Configure app
With the app created, you can now configure it and obtain the necessary information for SSO integration with Kepion.
Note: Save after you're done with each tab.
Configuration
You need to define the ACS (Consumer) URL, which tells your IdP where to send its SAML Response after authenticating a user.
1. Go to the Configuration tab.
2. Enter values in the following fields:
- ACS (Consumer) URL Validator: Copy the following string and paste it into the field.
[-a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%_\+.~#?&//=]*)
- ACS (Consumer) URL: Copy the Callback URL from Kepion and paste it into the field.
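The validator string above has no ^ or $ anchors and does not name a host. The following check is an added example, not code from Kepion or OneLogin: it compares what that string accepts with what an exact-match pattern built from your Callback URL accepts. The example.com and example.net URLs and the helper names are constructed assumptions, and partial-match evaluation is assumed for the reason given in the code comment.

```python
import re

# Validator string exactly as given in the Configuration step above.
PAGE_VALIDATOR = (
    r"[-a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b"
    r"([-a-zA-Z0-9@:%_\+.~#?&//=]*)"
)


def exact_validator(callback_url: str) -> str:
    """Return an anchored pattern that matches only this callback URL."""
    if not callback_url.startswith("https://"):
        raise ValueError("expected an https:// callback URL")
    return "^" + re.escape(callback_url) + "$"


def accepts(pattern: str, acs_url: str) -> bool:
    """True if the pattern matches anywhere in acs_url (partial match).

    Partial matching is assumed: the page's pattern has no anchors and its
    first character class excludes "/", so it cannot span "https://".
    """
    return re.search(pattern, acs_url) is not None


def report(callback_url: str, candidates: list) -> dict:
    """Map each candidate URL to (accepted by page string, accepted by exact)."""
    strict = exact_validator(callback_url)
    return {u: (accepts(PAGE_VALIDATOR, u), accepts(strict, u)) for u in candidates}


if __name__ == "__main__":
    # Constructed sample values; substitute the Callback URL shown in Kepion.
    callback = "https://kepion.example.com/callback"
    samples = [
        callback,
        "http://kepion.example.com/callback",
        "https://other.example.net/acs",
        "https://kepion.example.com/callback.other.example.net",
    ]
    print("exact-match validator:", exact_validator(callback))
    for url, (loose, strict) in report(callback, samples).items():
        print(f"{url:55} page string: {loose!s:5} exact: {strict}")
```

Whether OneLogin's regex dialect accepts the escaped output unchanged is an assumption; test the pattern in the ACS (Consumer) URL Validator field before relying on it.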
Parameters
You now need to create two parameters for user identification: FullName and DisplayName.
1. Go to the Parameters tab and select the plus (+) icon.
2. Enter FullName and select the Include in SAML assertion checkbox.
3. Select Save.
4. Select Name from the Value dropdown and then select Save.
5. Repeat steps 1 to 4 but set the field name to DisplayName.
Access
Go to the Access tab to assign the OneLogin roles that should have access to Kepion.
You can also go to Users > All Users to add the app to individual user accounts.
Copy app metadata
You need to copy the SAML metadata that Kepion requires to complete the integration.
Tip: Ensure you have a text editor open to paste the metadata into.
1. Go to the SSO tab and select View Details.
2. Under X.509 Certificate, select Download.
3. Return to the SSO tab and select the Copy to Clipboard button for the Issuer URL and SAML 2.0 Endpoint (HTTP) fields.
Step 2: Configure Kepion
This step involves configuring Kepion to securely connect with your OneLogin app.
Tip: Have the Issuer URL, SSO URL and certificate from OneLogin ready.
Add identity provider
1. Go to the System module > Identity Providers.
2. Select Add.
3. Enter OneLogin and select OK.
Configure identity provider
Once an identity provider is created for OneLogin, you can start configuring it.
1. Go to OneLogin and select Edit.
2. Select Enable for sign-in.
3. Configure the following fields using the app metadata copied from OneLogin:
- Issuer URL
- Certificate
- SSO URL (the SAML 2.0 Endpoint (HTTP) value copied from OneLogin)
4. (Optional) Enter a number in hours for Session Timeout. If left empty, the session timeout is set to 168 hours (7 days).
Tip: Enter decimals if you need to set the session timeout to smaller units than hours (e.g., 7.5 hours for 7 hours and 30 minutes).
5. Select Save.
Next steps
You're all done! Ensure users test their Kepion access to verify you've configured SSO correctly.