Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add OneLogin entity descriptor URL instructions
Closes #24803 Show how to include the entity descriptor URL for OneLogin when configuring the authentication connector. In `tctl sso configure`, the flag is the same if you are using a URL or a local file. The current guide includes a separate H3 for downloading the XML file. This change uses a single set of numbered steps to make the instructions easier to follow.
- Loading branch information
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -25,69 +25,76 @@ to define policies like: | |
|
|
||
| ## Step 1/3. Create Teleport application in OneLogin | ||
|
|
||
| 1. In the OneLogin control panel's main menu navigate to **Applications** -> | ||
| **Add App**. Using the search box, select "SAML Custom Connector (SP | ||
| Shibboleth)": | ||
|
|
||
|  | ||
|
|
||
| 1. Define the new application: | ||
|
|
||
|  | ||
|
|
||
| You can find Teleport icons to upload from the following links: | ||
|
|
||
| - [Square Icon](../../../img/sso/onelogin/teleport.png) | ||
| - [Rectangular Icon](../../../img/sso/onelogin/[email protected]) | ||
|
|
||
| 1. From the application's **Configuration** page, set the following values: | ||
|
|
||
| <Admonition type="tip"> | ||
| Set <Var name="teleport.example.com:443" description="Your Teleport Proxy Service address and port, or cloud tenant." /> | ||
| here with your Teleport Proxy Service address and port, or Teleport Enterprise | ||
|
Check failure on line 47 in docs/pages/access-controls/sso/one-login.mdx
|
||
| Cloud tenant (e.g. `company.teleport.sh:443`) to fill out the values below. | ||
| </Admonition> | ||
|
|
||
| - **Login URL**: | ||
| - `https://`<Var name="teleport.example.com:443"/>`/web/login` | ||
| - **ACS (Consumer) URL**, **SAML Recipient**, **ACS (Consumer) URL Validator**, & **Audience**: | ||
| - `https://`<Var name="teleport.example.com:443"/>`/v1/webapi/saml/acs/onelogin` | ||
|
|
||
|  | ||
|
|
||
| 1. Teleport needs to assign groups to users. From the **Parameters** page, | ||
| configure the application with some parameters exposed as SAML attribute | ||
| statements: | ||
|
|
||
|  | ||
|
|
||
|  | ||
|
|
||
| <Admonition | ||
| type="warning" | ||
| title="Important" | ||
| > | ||
| Make sure to check `Include in SAML assertion` checkbox. | ||
| </Admonition> | ||
|
|
||
| 1. Add users to the application: | ||
|
|
||
|  | ||
|
|
||
| 1. Obtain SAML metadata for your authentication connector. Once the application | ||
| is set up, navigate to the the **More Actions** menu and find the **SAML | ||
| Metadata** option: | ||
|
|
||
|  | ||
|
|
||
| You can either left-click the option and download the XML document as a local | ||
| file or right-click the option and copy the link address. The Teleport Auth | ||
| Service either reads the provided document or queries the address to obtain | ||
| SAML metadata. We recommend copying the address so the Auth Service can use | ||
| the most up-to-date information. | ||
|
|
||
| ## Step 2/3. Create a SAML connector | ||
|
|
||
| Create a SAML connector using `tctl`. Update <Var name="xml-path"/> to the URL | ||
| of the XML document that you copied in the previous step. If you downloaded the | ||
| XML document instead, use the path to the XML metadata file: | ||
|
|
||
| ```code | ||
| $ tctl sso configure saml --preset onelogin \ | ||
| --entity-descriptor <Var name="xml-path"/> \ | ||
| --attributes-to-roles groups,admin,editor \ | ||
| --attributes-to-roles groups,dev,access > onelogin.yaml | ||
| ``` | ||
|
|
||
