This guide details the steps required to set up OneLogin and CSE TrustProvider to enable device registration and authentication for any SaaS application. Additionally, this guide covers how to add policy enforcement in CSE TrustProvider at the SaaS application level.
In the IDP-first authentication flow, you configure your OneLogin to federate authentication requests to CSE's TrustProvider component. CSE TrustProvider federates right back to OneLogin for user authentication but, because CSE is now in the authentication flow, it is able to enforce Zero Trust security policy.
CSE supports two types of IDP-first authentication flows for OneLogin:
1. Service Provider-initiated - End users launch the SaaS application directly.
2. Identity Provider-initiated - End users launch the SaaS application from the OneLogin catalog.
OneLogin currently cannot redirect the end user back to the intended SaaS application. The end user must click the SaaS application again from the OneLogin Portal.
Before proceeding with the setup steps below, please ensure you have:
About the screenshots and example values: The screenshots in this guide were captured in an example tenant. Wherever a URL, subdomain, or tenant identifier appears in an image or a code sample, substitute the value from your own environment: your OneLogin subdomain (for example, https://<your-subdomain>.onelogin.com) and your production CSE tenant URLs. Do not enter the example or lab values literally.
At a high level, configuring OneLogin IdP federation to CSE can be broken out into three phases:
Phase 1. Configure CSE as a OneLogin Trusted IDP
This phase establishes trust between OneLogin and CSE's TrustProvider.
| Step | Description |
|---|---|
| 1 | Configure OneLogin Trusted IdP |
| 2 | Configure CSE IDP-routed Service |
| 3 | Prepare your CSE-registered app details for OneLogin |
| 4 | Update OneLogin Trusted IdP Configuration |
Phase 2. Configure SP-initiated Access
This phase sets up all apps federated with OneLogin to use CSE TrustProvider for Zero Trust policy checks.
| Step | Description |
|---|---|
| 5 | Configure OneLogin SaaS Application |
Phase 3. Configure IdP-initiated Access
Phase 3 is only required if your end users will launch the SaaS application from the OneLogin application catalog.
This phase sets up applications launched from the OneLogin catalog to use CSE TrustProvider for Zero Trust policy checks.
| Step | Description |
|---|---|
| 6 | Configure Proxy SaaS Application |
| 7 | Assign Users to Application |
| 8 | Disable Original Application from OneLogin Catalog |
Step 1. Configure OneLogin Trusted IdP
1.1 In the OneLogin Admin Portal, navigate to Authentication > Trusted IdPs and then click New Trust.
1.2 Enter the Trust Provider name "CSE SAML Idp" and then click the green checkmark.
1.3 Navigate to the Settings tab and then copy the SP Entity Id, which you will use in the steps below.
Step 2. Configure CSE IDP-routed Service
2.1 In the CSE Command Center, navigate to Manage Services > SaaS Applications and then click + PUBLISH SAAS APPLICATION.
2.2 Select IDP Routed to route OneLogin authentication through CSE.
2.3 Enter the service details shown below.
https://<your-subdomain>.onelogin.com/access/idp (replace <your-subdomain> with your OneLogin subdomain)
2.4 Click Register.
2.5 Make note of the SaaS app Client configuration values shown in the Command Center, as you will use them in Step 4.1.
2.6 Also, copy the Metadata URL, paste it into your browser address bar and then press Enter to download the metadata XML file. You will use the information in this file to configure SSO in OneLogin.
Step 3. Prepare your CSE-registered App Details for OneLogin
3.1 Open the metadata XML file downloaded in Step 2.6 in your preferred text editor.
3.2 Locate and copy the X509Certificate string, and then paste it in a separate, new text editor file.
3.3 Format the string as a PEM certificate: add -----BEGIN CERTIFICATE----- as the first line and -----END CERTIFICATE----- as the last line, and then save it as a .pem file. You will upload this file in Step 4.1.
3.4 Also in the downloaded metadata XML file, locate and take note of the Location attribute of the <SingleSignOnService> element. You will enter this value in Step 4.1.
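Steps 3.1 through 3.4 can be scripted. The following is an added example, not code from the guide or from CSE/OneLogin: it parses a SAML IdP metadata file, pulls out the entityID, the SingleSignOnService Location and the X509Certificate, and writes the certificate as a correctly wrapped PEM file. The embedded metadata is a constructed sample (the entityID reuses the guide's example issuer; the SSO location and certificate body are placeholders), and the file name cse-idp.pem is an assumption.

```python
# Added example: extract the signing certificate and SSO location from
# SAML IdP metadata (the file downloaded in Step 2.6) and emit a PEM file.
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder certificate body: valid base64 length, not a real cert.
SAMPLE_CERT_B64 = "MIIB" + "A" * 60 + "B" * 48
# Constructed sample metadata; the SSO Location is a placeholder value.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://example.trust.banyanops.com/api/v1/saml_metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {SAMPLE_CERT_B64[:64]}
        {SAMPLE_CERT_B64[64:]}
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.trust.banyanops.com/api/v1/saml_sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Return (entityID, SingleSignOnService Location, bare base64 certificate)."""
    root = ET.fromstring(xml_text)
    cert = root.find(".//md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    sso = root.find(".//md:IDPSSODescriptor/md:SingleSignOnService", NS)
    if cert is None or sso is None:
        raise ValueError("metadata lacks X509Certificate or SingleSignOnService")
    raw = "".join(cert.text.split())  # metadata usually wraps the base64 with whitespace
    return root.get("entityID"), sso.get("Location"), raw

def to_pem(raw_b64):
    """Wrap bare base64 DER at 64 columns between the PEM header and footer."""
    base64.b64decode(raw_b64, validate=True)  # fail early if the copy was corrupted
    body = "\n".join(raw_b64[i:i + 64] for i in range(0, len(raw_b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    entity_id, location, raw = parse_idp_metadata(SAMPLE_METADATA)
    with open("cse-idp.pem", "w") as fh:  # assumed file name; upload it in Step 4.1
        fh.write(to_pem(raw))
    print("Issuer:", entity_id)
    print("SingleSignOnService Location:", location)
```

To use it on your real tenant, replace SAMPLE_METADATA with the contents of the downloaded file.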
Step 4. Update OneLogin Trusted IdP Configuration
4.1 Navigate to Settings and then update the following fields:
4.2 Click Save.
Step 5. Configure SaaS Application SSO
This step uses Slack as an example.
5.1 Log in to the Slack Admin Portal and then navigate to Settings & Permissions.
5.2 Select the Authentication tab and then click Change/Add Settings for SAML Authentication Settings.
5.3 Update the fields accordingly:
SAML SSO URL - This value is not copied directly from OneLogin. You build it so that OneLogin routes the sign-in through the CSE Trusted IdP. Use the following format:
{onelogin-domain}/access/initiate?iss={issuer}&target_link_uri={endpoint}
Replace each placeholder as described below:
| Placeholder | What to enter | Where to find it |
|---|---|---|
| {onelogin-domain} | Your OneLogin instance base URL, including https://. | For example, https://example.onelogin.com. |
| {issuer} | The Issuer value configured on the CSE Trusted IdP. | Authentication > Trusted IdPs > [CSE SAML Idp] > Settings > Configurations > Issuer. This is the CSE SaaS app Metadata URL you entered in Step 4.1. |
| {endpoint} | The OneLogin app's SAML 2.0 Endpoint (HTTP). | Applications > [your app, e.g. Slack] > SSO > SAML 2.0 Endpoint (HTTP). |
Append the {issuer} value to the ?iss= parameter, then add a &target_link_uri= parameter set to the {endpoint} value. URL-encode both the iss and target_link_uri values. A completed URL looks like this:
https://example.onelogin.com/access/initiate?iss=https%3A%2F%2Fexample.trust.banyanops.com%2Fapi%2Fv1%2Fsaml_metadata&target_link_uri=https%3A%2F%2Fexample.onelogin.com%2Ftrust%2Fsaml2%2Fhttp-post%2Fsso%2Fabcdef
Tip: After you save, validate the URL with a test sign-in. If OneLogin does not route through the CSE Trusted IdP, confirm that the iss value exactly matches the Trusted IdP Issuer and that both query-string values are URL-encoded.
Identity Provider Issuer - Enter the Issuer URL from the OneLogin app's SSO tab (Applications > [your app] > SSO).
Public Certificate - Enter the X.509 Certificate from the OneLogin app's SSO tab (Applications > [your app] > SSO > View Details).
Sign In Button Label - Enter "OneLogin".
5.4 Click Save Configuration to verify and complete SSO setup.
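The SAML SSO URL construction and the troubleshooting tip from Step 5.3, as an added example that is not part of the guide or of any CSE/OneLogin code: build_sso_url assembles and URL-encodes the iss and target_link_uri parameters, and check_sso_url decodes a URL back and reports the two mistakes the tip mentions (iss not matching the Trusted IdP Issuer, values not URL-encoded). The three constants are the guide's own example values.

```python
# Added example: build and sanity-check the Slack "SAML SSO URL" from Step 5.3.
from urllib.parse import urlencode, urlsplit, parse_qs

def build_sso_url(onelogin_domain, issuer, endpoint):
    """Return {onelogin-domain}/access/initiate?iss=...&target_link_uri=...
    urlencode percent-encodes both query values (':' -> %3A, '/' -> %2F)."""
    base = onelogin_domain.rstrip("/")
    if not base.startswith("https://"):
        raise ValueError("onelogin-domain must include https://")
    return f"{base}/access/initiate?" + urlencode(
        {"iss": issuer, "target_link_uri": endpoint})

def check_sso_url(url, trusted_idp_issuer, expected_endpoint):
    """Mirror the Step 5.3 tip: decode the query string and confirm that iss
    exactly matches the Trusted IdP Issuer and target_link_uri is the app's
    SAML 2.0 Endpoint. Returns a list of problems (empty when consistent)."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    problems = []
    if parts.path != "/access/initiate":
        problems.append(f"unexpected path {parts.path!r}")
    if qs.get("iss", [None])[0] != trusted_idp_issuer:
        problems.append("iss does not match the Trusted IdP Issuer")
    if qs.get("target_link_uri", [None])[0] != expected_endpoint:
        problems.append("target_link_uri does not match the app's SAML 2.0 Endpoint")
    # Raw, unencoded values leave a literal '://' inside the query string.
    if "://" in parts.query:
        problems.append("query values are not URL-encoded")
    return problems

# The guide's example values (Step 5.3); replace with your own tenant values.
ONELOGIN = "https://example.onelogin.com"
ISSUER = "https://example.trust.banyanops.com/api/v1/saml_metadata"
ENDPOINT = "https://example.onelogin.com/trust/saml2/http-post/sso/abcdef"

if __name__ == "__main__":
    url = build_sso_url(ONELOGIN, ISSUER, ENDPOINT)
    print(url)
    print("problems:", check_sso_url(url, ISSUER, ENDPOINT))
```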
Step 6. Configure Proxy SaaS Application
6.1 In OneLogin, navigate to Applications and then select Add App.
6.2 In the application catalog search box, enter SAML Custom Connector (Advanced), select that connector, and then click Save.
6.3 Navigate to the Info tab and then update the following fields:
6.4 Save.
6.5 Navigate to the Parameters tab and then add the redirectUrl and serviceId parameters:
For redirectUrl, select the plus icon, enter redirectUrl as the field name, and then click Save.
For serviceId, select the plus icon, enter serviceId as the field name, and then click Save.
6.6 Save, and then select Save again to update the parameters.
6.7 Navigate to the Configuration tab and complete the following fields using the SAML Proxy URL and Audience (Entity ID) values from the IDP Routed App in the CSE Command Center:
{:.alert.alert-warning} Verify before publishing: The exact field mapping above could not be confirmed against a live tenant. Confirm with an SME which IDP Routed App value belongs in each OneLogin field, and update this step accordingly.
6.8 Save.
Step 7. Assign Users to Application
7.1 In OneLogin, navigate to Users and then select a User.
7.2 Navigate to the Applications tab and then click the plus icon (+) to add a new Application.
7.3 Add the Slack and Slack proxy applications to the user.
7.4 Click Save User.
Step 8. Disable Original Application from OneLogin Catalog
8.1 Open the original (non-proxy) application, navigate to the Info tab, and then disable Visible in portal.
Passwordless authentication is recommended to provide an optimal user experience when accessing applications from CSE-registered devices. If Passwordless is not enabled, end users fall back to OneLogin's authentication methods.
Passwordless authentication with CSE leverages the fact that the trusted Device Certificate includes the user's email address in the UserPrincipalName SAN extension field.
When Passwordless is enabled, the device certificate presented during the device trust check is used to identify the user who is attempting to authenticate. The identified user is issued a TrustToken without entering a username and password. The user then proceeds through OneLogin's authentication configuration for the selected application, such as MFA.
1. Edit the existing CSE IDP Routed Service for OneLogin (Step 2.3).
2. Enable Passwordless Authentication.