License requirements:
SAML SSO is only supported on the Deployment Enterprise and Data Backup Enterprise tiers.
Note: SAML user accounts are new, distinct accounts and cannot be linked to existing accounts (e.g. Google or Salesforce logins). Org connections, jobs and other settings will need to be recreated on these accounts.
This article is specific to OneLogin; we also have more general documentation that can be applied to other providers.
Throughout this document we switch between the OneLogin Administration page and the Gearset Single sign-on settings page.
Go to the OneLogin Administration page and select Applications -> Applications from the top navigation bar.
Click Add App -> SAML Custom Connector (Advanced).
Give the app a name, for example Gearset App, and a description. You can also upload portal icons for this app. Then click Save.
Once saved, click Configuration on the left-hand side.
Configuration section
Before filling out this section, log in to Gearset and open the Gearset Single Sign-on settings page; we will be using the Login URL and Gearset Information sections there.
Now go back to the OneLogin App configuration section and fill in the fields using the table below.
Field | Value | Comments
RelayState | Leave blank | Gearset ignores an IdP-initiated RelayState
Audience (EntityID) | Copy and paste the Entity ID from the Gearset Information section |
Recipient | Copy and paste the Assertion Consumer Service (ACS) URL from the Gearset Information section |
ACS (Consumer) URL validator* | Copy and paste the ACS URL from the Gearset Information section |
ACS (Consumer) URL* | Copy and paste the ACS URL from the Gearset Information section |
Single Logout URL | Leave blank |
Login URL | Either leave blank or copy and paste the Login URL value from the Gearset Login URL section | Only used if you set SAML initiator to ServiceProvider
SAML not valid before | 3 | Minutes of clock skew tolerated before the assertion's validity window
SAML not valid after | 3 | Minutes of clock skew tolerated after the assertion's validity window
SAML initiator | OneLogin or ServiceProvider | Keep OneLogin for IdP-initiated login from the OneLogin portal. Change to ServiceProvider to be able to log in from Gearset
SAML nameID format | Leave as default | Gearset uses the NameID as the user's email (see the Parameters section)
SAML issuer type | Specific |
SAML signature element | Both |
Encrypt assertion | Unchecked | Gearset does not currently support encrypted assertions
SAML encryption method | Leave as TRIPLEDES-CBC | Default; not used while Encrypt assertion is unchecked
Send NameId Format in SLO Request | Unchecked | Gearset does not currently support SAML Single Logout. Log out via Gearset
Sign SLO Request | Unchecked | Gearset does not currently support SAML Single Logout. Log out via Gearset
Sign SLO Response | Unchecked | Gearset does not currently support SAML Single Logout. Log out via Gearset
SAML sessionNotOnOrAfter | 1440 | Leave this as default (minutes)
Parameters section
Next we can add parameters to the SAML response. These are the values from the Additional Attributes section under the Gearset Information section.
The NameID is used here, so keep it as the default Email.
The other attributes are optional; however, we recommend adding the display name.
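As an added example (not code from Gearset or OneLogin), the following Python shows the checks a SAML service provider makes on a Response produced with the settings above: Destination and Recipient against the ACS URL, Audience against the Entity ID, Issuer on both levels, the NotBefore/NotOnOrAfter window with the 3-minute tolerance, a signature on both Response and Assertion, no encrypted assertion, and an email-format NameID with a display-name attribute. The Entity ID, ACS URL, Issuer URL and the displayName attribute name are placeholders, the sample Response is constructed, and only signature presence is checked; verifying the XML signature against the pasted certificate needs an XML-DSig library.

```python
# Added example (not Gearset or OneLogin code): the checks a SAML service
# provider makes on a Response built with the settings in the table above.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Placeholders (assumptions) for the values copied from Gearset and OneLogin.
ENTITY_ID = "https://sp.example.test/saml/metadata"
ACS_URL = "https://sp.example.test/saml/acs"
IDP_ISSUER = "https://idp.example.test/saml/metadata"

# Constructed sample: signed Response and Assertion, unencrypted assertion,
# email NameID, validity window of 3 minutes either side of 12:00:00Z.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{ACS_URL}">
 <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
 <ds:Signature><ds:SignedInfo/></ds:Signature>
 <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <ds:Signature><ds:SignedInfo/></ds:Signature>
  <saml:Subject>
   <saml:NameID Format="{EMAIL_FORMAT}">alice@example.test</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2024-01-01T12:03:00Z"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:57:00Z" NotOnOrAfter="2024-01-01T12:03:00Z">
   <saml:AudienceRestriction><saml:Audience>{ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="displayName"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # when the sample is checked


def _ts(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_response(xml_text, now, entity_id=ENTITY_ID, acs_url=ACS_URL,
                   idp_issuer=IDP_ISSUER, skew=timedelta(minutes=3)):
    """Return the failed checks (empty list = accept). Only signature *presence* is
    checked; verifying the XML-DSig needs a library such as python3-saml/xmlsec."""
    problems = []
    root = ET.fromstring(xml_text)  # use defusedxml for untrusted input
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.get("Destination") not in (None, acs_url):  # ACS (Consumer) URL
        problems.append("Destination != ACS URL")
    if root.find("saml:EncryptedAssertion", NS) is not None:  # Encrypt assertion: Unchecked
        problems.append("assertion is encrypted (unsupported)")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return problems + [f"expected 1 assertion, found {len(assertions)}"]
    assertion = assertions[0]
    for label, node in (("Response", root), ("Assertion", assertion)):
        if node.find("ds:Signature", NS) is None:  # SAML signature element: Both
            problems.append(f"{label} is unsigned")
        if node.findtext("saml:Issuer", default="", namespaces=NS) != idp_issuer:
            problems.append(f"{label} Issuer != OneLogin Issuer URL")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:  # Audience (EntityID)
        problems.append("Audience does not include Entity ID")
    cond = assertion.find("saml:Conditions", NS)  # not valid before/after, plus skew
    if cond is not None:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")) - skew:
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")) + skew:
            problems.append("assertion expired")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/"
                         "saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:  # Recipient
        problems.append("Recipient != ACS URL")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)  # NameID = Email
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID missing or not emailAddress format")
    return problems


def extract_identity(xml_text):
    """NameID plus attributes (e.g. display name) from an already-checked response."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "attributes": attrs}
```

check_response(SAMPLE_RESPONSE, SAMPLE_NOW) returns an empty list for the sample as built. Passing a different acs_url or entity_id, a now outside the window, or a Response with one of the signatures removed returns the corresponding failure, which is the same class of mismatch that produces a failed login when a table value above is pasted incorrectly. In production, parse untrusted XML with defusedxml and verify the signature cryptographically against the certificate pasted into Gearset.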
SSO Section
OneLogin will pre-populate the X.509 Certificate with the Default certificate set under Security -> Certificates on the top navigation menu.
You can change the certificate used by selecting Change and choosing the required certificate from the drop-down list.
When you have selected the desired certificate, right-click View details, open it in a new tab/window and copy the X.509 Certificate.
If you need to create a new certificate, follow the instructions given by OneLogin: Add new certificate.
Open the Single Sign-on settings page in Gearset and navigate down to the Identity Provider section. Click the Edit configuration button and paste the certificate into the certificate field.
Map the other Identity Provider fields:
OneLogin SSO setting | Gearset Identity Provider setting
Issuer URL | Issuer URL
SAML 2.0 Endpoint (HTTP) | Identity Provider Single sign-on URL
(Screenshots: OneLogin SSO settings and Gearset Identity Provider settings)
Click the Save configuration button.
The Algorithm field shows the algorithm used in the supplied certificate. Make sure you select the value for SAML Signature Algorithm that matches the algorithm used in the certificate; if the two do not match, you will be unable to log in to Gearset.
Save the application in OneLogin.
You need to assign users to the app before they can log in and before it will show in their portal.