SAML Single Sign On Configuration – OneLogin
MyWorkDrive OneLogin SAML Overview
Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, specifically – between an identity provider and a service provider. As its name implies, SAML is an XML-based markup language for security assertions (statements that service providers use to make access-control decisions).
MyWorkDrive Server 5.0 supports SAML based Web File Manager Single Sign On (SSO) in addition to ADFS (which is configured separately). For SAML, MyWorkDrive acts as a Service Provider (SP) while OneLogin acts as the identity provider (IdP).
This document describes the streamlined MyWorkDrive integration with OneLogin, available starting with version 5.2. For version 5.0, or to configure SAML manually, see our manual SAML configuration article.
MyWorkDrive OneLogin SAML Setup
MyWorkDrive is listed as an approved enterprise application in OneLogin.
Note that the instructions below are streamlined: starting with MyWorkDrive Server version 5.2, you can simply enter the “Issuer URL” from the OneLogin App Configuration details to automatically configure MyWorkDrive for OneLogin single sign-on.
Prerequisites
- A OneLogin account with Administrator privileges.
- Ensure users have a UPN suffix applied for the domain name that matches their OneLogin login name, so they can log in to your MyWorkDrive server with their email address.
- Ensure the MyWorkDrive server is trusted for delegation as per our Delegation Article.
- Set up your own public SSL certificate and hostname pointing to your MyWorkDrive server over port 443 (SSL) (using our *.myworkdrive.net domain is not supported) and ensure your server is publicly accessible (note that reverse proxies that rewrite URLs will not work). View Support Article.
Identity Provider Configuration
- Log in to OneLogin.
- Click the Administration option.
- Click APPS and then the Add Apps shortcut.
- In the search field, enter SAML and then select MyWorkDrive.
- Specify the Display Name, set your icons, and click Save.
Note that if you use a different display name from “MyWorkDrive”, you will need to change the default name in the Enterprise Settings of your MyWorkDrive.
- In the Configuration tab, specify the Domain.
Note that Cloud Web Connector proxy domains (*.myworkdrive.net) are not compatible with SAML providers and you must use a direct connection, as described in the Prerequisites section.
- In the Parameters tab, verify it is set as shown below.
- In the SSO tab, change the SAML Signature Algorithm to SHA-256, then use the copy icon for the Issuer URL to copy the OneLogin Metadata URL. You will paste this into MyWorkDrive Server during the Server Setup process. Click Save.
Remember to add users to your App in OneLogin. From the main menu click on Users, then find the users or groups you wish to assign access permissions.
If assigning by User, click on the User to get details, then click on Applications.
Click the + and search for MyWorkDrive.
Make sure that Enabled is checked and that the NameID is correct (when appropriate).
With users assigned, you should now proceed to MyWorkDrive Server Configuration.
MyWorkDrive Server Configuration
The following instructions are updated for MyWorkDrive 5.2. If you are using a prior version of MyWorkDrive, please see our manual SAML configuration article here or upgrade to MyWorkDrive 5.2 or later.
- Log in to the MyWorkDrive server
- Click on the Enterprise tab from the menu
- Enable SAML/ADFS SSO at the top of the Enterprise options page.
- This will open the SAML/ADFS SSO options panel. From the drop-down, choose OneLogin SAML.
- In the “Identity Provider Metadata URL” box, paste the Issuer URL that you copied during the OneLogin setup earlier.
- Optionally enable Require SSO Login in browsers. This will require users to log in through OneLogin on the Web client. SSO login is also supported in Mobile and Mapped Drive Desktop clients 5.2 and greater.
Remember to click Save when complete. The save process may take slightly longer than normal because the MyWorkDrive server connects to the OneLogin Metadata URL and downloads the configuration.
Proceed to testing your new OneLogin SAML SSO login.
Test OneLogin initiated SSO
- Log in to OneLogin.
- From the applications menu, click on MyWorkDrive. If MyWorkDrive is not listed, go back to the User Assignment step above and assign users as appropriate.
- After successful login, you are automatically redirected to the MyWorkDrive server.
- Browse to the URL of your MWD site (or go specifically to the SAML URL if you do not have browser SSO required – /Account/Login-SAML.aspx, for example https://MWDserver.yourdomain.com/Account/Login-SAML.aspx), and you will be automatically redirected to OneLogin.
Log in to OneLogin using your credentials and you will be automatically logged in to MyWorkDrive.
Your MyWorkDrive OneLogin SAML SSO Configuration is now complete.
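To confirm that the SHA-256 setting from the SSO tab and the UPN/NameID match from the prerequisites took effect, the following added example (not MyWorkDrive or OneLogin code) inspects the base64 `SAMLResponse` value from a test login you captured yourself. The sample responses, the `example.com` suffix and the function names are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SHA1_SIG = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SHA1_DIGEST = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256_SIG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256_DIGEST = "http://www.w3.org/2001/04/xmlenc#sha256"


def audit_saml_response(b64_response, upn_suffix):
    """Inspect a SAMLResponse you captured yourself; returns a list of findings.

    This reads the declared algorithms and the NameID only. It does not verify
    the signature, so it is a configuration check, not a validator.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    findings = []
    sig_methods = root.findall(".//ds:SignatureMethod", NS)
    if not sig_methods:
        findings.append("no ds:SignatureMethod found: response is unsigned")
    for el in sig_methods:
        if el.get("Algorithm") != SHA256_SIG:
            findings.append(f"signature algorithm is {el.get('Algorithm')}")
    for el in root.findall(".//ds:DigestMethod", NS):
        if el.get("Algorithm") != SHA256_DIGEST:
            findings.append(f"digest algorithm is {el.get('Algorithm')}")
    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id.lower().endswith("@" + upn_suffix.lower()):
        findings.append(f"NameID {name_id!r} does not end with @{upn_suffix}")
    return findings


def build_sample(sig_alg, digest_alg, name_id):
    """Constructed response skeleton (placeholder signature, not a real login)."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <saml:Assertion>
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="{sig_alg}"/>
      <ds:Reference><ds:DigestMethod Algorithm="{digest_alg}"/></ds:Reference>
    </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()
```

An empty list means the response declares RSA-SHA256 with SHA-256 digests and the NameID carries the expected UPN suffix; any finding points back to the SSO tab setting or the user's UPN.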
If shares are missing from the folder list when logging in via the SAML provider, the cause is missing or incorrect server delegation settings. Please ensure the MyWorkDrive server is trusted for delegation as per our Delegation Article.