Objective
Configure OneLogin and 8x8 Admin Console for SAML 2.0 SSO user login.
At this time, OneLogin active user sync (SCIM) to 8x8 is not supported.
Applies To
- OneLogin identity management
- 8x8 Admin Console
- SAML 2.0 SSO
Procedure
You'll need to perform the following as an admin of both OneLogin and 8x8 Admin Console.
- Add the 8x8 Application to OneLogin
- Set Up Identity Management in 8x8 Admin Console
- Configure a User in 8x8 Admin Console for SSO Login
- 8x8 Work for Desktop SSO Login Process
Add the 8x8 Application to OneLogin
- From Applications in OneLogin, select Add App.
- Find and select the 8x8 app (SAML 2.0, form-based auth).
- In App Listing > Configuration, you can change the Display Name for the app, if needed.
- Scroll down to the bottom of the same App Listing page and confirm that Connectors is set to SAML 2.0.
- Scroll back to the top and select Save.
- More options will be displayed for the 8x8 app after saving. Select SSO.
- Copy the URLs from the following fields (or return to this window later). You’ll need them later, during configuration of your 8x8 Admin Console account.
  - Issuer URL
  - SAML 2.0 Endpoint (HTTP)
  - SLO Endpoint (HTTP)
- Select View Details for your certificate, or right-click on the link and select Open link in a new tab. If you already have your OneLogin certificate in PEM format, you can skip this part. Either way, you'll need your certificate file later.
- If needed, scroll down the Certificates page, select the appropriate PEM-formatted certificate, and select Download.
- Save your certificate for later upload to 8x8 Admin Console.
Next, you'll add the new 8x8 app to users, to allow them access to 8x8 applications that require authentication. If this procedure is performed using some other method in OneLogin – such as bulk edit or Roles – you can ignore these next steps, and perform that operation instead.
- Select Users. For single users, select a user and select the plus sign icon.
- Select the 8x8 application you just added and select Continue.
- Make a note of the NameID and select Save. The user's NameID will need to be applied to the specific 8x8 user profile in 8x8 Admin Console, which is covered later in this article.
- You should now see the 8x8 application assigned to the user you’ve modified. Select Save User.
- Continue with the next steps below to make the required changes to your 8x8 Admin Console account.
Set Up Identity Management in 8x8 Admin Console
- Log in to 8x8 Admin Console.
- Select Identity and Security.
- Toggle Single Sign-On (SSO) on to enable it. Note that 8x8 supports only one ID management app per account.
- Toggle off the 8x8 Authentication option only if you want to prevent users from authenticating with 8x8 Work credentials.
  - Doing this will allow only the SAML SSO identity provider credentials to be used.
  - Keep the 8x8 Authentication option on if users should be allowed to use both authentication methods.
- Under Select Your Identity Provider, select Other SAML SSO Provider. The screen will expand with more configuration options.
- In SAML SSO Provider Information > SAML SSO Provider Name, enter a label you want for this SSO provider.
- Match the 8x8 fields with the OneLogin URL information you collected earlier, and add the OneLogin URLs into the appropriate fields in SAML Settings.
  8x8 field > OneLogin field
  IDP Login URL > SAML 2.0 Endpoint (HTTP)
  IDP Issuer URL/URN > Issuer URL
  IDP Logout URL > SLO Endpoint (HTTP)
- In Certificate in use, select Click to attach a certificate file and choose the OneLogin certificate you downloaded earlier. The file name of the certificate will appear in the field. Note that this field requires a file extension other than .pem. If needed, simply rename the .pem file extension to .cert before you upload the file.
- Finally, select Save at the bottom of the page. You should see a green confirmation banner for a few seconds at the top of the screen.
- Continue with the next steps below to make the necessary changes to your 8x8 users in Admin Console.
Important! If after saving you find that you’ve made a mistake with the certificate, just toggle the Single Sign-On (SSO) option off and select Save to clear out the SSO information. Then follow the above process again with the correct information. The URLs can be edited without clearing the entire SSO configuration.
Configure a User in 8x8 Admin Console for SSO Login
- In 8x8 Admin Console, select Home > Users.
- Search for the user you’re configuring, and select the pencil icon to edit the user.
- Scroll down to Single Sign-On (SSO) and add the user’s OneLogin NameID to the Federation ID field. Note: This field only appears after an identity provider is configured in Identity Management.
- Select Save.
- You should then see a green confirmation banner at the top of the screen for a few seconds.
This completes the 8x8 Admin Console configuration of OneLogin. Your configured users should now be able to log into 8x8 applications such as Work for Desktop. A brief example of the login process is shown below.
8x8 Work for Desktop SSO Login Process
This login process may vary, depending on the OneLogin administrator’s configuration of that service.
- First, launch 8x8 Work for Desktop on your PC.
- Enter the OneLogin NameID of the assigned user into the 8x8 Username or Email field and select Continue.
- Select Log in using SSO.
- In the OneLogin Username field, enter the NameID of the assigned user.
- Enter the user’s OneLogin Password and select Continue.
- This will complete the login to 8x8 Work for Desktop.
Other login options and login persistence may be available depending on the OneLogin administrator’s configuration of that service.
Login Issues
Invalid SAML Profile
If users receive the error "Invalid SAML profile error: No valid certificate found" when attempting to log in to an 8x8 app, the OneLogin certificate applied to the SSO setup in 8x8 Admin Console was probably not a PEM certificate, or a certificate was never added.
If the certificate was never added, add it to the 8x8 SSO configuration and save the configuration again.
The OneLogin X.509 PEM certificate seems to work best with this service.
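A pre-upload check for the certificate file, covering both the certificate upload step and the "No valid certificate found" error above. This is an added example, not 8x8 or OneLogin code: it checks only the file's shape (exactly one PEM CERTIFICATE block wrapping a DER structure), and the function names and the sample certificate are constructed for illustration.

```python
import base64, binascii, hashlib, re
from pathlib import Path

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_is_one_sequence(der: bytes) -> bool:
    """True if the bytes are exactly one ASN.1 SEQUENCE, the outer shape of X.509."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short-form length
        header, length = 2, der[1]
    else:                                  # long-form length
        n = der[1] & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)

def inspect_idp_cert(data: bytes) -> dict:
    """Classify a downloaded file; fingerprint it if it is a single PEM certificate."""
    if der_is_one_sequence(data):
        return {"ok": False, "reason": "binary DER file, not PEM text"}
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return {"ok": False, "reason": "not ASCII text, so not PEM"}
    blocks = PEM_BLOCK.findall(text)
    labels = [label for label, _ in blocks]
    if labels != ["CERTIFICATE"]:          # catches key files, bundles, PKCS#7
        found = ", ".join(labels) or "none"
        return {"ok": False, "reason": f"need exactly one CERTIFICATE block, found: {found}"}
    try:
        der = base64.b64decode("".join(blocks[0][1].split()), validate=True)
    except binascii.Error:
        return {"ok": False, "reason": "PEM body is not valid base64"}
    if not der_is_one_sequence(der):
        return {"ok": False, "reason": "decoded body is not a DER certificate structure"}
    return {"ok": True, "sha256": hashlib.sha256(der).hexdigest()}

def upload_name(path: str) -> Path:
    """Name to upload under: the article says the field rejects the .pem extension."""
    p = Path(path)
    return p.with_suffix(".cert") if p.suffix.lower() == ".pem" else p

# Constructed sample: a DER-shaped placeholder, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(inspect_idp_cert(SAMPLE_PEM), upload_name("onelogin.pem"))
```

Before uploading, compare the SHA-256 fingerprint it returns with the one OneLogin shows for the certificate, if it displays one.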
We Could Not Verify Your SSO Account
If users see this error when attempting to log in, the configuration in either OneLogin or 8x8 Admin Console could be incorrect, and should be reviewed and corrected as needed.
If the applications are correctly configured, then the 8x8 user profile in Admin Console is not configured correctly.
To correct the user configuration issue, verify that the Admin Console user profile in Home > Users has the correct OneLogin NameID applied to the Single Sign-On > Federation ID field.
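To check the Federation ID against what OneLogin actually sends, the following added example (not 8x8 or OneLogin code) reads the Issuer and NameID from a SAMLResponse value captured in the browser's network tools during a test login and compares them with the values entered in Admin Console. The function names and the sample response are constructed, delivery of SAMLResponse as a base64 form field (HTTP-POST binding) is assumed, and because the page does not say whether 8x8 treats case as significant, a case-only difference is reported separately.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def read_assertion_ids(saml_response_b64: str) -> dict:
    """Extract Issuer and NameID from a base64 SAMLResponse.
    Diagnostic only: the signature is NOT verified here."""
    xml = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        # SAML messages carry no DTD; refuse rather than expand entities.
        raise ValueError("DTD or entity declaration found; refusing to parse")
    root = ET.fromstring(xml)
    return {
        "issuer": root.findtext(".//saml:Assertion/saml:Issuer", namespaces=NS),
        "name_id": root.findtext(".//saml:Assertion/saml:Subject/saml:NameID",
                                 namespaces=NS),
    }

def compare_with_8x8(saml_response_b64: str, federation_id: str,
                     idp_issuer_url: str) -> list:
    """Return a list of findings; an empty list means both values match exactly."""
    ids = read_assertion_ids(saml_response_b64)
    findings = []
    if ids["issuer"] != idp_issuer_url:
        findings.append(f"Issuer {ids['issuer']!r} != IDP Issuer URL/URN {idp_issuer_url!r}")
    name_id = ids["name_id"]
    if name_id is None:
        findings.append("no readable NameID (assertion missing or encrypted)")
    elif name_id != federation_id:
        if name_id.strip().lower() == federation_id.strip().lower():
            findings.append("NameID and Federation ID differ only in case or whitespace")
        else:
            findings.append(f"NameID {name_id!r} != Federation ID {federation_id!r}")
    return findings

# Constructed sample response; the issuer URL and user are placeholders.
SAMPLE_ISSUER = "https://idp.example.com/saml/metadata/0000"
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Issuer>{SAMPLE_ISSUER}</saml:Issuer>
    <saml:Subject><saml:NameID>Jane.Doe@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    print(compare_with_8x8(SAMPLE_RESPONSE, "jane.doe@example.com", SAMPLE_ISSUER))
```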