SearchStax Site Search lets customers set up OneLogin Single Sign-On (SSO), so your users can log in with a single ID and password that works across multiple software systems.
Note: This is an optional feature that you can add to your SearchStax account. Contact SearchStax for details.
We use the open standard Security Assertion Markup Language (SAML) to allow identity providers (IdP) to pass authorization credentials to service providers (SP). This page provides instructions for using OneLogin to implement SSO for SearchStax.
Instructions
Once SearchStax enables SSO for your account and you set up a domain, the SSO options appear in the My Profile screen of the My Account menu:
The Set Up Single Sign-On button opens a screen with configuration URLs and feature options. You'll need to refer to this screen while setting up the SSO profile with the Identity Provider.
This screen contains the following fields and options:
- Assertion Consumer Service (ACS) URL: Note that the URL includes your SSO domain (called mydomain in the following discussion).
- Metadata URL: SearchStax metadata endpoint.
- Enable Checkbox: Check this to enable SSO for this account.
- Assertion Responses Signed: Use the drop-down list to indicate whether assertions and/or responses should be signed.
- Allow Email Password Login Checkbox: Check this to permit login by email/password in addition to SSO.
- Auto Create Users Checkbox: Check this to create a new user account the first time a user logs in.
- IDP Entry URL: Identity provider URL.
- Metadata URL: The SAML 2 Metadata URL.
- Sign-In URL: The URL used for signing into the SAML Identity Provider.
- Sign-Out URL (Optional): The URL shown after a successful sign-out.
OneLogin Setup
- Go to the OneLogin administration dashboard and select the Applications drop-down. Select Add App in the top right corner:
- Search for "SAML Custom Connector (Advanced)" and select the application:
- Enter a display name for the custom SearchStax application – something like "SearchStax". You can customize the icon as well, then click Save in the top right corner:
- This creates a new Application in your user dashboard. Go back to the applications tab in the administration dashboard and select your newly created application. You'll see some new tabs on the left. Select the Configuration Tab:
- Use this tab to configure the SSO application with the information from your SearchStax dashboard. Since we used "mycompany" as our subdomain, we'll continue to use that here as well. Enter the provided metadata URL in the Audience (EntityID) box:
- Enter the provided ACS URLs into the Recipient, ACS Validator, and ACS URL boxes:
- Enter the Login URL into the Login URL Box:
- Make sure your settings match what's shown below. Use SP initiated with a Persistent nameID. Sign both the assertion and response, then click Save in the top right:
- Select the Parameters tab on the left. We expect Email, First Name, and Last Name to be passed, so your parameters should match the box below. You can also pass a "role" parameter. If you don't have a mapping for SearchStax roles, you can leave it as is. Users are created with Team Member as the default role. You can change these roles later from the Managed Search Dashboard:
- Next, click the SSO tab on the left. Note the Issuer URL and the SAML 2.0 Endpoint.
You'll enter these values in the Managed Search dashboard as shown below. Click Save Settings when finished:
The steps above show how to integrate SSO with your OneLogin instance.
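Before the first test login, you can check a decoded SAML response from OneLogin against the settings chosen in the steps above. The following is an added example, not SearchStax or OneLogin code: the function name, the sample URLs, and the attribute names (taken from the labels on the Parameters tab) are assumptions, and the check is structural only, so it does not verify signatures.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# Assumed attribute names; use the names shown on your Parameters tab.
REQUIRED_ATTRS = {"Email", "First Name", "Last Name"}

def lint_response(xml_text, audience, acs_url):
    """List mismatches between a decoded SAML Response and the settings above.
    Structural check only: it does NOT verify the signatures."""
    root = ET.fromstring(xml_text)
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return ["no plaintext Assertion element"]
    problems = []
    if root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed")
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed")
    name_id = assertion.find("a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID format is not persistent")
    audiences = [e.text for e in assertion.findall(".//a:Audience", NS)]
    if audience not in audiences:
        problems.append("Audience does not match the SP metadata URL")
    data = assertion.find(".//a:SubjectConfirmationData", NS)
    if data is None or data.get("Recipient") != acs_url:
        problems.append("Recipient does not match the ACS URL")
    names = {a.get("Name") for a in assertion.findall(".//a:Attribute", NS)}
    problems += [f"missing attribute: {n}" for n in sorted(REQUIRED_ATTRS - names)]
    return problems

# Constructed sample: placeholder URLs, empty Signature elements, no Last Name.
AUD = "https://sp.example.test/metadata"
ACS = "https://sp.example.test/acs"
SAMPLE = f"""<p:Response xmlns:p="{NS['p']}" xmlns:a="{NS['a']}" xmlns:ds="{NS['ds']}">
<ds:Signature/><a:Assertion><ds:Signature/>
<a:Subject><a:NameID Format="{PERSISTENT}">u1</a:NameID><a:SubjectConfirmation>
<a:SubjectConfirmationData Recipient="{ACS}"/></a:SubjectConfirmation></a:Subject>
<a:Conditions><a:AudienceRestriction><a:Audience>{AUD}</a:Audience>
</a:AudienceRestriction></a:Conditions><a:AttributeStatement>
<a:Attribute Name="Email"/><a:Attribute Name="First Name"/>
</a:AttributeStatement></a:Assertion></p:Response>"""

if __name__ == "__main__":
    print(lint_response(SAMPLE, AUD, ACS))
```

Pass the metadata URL and ACS URL from your SearchStax SSO screen as `audience` and `acs_url`; an empty list means the response matches the settings.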
Login Using SSO
The Site Search sign-in screen provides a button at the bottom for SSO – "Sign-In With your ID Provider." Click this button.
Enter the domain that was set up for the client.
Click Continue. You'll be taken to the OneLogin Sign-in page. After you authenticate, you'll be returned to your Site Search Dashboard.
Alternatively, you can go directly to https://.searchstax.com to log in. Clicking "Sign-In With your ID Provider" takes you directly to OneLogin.
SSO + Two-Factor Authentication
A user can have both SSO and Two-Factor authentication set up. The 2FA settings for a user apply to all accounts that the user can access.
However, for the account with SSO enabled, SearchStax 2FA settings don't apply. Instead, set up 2FA at the SSO Provider.