OneLogin SSO
Files.com supports SSO integrations with OneLogin using the SAML protocol.
Adding Files.com in OneLogin
After logging in to your OneLogin account as an administrator, navigate to Applications, click the Add App button, then search for SAML Test Connector (IdP) and select it.
Enter the Display Name, and click Save.
Click Configuration in the left pane, and enter the following values:
Parameter | Value |
---|---|
RelayState (optional) | [SUBDOMAIN].files.com (replace [SUBDOMAIN] with your Files.com subdomain) |
Audience | https://app.files.com/saml/metadata |
Recipient | https://app.files.com/saml/consume |
ACS (Consumer) URL Validator | https://app.files.com/saml/consume |
ACS (Consumer) URL | https://app.files.com/saml/consume |
Click Save at the top right to save these changes. Next, click SSO and click View Details under X.509 Certificate.
Change SHA Fingerprint from SHA1 to SHA256 and click Save.
Lastly, copy the SHA256 fingerprint, Issuer URL, SAML 2.0 Endpoint (HTTP), and SLO Endpoint (HTTP) so you can enter these when adding OneLogin in Files.com.
Adding OneLogin in Files.com
In the Add provider form, enter Display Name, leave the Metadata URL field empty, and enter the following values copied from OneLogin:
Input the SHA256 fingerprint from OneLogin into the corresponding SHA256 certificate fingerprint field, enter the Issuer URL from OneLogin into the designated field, input the SAML 2.0 Endpoint (HTTP) from OneLogin into the SSO endpoint field, and enter the SLO Endpoint (HTTP) from OneLogin into the designated SLO endpoint field.
Lastly, click the Save button to apply the change.
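The fingerprint pasted into the SHA256 certificate fingerprint field can be checked against the certificate itself before you rely on it. The following is an added example, not Files.com or OneLogin code: it assumes you have saved the certificate shown under X.509 Certificate as PEM text, and it flags a 40-digit SHA1 value left over from the default setting. The function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    found = PEM_BLOCK.search(pem)
    if not found:
        raise ValueError("no PEM certificate block found")
    # PEM line wrapping varies, so drop all whitespace before decoding.
    return base64.b64decode("".join(found.group(1).split()), validate=True)

def sha256_fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding, as colon-separated uppercase hex."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fingerprint: str) -> str:
    """Strip colons, dashes and whitespace; lowercase; require hex only."""
    value = re.sub(r"[\s:-]", "", fingerprint).lower()
    if not re.fullmatch(r"[0-9a-f]+", value):
        raise ValueError("fingerprint contains non-hex characters")
    return value

def check_fingerprint(pasted: str, pem: str) -> str:
    """Classify a pasted fingerprint as 'match', 'mismatch' or 'sha1'."""
    value = normalize(pasted)
    if len(value) == 40:   # 160 bits: the SHA1 setting was left in place
        return "sha1"
    if len(value) != 64:   # SHA-256 is 256 bits = 64 hex digits
        raise ValueError("expected 64 hex digits for a SHA-256 fingerprint")
    return "match" if value == normalize(sha256_fingerprint(pem)) else "mismatch"

# Constructed stand-in bytes, NOT a real certificate: only the hashing path is
# exercised. Replace SAMPLE_PEM with the certificate text saved from OneLogin.
SAMPLE_DER = bytes(range(256)) * 3
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    shown = sha256_fingerprint(SAMPLE_PEM)
    print(shown)
    print(check_fingerprint(shown.replace(":", "").lower(), SAMPLE_PEM))
```

A result of mismatch means the value in Files.com does not belong to the certificate you saved, so recopy it from OneLogin before troubleshooting anything else.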
Note that you can also use more than one OneLogin instance or app connected to your Files.com site.
The OneLogin SSO method will now be available when assigning an authentication method for a user in Files.com, and the Sign in with OneLogin button will be displayed on your site's login page.
It is strongly recommended to keep at least one site administrator with the password option as the authentication method, rather than assigning all to SSO, to prevent being locked out of Files.com in case of IdP or SSO issues.
Provisioning Users Automatically
There are two ways to automatically provision users via OneLogin.
SCIM Provisioning
SCIM Provisioning is a standard that allows your Users to be automatically provisioned in Files.com from OneLogin. Input the following settings into OneLogin for SCIM:
Field | Value |
---|---|
SCIM connector base URL | https://app.files.com/api/scim |
Authentication Mode | Basic Auth |
Basic Auth Username and Password | Enter a username and password of your choosing |
The username and password entered for Basic Auth will also need to be added as the SCIM username and password in Files.com. Type SSO Providers in the search box at the top of every page and then click on the matching result. Locate your OneLogin provider entry and edit it to set Enable automatic user provisioning via SCIM? to Basic.
After setting the above, your OneLogin users assigned to the Files.com application in OneLogin will be provisioned to Files.com and should be able to log in to Files.com via SSO.
Files.com offers numerous configuration options for SCIM provisioning, detailed in the Configuration Options section under our SCIM provisioning documentation.
Just-In-Time (JIT) Provisioning
JIT Provisioning operates by generating user records on Files.com upon their initial successful login. While this method is simpler than SCIM, it does have limitations. For instance, JIT can provision users but lacks the ability to delete or disable them. Files.com will automatically use Just-In-Time (JIT) Provisioning if you don't set up SCIM.