OneLogin Authentication


OneLogin authentication allows you to use single sign-on (SSO) through the OneLogin SAML 2.0 identity provider.


The first step to setting up SSO with OneLogin is to create a new application icon in OneLogin named Pacific Timesheet. Search the catalog for Pacific Timesheet and use that to create the new application. Make sure you enter your subdomain, e.g. "xyz". This comes from your Pacific Timesheet application URL, e.g. https://xyz.pacifictimesheet.com.


Once you have created the Pacific Timesheet application icon in OneLogin you must then configure the security settings in Pacific Timesheet. First, find the values you need to enter into Pacific Timesheet by going to the OneLogin > Apps page. Locate and click the Pacific Timesheet application you created above, then go to the SSO panel. Enter the following information into Pacific Timesheet on the System > Security page:


Property: Name
Description: This is the name used in the login button on the Pacific Timesheet login page.

Property: Issuer URL
Description: The value from OneLogin, for example: https://app.onelogin.com/saml/metadata/439734

Property: SAML 2.0 Endpoint (HTTP)
Description: The value from OneLogin, for example: https://xyz.onelogin.com/trust/saml2/http-post/sso/439734

Property: Certificate
Description: The OneLogin X.509 security certificate. You can specify a primary certificate and, optionally, a secondary certificate. When a login request is authenticated the primary certificate is tried first; if that fails, the secondary certificate is used. You would typically provide a secondary certificate a few days or weeks before the primary one expires so that access to the application is not lost when the primary certificate expires. Once the primary certificate has fully expired, replace it with the secondary certificate at your earliest convenience, then clear the secondary certificate field.

Note that the X.509 certificate should be in PEM format, meaning it should start with the header line -----BEGIN CERTIFICATE----- and end with the footer line -----END CERTIFICATE-----.

Property: Logging
Description: Check this option to help troubleshoot authentication failures. Errors are logged to the System Event Log and can be viewed with the Reports > System Event Log report. For self-hosted systems you can also view detailed information in the log files located in the <PacificTimesheet>/tomcat/logs directory.
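The two certificate rules above (PEM framing with the BEGIN/END lines, and primary-then-secondary fallback during rotation) are easy to get wrong when a certificate is pasted in. The following Python is an added example, not Pacific Timesheet's or OneLogin's code: it checks the PEM framing, computes the SHA-256 fingerprint an administrator can compare against the value shown in the identity provider's console, and applies the fallback order. The SAML signature check itself is represented by a hypothetical `verify` callable (the stub here only compares fingerprints), and the two "certificates" are constructed placeholder bodies rather than real X.509 data.

```python
import base64
import hashlib
import re

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def parse_pem_certificate(pem: str) -> bytes:
    """Enforce the PEM framing the page asks for and return the DER bytes.

    Raises ValueError when the header or footer line is missing, when the
    field is empty, or when the body is not valid base64.
    """
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    if not lines or lines[0] != PEM_HEADER:
        raise ValueError("certificate must start with " + PEM_HEADER)
    if len(lines) < 3 or lines[-1] != PEM_FOOTER:
        raise ValueError("certificate must end with " + PEM_FOOTER)
    body = "".join(lines[1:-1])
    if not re.fullmatch(r"[A-Za-z0-9+/=]+", body):
        raise ValueError("certificate body contains non-base64 characters")
    # validate=True makes stray characters an error instead of being skipped.
    return base64.b64decode(body, validate=True)


def fingerprint_sha256(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of the DER certificate bytes,
    the form identity provider consoles typically display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def verify_with_fallback(assertion, primary_pem, secondary_pem, verify):
    """Apply the page's order: the primary certificate is tried first, and the
    secondary (if configured) only when the primary does not verify.
    Returns "primary", "secondary", or None when neither accepts the assertion.
    `verify(assertion, der_bytes) -> bool` is a hypothetical signature check."""
    for label, pem in (("primary", primary_pem), ("secondary", secondary_pem)):
        if not pem or not pem.strip():
            continue  # an empty secondary field simply means "not configured"
        der = parse_pem_certificate(pem)
        if verify(assertion, der):
            return label
    return None


def make_placeholder_pem(tag: str) -> str:
    """Constructed placeholder: a PEM-framed blob of arbitrary bytes, NOT a
    real certificate, so the example runs offline."""
    body = base64.b64encode(("placeholder-cert-" + tag).encode()).decode()
    return "\n".join([PEM_HEADER, body, PEM_FOOTER])


OLD_CERT = make_placeholder_pem("expiring")   # constructed, currently primary
NEW_CERT = make_placeholder_pem("rotated")    # constructed, staged as secondary


def stub_verify(assertion: dict, der: bytes) -> bool:
    """Stand-in for a real SAML signature check (assumed, not the product's
    code): accepts the assertion when its recorded signer fingerprint matches
    the certificate it is offered."""
    return assertion.get("signer_fp") == fingerprint_sha256(der)


def rotation_demo() -> str:
    """The identity provider has already switched to the new certificate; the
    login still succeeds because the secondary slot holds it."""
    assertion = {"signer_fp": fingerprint_sha256(parse_pem_certificate(NEW_CERT))}
    return verify_with_fallback(assertion, OLD_CERT, NEW_CERT, stub_verify)


if __name__ == "__main__":
    print("verified with:", rotation_demo())
```

Once the old certificate has expired, moving the new one into the primary field and clearing the secondary field restores the single-certificate state; the fallback loop above handles both layouts without any change.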


When you use an identity provider to connect to Pacific Timesheet, you will need a corresponding employee account in Pacific Timesheet. The identity provider's account information (be it email address, login, etc.) will be used to find a corresponding Pacific Timesheet account. The match will be made against the Pacific Timesheet account's login name, employee ID or email address, in that order.
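The matching order matters when the same value could belong to more than one field, for example when one person's login name is another person's email address. The following Python is an added illustration, not Pacific Timesheet's own code: it resolves the identity provider's subject value against a constructed sample directory in the page's order (login name, then employee ID, then email address) and refuses to pick an account when two records tie within the same field. Exact string comparison is an assumption made here; the product's own case handling is not described on the page.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    login: str
    employee_id: str
    email: str


# Order from the page: login name, then employee ID, then email address.
MATCH_ORDER = ("login", "employee_id", "email")

# Constructed sample directory (no real accounts). Note the deliberate
# overlaps: "jsmith" is Jane's login and the local part of Bob's email, and
# two records share an email address.
DIRECTORY: List[Employee] = [
    Employee("jsmith", "E1001", "jane.smith@example.com"),
    Employee("bob", "E1002", "jsmith@example.com"),
    Employee("alice", "E1003", "shared@example.com"),
    Employee("alan", "E1004", "shared@example.com"),
]


def match_employee(idp_subject: str, directory: List[Employee]) -> Optional[Tuple[Employee, str]]:
    """Map the identity provider's subject value to one account.

    Returns (employee, field_that_matched) or None when nothing matches.
    Raises ValueError when a field yields more than one hit, because silently
    choosing one of two accounts would log the user into the wrong one.
    """
    subject = idp_subject.strip()
    if not subject:
        return None
    for field in MATCH_ORDER:
        hits = [emp for emp in directory if getattr(emp, field) == subject]
        if len(hits) > 1:
            raise ValueError(f"ambiguous {field} match for {subject!r}: {len(hits)} accounts")
        if hits:
            return hits[0], field  # first field with a hit wins; later fields are not consulted
    return None


if __name__ == "__main__":
    for subject in ("jsmith", "E1002", "jsmith@example.com", "nobody"):
        print(subject, "->", match_employee(subject, DIRECTORY))
```

With this data, a subject of "jsmith" resolves to Jane through her login name even though it also resembles Bob's email, while "jsmith@example.com" resolves to Bob because no login or employee ID carries that value.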


Note: Even if SSO is enabled you can allow some employees to log in using Pacific Timesheet's standard authentication (user name and password). On the login page the employee can choose either to log in with the standard user name and password or to use the configured identity provider's SSO option. This means Pacific Timesheet accounts that do not use the configured identity provider, such as the 'admin' account or client approver accounts, can still log in with a user name and password.