Configuration of OneLogin and 8x8 Admin Console for SAML 2.0 SSO user login.
At this time, OneLogin active user sync (SCIM) to 8x8 is not supported.
- OneLogin identity management
- 8x8 Admin Console
- SAML 2.0 SSO
You'll need to perform the following as an admin of both OneLogin and 8x8 Configuration Manager:
- Add the 8x8 Application to OneLogin
- Set Up Identity Management in 8x8 Admin Console
- Configure a User in Admin Consoler for SSO Login
- 8x8 Work for Desktop SSO Login Process
Add the 8x8 Application to OneLogin
To begin, you'll need to add the 8x8 application to your OneLogin configuration.
- From Applications in OneLogin, click Add App.
- Find and click on the 8x8 (SAML 2.0, form-based auth).
- In App Listing > Configuration, you can change the Display Name for the app, if needed.
- Scroll down to the bottom of the same App Listing page and confirm that Connectors is set to SAML 2.0.
- Scroll back to the top and click Save.
- More options will be displayed for the 8x8 app after saving. Click SSO.
- Copy the URLs from the following fields (or return to this window later). You’ll need them later, during configuration of your 8x8 Configuration Manager account.
- Issuer URL
- SAML 2.0 Endpoint (HTTP)
- SLO Endpoint (HTTP)
- Then click on View Details for your certificate, or right-click on the link and select Open link in a new tab.
- If you already have your OneLogin certificate in PEM format, you can skip this part. Either way, you'll need your certificate file later.
- If needed, scroll down the Certificates page and select the appropriate PEM-formatted certificate, and click Download.
- Save your certificate for later upload to 8x8 Admin Console.
Next, you'll add the new 8x8 app to users, to allow them access to 8x8 applications that require authentication.
If this procedure is performed using some other method in OneLogin – such as bulk edit or Roles – you can ignore these next steps, and perform that operation instead.
- Click on Users. For single users, select a user and click the plus sign icon .
- Select the 8x8 application you just added, above, and click Continue.
- Make a note of the NameID and click Save.
- The user's NameID will need to be applied to the specific 8x8 user profile in 8x8 Admin Console, which is covered later in this article.
- You should now see the 8x8 application assigned to the user you’ve modified. Click Save User.
- Continue with the next steps below to make the required changes to your 8x8 Admin Console account.
Set Up Identity Management in 8x8 Admin Console
Next, you'll configure your 8x8 account to allow the use of your OneLogin SSO service.
- From https://admin.8x8.com/, log into the 8x8 Admin Console.
- From Home, click on Identity Management.
- Click the check box for Single Sign-On (SSO) to enable it.
- Note that 8x8 supports only one ID management app per account.
- Un-check the 8x8 Username and Password check box only if you want to prevent users from authenticating with 8x8 Work credentials.
- Doing this will allow only the SAML SSO identity provider credentials to be used.
- Keep the 8x8 Username and Password check box checked if users should be allowed to use both authentication methods.
- Select Other SAML SSO Provider. The screen will expand with more configuration options.
Now you simply need to fill in the blanks with the information you collected earlier, and upload your OneLogin certificate.
- In SAML SSO Provider Information > SAML SSO Provider Name, enter a label you want for this SSO provider.
- Match the 8x8 fields with the OneLogin URL information you collected earlier, and add the OneLogin URLs into the appropriate fields in SAML Settings.
IDP Login URL > SAML 2.0 Endpoint (HTTP)
IDP Issuer URL/URN > Issuer URL
IDP Logout URL > SLO Endpoint (HTTP)
- In Certificate in use, click on Click to attach a certificate file and choose the OneLogin certificate you downloaded earlier. The file name of the certificate will appear in the field.
- Note that this field requires a file extension other than .pem. If needed, simply rename the pem file extension to .cert before you upload the file.
- Finally, click Save at the bottom of the page. You should see a green confirmation banner for a few seconds at the top of the screen.
- Continue with the next steps below to make the necessary changes to your 8x8 users in Configuration Manager.
Important note: If after saving you find that you’ve made a mistake with the certificate, just un-check the Single Sign-On (SSO) check box and click Save to clear out the SSO information. Then follow the above process again with the correct information.
The URLs can be edited without clearing the entire SSO configuration.
Configure a User in 8x8 Admin Console for SSO Login
This is a very quick process for an 8x8 user's login configuration.
- In 8x8 Admin Console, click on Home > Users.
- Search for the user you’re configuring, and click the pencil icon to edit the user.
- Scroll down to Single Sign-On (SSO) and add the user’s OneLogin NameID to the Federation ID field.
- Note: This field only appears after an identity provider is configured in Identity Management.
- Click Save.
- You should then see a green confirmation banner at the top of the screen for a few seconds.
This completes the 8x8 Admin Console configuration of OneLogin.
Your configured user(s) should now be able to log into 8x8 applications such as Work for Desktop.
A brief example of the login process is shown, below.
8x8 Work for Desktop SSO Login Process
This login process may vary, depending on the OneLogin administrator’s configuration of that service.
- First, launch 8x8 Work for Desktop on your PC.
- Enter the OneLogin NameID of the assigned user into the 8x8 Username or Email field and click Continue.
- Click Log in using SSO.
- In the OneLogin Username field, enter the NameID of the assigned user.
- Enter the user’s OneLogin Password and click Continue.
- This will complete the login to 8x8 Work for Desktop.
Other login options and login persistence may be available depending on the OneLogin administrator’s configuration of that service.
Invalid SAML Profile
If users receive the error Invalid SAML profile error: No valid certificate found when attempting to log in to an 8x8 app, the OneLogin certificate applied to the SSO setup in 8x8 Configuration Manager probably included a non-PEM certificate, or a certificate was simply not added.
Or if the certificate was never added, simply add it to the 8x8 SSO configuration, and save the configuration again.
The OneLogin X.509 PEM certificate seems to work best with this service.
We could not verify your SSO account
If users see this error when attempting to log in, the configuration in either OneLogin or 8x8 Admin Console could be incorrect, and should be reviewed and corrected as needed.
If the applications are correctly configured, then the 8x8 user profile in Admin Console is not configured correctly.
- We could not verify your SSO account. Please contact your 8x8 administrator.
To correct the user configuration issue, verify that the Admin Console user profile in Home > Users has the correct OneLogin NameID applied to the Single Sign-On > Federation ID field.