Toolbox Enterprise Preview.11 Help

OneLogin

Follow these guidelines to configure OneLogin as an OAuth2 provider for your instance of Toolbox Enterprise.

Prerequisites

  • You have a valid Okta account.

  • You have created an application.yaml file to configure your Toolbox Enterprise Server.

Add Toolbox Enterprise to OneLogin

Start by configuring a custom OIDC connector so that Toolbox Enterprise can use OneLogin as an authentication provider.

  1. Open the OneLogin portal in your browser and log in using your OneLogin account.

  2. From the main menu, select Applications | Applications.

  3. Click Add App.

  4. In the search field, start typing OpenId Connect and select this application.

  5. Specify Toolbox Enterprise as an application name and click Save.

  6. On the Configuration tab, enter the callback endpoint that the end user is redirected to in the Redirect URIs field: http://<toolbox_enterprise_server_domain.com>/api/login/authenticated.

  7. On the SSO tab, select POST in the Authentication Method field.

  8. Copy and save the Client ID and Client Secret values. You will need them for configuring application.yaml.

  9. Save the resulting configuration.

Configure OneLogin in application.yaml

After adding Toolbox Enterprise to OneLogin, you need to configure your application.yaml file and specify the OAuth2 provider properties there:

tbe:
  auth:
    login-url: "https://<subdomain>.onelogin.com/oidc/2/auth"
    token-url: "https://<subdomain>.onelogin.com/oidc/2/token"
    jwt-certs-url: "https://<subdomain>.onelogin.com/oidc/2/certs"
    client-id: "your_identifier"
    client-secret: "your_password"
    required-scopes: [ "profile", "email", "openid" ]
    login-url-prompt-param: "login"
    root-admin-emails:
      - "toolbox.admin@example.com"

login-url

Provide a URL for logging in via OneLogin.

You can obtain this URL from the Well-known configuration on the OneLogin portal. Open the application details, go to the SSO tab and click the Well-known Configuration link. Alternatively, you can request the Well-known configuration at https://<your_OneLogin_domain>.onelogin.com/oidc/2/.well-known/openid-configuration

token-url

Provide a URL for obtaining an authorization token on OneLogin's side.

You can obtain this URL from the Well-known configuration on the OneLogin portal. Open the application details, go to the SSO tab and click the Well-known Configuration link. Alternatively, you can request the Well-known configuration at https://<your_OneLogin_domain>.onelogin.com/oidc/2/.well-known/openid-configuration

jwt-certs-url

Specify a URL to the JSON Web Key (JWK) set that is used to validate JSON Web Tokens (JWT).

You can obtain this URL from the Well-known configuration on the OneLogin portal. Open the application details, go to the SSO tab and click the Well-known Configuration link. Alternatively, you can request the Well-known configuration at https://<your_OneLogin_domain>.onelogin.com/oidc/2/.well-known/openid-configuration
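
As an added example (not part of the Toolbox Enterprise documentation), the following Python code reads a Well-known configuration document and derives the three URL properties described above, rejecting non-HTTPS or off-host endpoints before they reach application.yaml. The mapping of login-url, token-url and jwt-certs-url to the standard OIDC discovery fields authorization_endpoint, token_endpoint and jwks_uri is an assumption, as is the same-host check; the sample document and its "example" subdomain are constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of a Well-known configuration; "example" is a placeholder subdomain.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://example.onelogin.com/oidc/2",
    "authorization_endpoint": "https://example.onelogin.com/oidc/2/auth",
    "token_endpoint": "https://example.onelogin.com/oidc/2/token",
    "jwks_uri": "https://example.onelogin.com/oidc/2/certs",
    "scopes_supported": ["openid", "profile", "email", "groups"],
})

# Assumed mapping from tbe.auth keys to standard OIDC discovery fields.
FIELD_MAP = {
    "login-url": "authorization_endpoint",
    "token-url": "token_endpoint",
    "jwt-certs-url": "jwks_uri",
}
REQUIRED_SCOPES = ["profile", "email", "openid"]  # value given for required-scopes


def auth_urls_from_discovery(raw_json):
    """Return the three tbe.auth URLs; raise ValueError on anything suspicious."""
    doc = json.loads(raw_json)
    issuer_host = urlsplit(doc.get("issuer", "")).hostname
    urls = {}
    for key, field in FIELD_MAP.items():
        if field not in doc:
            raise ValueError(f"discovery document has no {field}")
        parts = urlsplit(doc[field])
        if parts.scheme != "https":
            raise ValueError(f"{field} is not HTTPS: {doc[field]}")
        # Sanity check: on this page all endpoints share the issuer's host.
        if parts.hostname != issuer_host:
            raise ValueError(f"{field} host differs from issuer: {parts.hostname}")
        urls[key] = doc[field]
    missing = [s for s in REQUIRED_SCOPES if s not in doc.get("scopes_supported", [])]
    if missing:
        raise ValueError(f"provider does not advertise scopes: {missing}")
    return urls


def render_yaml(urls):
    """Render the URL lines of the tbe.auth block for application.yaml."""
    lines = ["tbe:", "  auth:"]
    lines += [f'    {key}: "{value}"' for key, value in urls.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_yaml(auth_urls_from_discovery(SAMPLE_DISCOVERY)))
```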

client-id

Specify the public identifier for Toolbox Enterprise used in OneLogin.

client-secret

Specify the client secret for Toolbox Enterprise used in OneLogin.

required-scopes

Set the value to [ "profile", "email", "openid" ].

login-url-prompt-param

Defines whether the user should be prompted with a login dialog. Specify one of the following:

  • login: use this value to show the login dialog to the user.

  • none: use this value to skip showing the login dialog to the user.

root-admin-emails

List emails of users that will receive admin rights.

Last modified: 16 April 2024