Version: v4.13

Integration with OneLogin

SSO with OneLogin

With Cyral, you can authenticate database users against your OneLogin instance.

Sourcing Group Information

We recommend creating some OneLogin roles specifically for the users that should have access to Cyral.
Later on, you will be able to set up fine-grained access control policies in Cyral based on these OneLogin roles. For this reason, you may choose to create multiple OneLogin roles for different levels of access. You may also choose to use mappings to populate the newly created OneLogin roles. We recommend this approach, as it offers the following benefits:

  • Source users from multiple external directories or trusted IdPs.
  • Simple and easy to manage who has access to Cyral.
  • Create and delete groups of users with no side-effects for other applications.
  • Control the groups that Cyral knows about; keep your internal group names private.

In Cyral management console, create a SAML integration

  1. Create a new SAML integration: Log in to your Cyral control plane UI, navigate to the Integrations section, find the SAML integration tile, and click Configure.

  2. Create a new SAML connection:

    • Specify a Display Name. This display name is used to identify the IdP to the user when they log in.
    • In Attribute Names in SAML Assertion section, accept the defaults.
    • Enable IdP-initiated login checkbox: Set IdP-initiated login to ON to give users the added option of logging in from your IdP's portal.
    • Click Continue
    • On the next screen, download the SP metadata file. You'll need this in the next step to set up your IdP. You are free to close the page. Your SAML Integration will save as a draft, and you will be able to return to it at a later time to finish entering the required configuration values.

Create SAML IdP app in OneLogin

Perform the following steps in OneLogin.

  1. Open the Applications menu of the OneLogin Administration Console, and add a new SCIM Provisioner with SAML (SCIM v2 Enterprise, full SAML) application.

  2. Give the application a name, and optionally upload a Cyral logo and add a description. Click Save.

  3. Open the SP metadata file you downloaded from the Cyral management console in the previous section. Navigate to the Configuration tab of your OneLogin SAML application. Copy the following values from your SP metadata file:

    • Set the SAML Audience URL in OneLogin to the Entity ID from the SP metadata. The URL should have the following format:

      https://<CYRAL_CONTROL_PLANE_DOMAIN>/auth/realms/default

      Click continue.

    • Set the Recipient in OneLogin using the AssertionConsumerService
      element from the SP metadata that is marked as default. The URL has the following format:

      https://<CYRAL_CONTROL_PLANE_DOMAIN>/auth/realms/default/broker/<CYRAL_CONTROL_PLANE_DOMAIN>/endpoint/client/client-<IDP_INTEGRATION_ID>
    • Set the ACS (Consumer) URL Validator in OneLogin using the Assertion Consumer Service URL marked as default. Perform the following modifications to the URL:

      * Escape all forward slashes, periods, and dashes.
      * Add a ^ character to the beginning of the string.
      * Add a $ character to the end of the string.

      See these instructions for more information.

      The value will have the following format after the modifications:

      ^https:\/\/<CYRAL_CONTROL_PLANE_DOMAIN>\/auth\/realms\/default\/broker\/<CYRAL_CONTROL_PLANE_DOMAIN>\/endpoint\/clients\/<CYRAL_CONTROL_PLANE_DOMAIN>\-client$
    • Set the ACS (Consumer) URL in OneLogin using the AssertionConsumerService
      element from the SP metadata that is marked as default. The URL has the following format:

      https://<CYRAL_CONTROL_PLANE_DOMAIN>/auth/realms/default/broker/<CYRAL_CONTROL_PLANE_DOMAIN>/endpoint/client/client-<IDP_INTEGRATION_ID>
    • Set the Login URL in OneLogin to the following URL:

      https://<CYRAL_CONTROL_PLANE_DOMAIN>/app
    • Set the SAML Initiator to OneLogin.

    • Set the SAML NameID format to unspecified.

    • Set the SAML signature element to both.

  4. Click Save in the top righthand corner.

  5. Navigate to the Parameters tab of your OneLogin SAML application. Leave all default fields as is. You will additionally need to add some custom user attributes that Cyral will extract from the SAML assertion. For each field below, select the + icon in the top right corner:

    • First Name: This is required. Enter firstName as the Field name. Ensure that you check Include in SAML assertion. Click Save. Set the Value to be the user's first name. Click Save.

    • Last Name: This is required. Enter lastName as the Field name. Ensure that you check Include in SAML assertion. Click Save. Set the Value to be the user's last name. Click Save.

    • Email: This is required. Enter email as the Field name. Ensure that you check Include in SAML assertion. Click Save. Set the Value to be the user's email. Click Save.

    • Group Names: This is required. Enter memberOf as the Field name. Ensure that you check Include in SAML assertion. Additionally, select Multi-value parameter. Click Save. Set the Default if no value selected to be the User Roles. Click Save.



  6. Navigate to the SSO tab of your OneLogin SAML application. Set the SAML Signature Algorithm to SHA-256. Save the integration.

  7. Navigate to the Access tab of your OneLogin SAML application. Select the OneLogin Roles that contain the users that should have access to Cyral. Save the integration.

  8. Select More Actions ➡️ SAML Metadata to download the IdP Metadata associated with your OneLogin SAML application.
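As an added example (not code from the Cyral or OneLogin documentation), the two settings above that are easy to get subtly wrong, seen from the service-provider side: step 3's anchored ACS URL Validator, built by escaping slashes, periods and dashes and wrapping the ACS URL in ^ and $, and step 5's four custom attributes, checked on an assertion. The control-plane domain, integration id and attribute values are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-ins for the page's <CYRAL_CONTROL_PLANE_DOMAIN> and
# <IDP_INTEGRATION_ID> placeholders.
CP_DOMAIN = "cp.example.com"
ACS_URL = (f"https://{CP_DOMAIN}/auth/realms/default/broker/"
           f"{CP_DOMAIN}/endpoint/client/client-12345")

def acs_validator_regex(acs_url: str) -> str:
    """Build the OneLogin ACS URL Validator from the ACS URL: escape slashes,
    periods and dashes, then anchor with ^ and $ so that only the exact
    endpoint matches (an unescaped '.' would also match look-alike hosts)."""
    return "^" + re.sub(r"([/.\-])", r"\\\1", acs_url) + "$"

def acs_url_allowed(candidate: str) -> bool:
    """What the validator does at login time: accept only the exact ACS URL."""
    return re.fullmatch(acs_validator_regex(ACS_URL), candidate) is not None

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("firstName", "lastName", "email", "memberOf")

def cyral_attributes(assertion_xml: str) -> dict:
    """Extract the custom attributes added in the Parameters tab. memberOf is
    multi-valued (a list); the other three are single values."""
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [v.text for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        found[attr.get("Name")] = values
    missing = [n for n in REQUIRED if not found.get(n)]
    if missing:
        raise ValueError(f"assertion is missing attributes: {missing}")
    return {n: (found[n] if n == "memberOf" else found[n][0]) for n in REQUIRED}

# Constructed assertion fragment carrying the four attributes.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS['saml']}">
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>cyral-admins</saml:AttributeValue>
      <saml:AttributeValue>cyral-analysts</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```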

In Cyral management console, complete the SAML integration

In this final step, you will supply the IdP Metadata you downloaded from OneLogin to the Cyral management console.

  1. Return to your SAML integration in the Cyral management console. Upload the IdP Metadata XML file you retrieved from OneLogin.

  2. Click Save.

Your SAML Integration is complete. You can verify it by logging into your CP using the new OneLogin integration from both the Cyral CP and your OneLogin dashboard.

Next step

See Set up SSO authentication for users for the steps to activate SSO authentication on each repository that will use it.

SCIM with OneLogin

Cyral supports the use of the SCIM protocol to retrieve group information from OneLogin. While Cyral also supports other ways to retrieve group information from SAML, the SCIM approach is the only way to get group information for login workflows in which the user does not visit the Cyral Access Portal. For example, login through Tableau to Snowflake with Cyral SSO relies on Cyral's SCIM integration to retrieve the user's group information.

Prerequisites

Before you set up the SCIM integration, make sure you have:

  • A OneLogin solution that supports User Provisioning (such as the Professional Bundle).
  • A working OneLogin SSO integration configured in Cyral.

Get configuration values from the Cyral UI

  1. In the Cyral CP, navigate to Integrations ➡️ SAML ➡️ Configure ➡️ find the SSO integration you created for OneLogin and click the pencil icon to edit.

  2. Select Enable service account resolution. The Configure Your SCIM Integration panel appears.

  3. The integration tile will display some configuration values. In the next procedure, you or your SAML administrator will copy these values into the IdP. Copy the values displayed and store them securely.

    note

    The following values must be saved for later use:

    • SCIM connector base URL: The base URL for the SCIM integration endpoints.
    • Bearer Token: An OAuth access token needed for authentication and authorization with the Cyral SCIM endpoints associated with the given integration instance.
  4. Click Save.

Configure SCIM in OneLogin

Perform the following steps in OneLogin.

  1. Navigate to the SCIM Provisioner with SAML (SCIM v2 Enterprise, full SAML) application you created when configuring the OneLogin SSO integration.

  2. Navigate to the Configuration tab of your OneLogin SAML application. Under the API Connection section:

    • Select Enable.
    • Copy the following JSON into the SCIM JSON Template field:

      {
        "schemas": [
          "urn:scim:schemas:core:2.0"
        ],
        "userName": "{$parameters.scimusername}",
        "name": {
          "familyName": "{$user.lastname}",
          "givenName": "{$user.firstname}",
          "formatted": "{$user.display_name}"
        },
        "emails": [{
          "value": "{$user.email}",
          "type": "work",
          "primary": true
        }],
        "title": "{$parameters.title}"
      }

    • Enter the SCIM Base URL retrieved from the Cyral management console in the previous section.
    • Enter the Bearer Token retrieved from the Cyral management console in the previous section.
    • Save the integration.
  3. Navigate to the Rules tab. Add a rule. Name it scim-groups-are-roles. Under Actions:

    • Select Set Groups in <APP_NAME> from the dropdown menu.
    • Select Map from OneLogin.
    • Use the second dropdown and select Role that matches ^.*$. Note: If you prefixed all your Cyral OneLogin Roles with the string ‘cyral’, you can use the regex ^cyral.*$
    • Click Update.
    • Save the integration.
  4. Navigate to the Provisioning tab.

    • Select Enable Provisioning
    • Ensure that updates in OneLogin are automatically propagated to Cyral. Under ‘Require admin approval before this action is performed’, deselect all actions.
    • Save the integration.
  5. Navigate to the Parameters tab.

    • Edit the scimusername field. Set the value to Email.
    • Edit the Groups field. Select Include in User Provisioning.
    • Ensure that updates in OneLogin are automatically propagated to Cyral. Under ‘Require admin approval before this action is performed’, deselect all actions.
    • Save the integration.
  6. Navigate to the Provisioning tab. Under the Entitlements section, select Refresh. This is how you will trigger the rule you created, mapping OneLogin Roles to the users and groups that will be provisioned to Cyral.

  7. Navigate to the Users tab. From the drop down in the top right corner, select Apply to all and then Reapply Mappings. Repeat steps 6 and 7 until there are no errors.

Next step

With SCIM configured, your Cyral installation can provide service account resolution for Looker and Tableau, ensuring you know the SSO user identity of users who connect to a repository through a service account. See set-up instructions: