Setting up the FlowLogViewer with OneLogin SSO

September 14, 2018

Several PiaSoft customers have asked us to add SSO support, and in v1.11 we have added it. We also have instructions to set up with Okta.


The Single Sign On workflow to view Flow Logs looks like:

  1. User logs into your SSO Identity Provider.

  2. User follows a link to a FlowLogsViewer instance.

  3. After authentication with the IDP completes successfully, user is redirected to the base login page. Credentials are no longer required here.

If access to the app is denied through the SSO IdP, users are redirected to an access denied page on the SSO provider's site.

Setup

Once your instance is set up (don't forget our free 30-day trial), you will need to:

- SSH to the instance

- Add some configuration to /home/ubuntu/flowlogviewer/current/config/application.rb

 

For OneLogin to work, you will need a connector set up. You can use the SAML Test Connector (IdP w/ attr) that OneLogin helps you set up here:
https://developers.onelogin.com/saml/python#Task2

 

1. Modify application.rb

SSH to the instance and open this file with your favorite editor:

/home/ubuntu/flowlogviewer/current/config/application.rb 

 

Modify this section:

    # SSO Configuration. Please see www.piasoftware.net/setup for help setting up SSO
    config.sso_enabled = false
    config.idp_sso_target_url = "URL_TO_YOUR_SSO_PROVIDER_GOES_HERE"
    config.idp_cert_fingerprint = "SHA256 fingerprint of your SSO Provider's key goes here"
    # Change this line if you're creating a fingerprint with an algorithm besides sha256
    config.idp_cert_fingerprint_algorithm = "http://www.w3.org/2000/09/xmldsig#sha256"


1a. Set "config.sso_enabled = true"

1b. Visit the OneLogin Console -> Apps. After creating the SAML Test Connector, you should have an app that uses SAML 2.0. Click it.

1c. For config.idp_sso_target_url, go to the SSO page and copy the value from "SAML 2.0 Endpoint (HTTP)".

1d. For config.idp_cert_fingerprint, under "X.509 Certificate", click "View Details". Change the SHA fingerprint algorithm from SHA1 to SHA256 and copy the fingerprint to application.rb.

 

The file should look like:

    # SSO Configuration. Please see www.piasoftware.net/setup for help setting up SSO
    config.sso_enabled = true
    config.idp_sso_target_url = "https://pia-software-dev.onelogin.com/trust/saml2/http-post/sso/1111111111"
    config.idp_cert_fingerprint = "00:7A:E8:61:18:AB:43:3F:10:7E:78:02:FA:6F:07:7C:91:20:A7:D5:33:74:DB:74:A8:75:B7:E2:B1:DE:40:DF"
    config.idp_cert_fingerprint_algorithm = "http://www.w3.org/2000/09/xmldsig#sha256"


Save and exit.

 

2. Restart the flowlogviewer:

$ sudo systemctl restart flowlogviewer.target

 

Now, when you hit the IP for your Flow Logs Viewer instance, you should be redirected to the SSO provider.
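The fingerprint copied into config.idp_cert_fingerprint can be checked against the IdP certificate itself before relying on it. The following Ruby script is an added example, not PiaSoft code: it recomputes the fingerprint from the certificate and flags a placeholder left in place, a SHA1 value paired with the sha256 setting, or a fingerprint from another certificate. The helper names and the generated sample certificate are assumptions made for the illustration.

```ruby
require "openssl"

DIGESTS = { "sha1" => OpenSSL::Digest::SHA1, "sha256" => OpenSSL::Digest::SHA256 }.freeze

# Colon-separated upper-case hex digest of the certificate's DER encoding.
def cert_fingerprint(cert, algo = "sha256")
  DIGESTS.fetch(algo).hexdigest(cert.to_der).upcase.scan(/../).join(":")
end

# Compare a configured fingerprint with the certificate. Returns :ok,
# :malformed (not hex, e.g. the placeholder text was left in place),
# :wrong_length (e.g. a SHA1 value next to a sha256 algorithm setting)
# or :mismatch (the fingerprint belongs to a different certificate).
def check_fingerprint(cert, configured, algo = "sha256")
  got = configured.to_s.delete(": \n").upcase
  return :malformed unless got.match?(/\A\h+\z/)
  return :wrong_length unless got.length == DIGESTS.fetch(algo).new.digest_length * 2
  got == cert_fingerprint(cert, algo).delete(":") ? :ok : :mismatch
end

# Constructed self-signed certificate standing in for the IdP certificate.
# With a real one: OpenSSL::X509::Certificate.new(File.read(path_to_pem))
def sample_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=idp.example.test")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end

if __FILE__ == $PROGRAM_NAME
  cert = sample_cert
  sha256 = cert_fingerprint(cert)
  puts "sha256 fingerprint: #{sha256}"
  puts "sha256 value, sha256 setting: #{check_fingerprint(cert, sha256)}"
  puts "sha1 value, sha256 setting:   #{check_fingerprint(cert, cert_fingerprint(cert, 'sha1'))}"
end
```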

pia@piasoftware.net

(804) 5050PIA

(804) 505-0742


©2017 BY PIA SOFTWARE.  All rights reserved.