SearchStax Site Search Single Sign-On (SSO) Setup for OneLogin
The SearchStax Site Search solution now offers the ability for customers to set up OneLogin Single Sign-On (SSO) to let their users log in with a single ID and password that works across multiple software systems.
We use the open standard Security Assertion Markup Language (SAML) to allow identity providers (IdP) to pass authorization credentials to service providers (SP). This page provides instruction to use OneLogin to implement SSO for SearchStax.
SSO is an add-on Site Search feature that is available with the Advanced and Premium plans.
Instructions
Once SSO is enabled by SearchStax for your account, and a domain is set up, the options to set up SSO appear in the My Profile screen of the My Account menu:
The Set Up Single Sign-On button leads to a screen of configuration URLs and feature options. You will need to refer to this screen while setting up the SSO profile with the Identity Provider.
This screen contains the following fields and options:
- Assertion Consumer Service (ACS) URL: Note that the URL includes your SSO domain (called mydomain in the following discussion).
- Metadata URL: SearchStax metadata endpoint.
- Enable Checkbox: If checked, SSO is enabled for this account.
- Assertion Responses Signed: Use the droplist to indicate whether assertions and/or responses should be signed.
- Allow Email Password Login Checkbox: If check, permits login by email/password in addition to SSO.
- Auto Create Users Checkbox: Should a new user account be created the first time a user logs in?
- IDP Entry URL: Identity provider URL.
- Metadata URL: The SAML 2 Metadata URL.
- Sign-In URL: The URL used for signing into the SAMP Identity Provider.
- Sign-Out URL (Optional): The URL shown after a successful sign-out.
OneLogin Setup
- Go to OneLogin administration dashboard and select the Applications drop down. Select Add App in the top right corner:
- Now Search for “SAML Custom Connector (Advanced)” and then select the application:
- Enter a display name for the custom SearchStax application – something like “SearchStax”. Feel free to customize the icon as well then click Save in the top right corner:
- This creates a new Application in your user dashboard. Now go back to the applications tab still inside the administration dashboard and select your newly created application. You will see some new tabs on the left. Select the Configuration Tab:
- This tab is where you will configure the SSO application with the information provided in our SearchStax dashboard. Since we used “mycompany” as our subdomain we will continue to use that here as well. Enter the provided metadata URL in the Audience (EntityID) box
- Enter the provided ACS URLs into the Recipient, ACS Validator, and ACS URL boxes:
- Enter the Login URL into the Login URL Box:
- Be sure your settings align with what is shown below. This will be SP initiated, with a Persistent nameID, and both the assertion and response will be signed, then click Save in the top right:
- Select the Parameters tab on the left. We expect Email, First Name, and Last Name to be passed so your parameters should look like the box below. You also have the ability to pass a “role” parameter. If you do not have a mapping for SearchStax roles, you can leave it as it, and the users will get created with Team Member as the role by default. These roles can always be changed later from the Managed Search Dashboard:
- Next click into the SSO tab on the left. Take note of the Issuer URL and the SAML 2.0 Endpoint.
You will be putting these values in the Managed Search dashboard as shown below. Click Save Settings when finished:
The steps below show how we have integrated it with our OneLogin instance.
Login Using SSO
The Site Search sign-in screen provides a button at the bottom for SSO – “Sign-In With your ID Provider.” Click this button.
Enter the domain that was set up for the client.
Click Continue. This takes you to the OneLogin Sign-in page. After you authenticate, it brings you back to your Site Search Dashboard.
Alternately, you can directly go to https://<Subdomain>.searchstax.com to login, and clicking on the “Sign-In With your ID Provider” will take you directly to OneLogin.
SSO + Two-factor Authentication
A User can have SSO and Two-Factor authentication both set up. The 2FA settings for a user will apply to all accounts that the user has access to.
However, for the account that has SSO Setup, SearchStax 2FA settings will not apply. In that case, 2FA should be set up at the SSO Provider.
Questions?
Do not hesitate to contact the SearchStax Support Desk.