Managed Search Single Sign-On (SSO) OneLogin

---

SearchStax Managed Search now offers the ability for customers to set up Single Sign-On (SSO) using OneLogin to let their users log into SearchStax apps with a single ID and password that works across multiple software systems.

We use the open standard Security Assertion Markup Language (SAML) to allow identity providers (IdP) to pass authorization credentials to service providers (SP). This page provides instructions on how to configure OneLogin SSO with SearchStax.

SSO is an add-on SearchStax feature that is purchased separately as part of the Security Pack. If you are interested in the Security Pack, please contact Sales.

The following steps explain how it can be set up for OneLogin.

Instructions

Once SSO is enabled by SearchStax for your account, the owner and/or admin can see options to set it up. The options to set up SSO are in the User Preferences screen of the SearchStax Cloud Dashboard:

The first option is the Single Sign-On subdomain. This is a label like mycompany, which the system will use to build a URL such as mycompany.searchstax.com.

Click Next to view the next page of SSO parameters.

The “direct Sign-In URL” is the URL that your team can use for signing into SearchStax Cloud. The other two URLs are discussed below.

1. Go to OneLogin administration dashboard and select the Applications drop down. Select Add App in the top right corner:
   
2. Now Search for “SAML Custom Connector (Advanced)” and then select the application:
   
3. Enter a display name for the custom SearchStax application – something like “SearchStax”. Feel free to customize the icon as well then click Save in the top right corner:
   
4. This creates a new Application in your user dashboard. Now go back to the applications tab still inside the administration dashboard and select your newly created application. You will see some new tabs on the left. Select the Configuration Tab:
   
5. This tab is where you will configure the SSO application with the information provided in our SearchStax dashboard. Since we used “mycompany” as our subdomain we will continue to use that here as well. Enter the provided metadata URL in the Audience (EntityID) box
   
   
6. Enter the provided ACS URLs into the Recipient, ACS Validator, and ACS URL boxes:
   
7. Enter the Login URL into the Login URL Box:
   
8. Be sure your settings align with what is shown below. This will be SP initiated, with a Persistent nameID, and both the assertion and response will be signed, then click Save in the top right:
   
9. Select the Parameters tab on the left. We expect Email, First Name, and Last Name to be passed so your parameters should look like the box below. You also have the ability to pass a “role” parameter. If you do not have a mapping for SearchStax roles, you can leave it as it, and the users will get created with Team Member as the role by default. These roles can always be changed later from the Managed Search Dashboard:
   
   
10. Next click into the SSO tab on the left. Take note of the Issuer URL and the SAML 2.0 Endpoint.
    
    You will be putting these values in the Managed Search dashboard as shown below. Click Save Settings when finished:
    
    

The steps below show how we have integrated it with our OneLogin instance.

Login Using SSO

https://app.searchstax.com/ now provides a button at the bottom for SSO – “Sign-In With your ID Provider.” Click this button.

Enter the domain that was set up for the client.

Click Continue. This takes you to OneLogin Sign-in page. After you authenticate, it brings you back to your SearchStax Dashboard.

Alternately, you can directly go to https://<Subdomain>.searchstax.com to login, and clicking on the “Sign-In With your ID Provider” will take you directly to OneLogin.

SSO + Two-factor Authentication

A User can have SSO and Two-Factor authentication both setup. The 2FA settings for a user will apply to all accounts that the user has access to.

However, for the account that has SSO Setup, while logging in, SearchStax 2FA settings will not apply. In that case, 2FA should be set up at the SSO Provider.