This article will provide the steps required to set up Nomos One single sign on access for your organisation, using OneLogin as the identity provider.
App Creation
- Sign in to the OneLogin portal.
- At the top of the page, click “Applications”.
- Click the “Add App” button.
- On the “Find Applications” page, search for “SAML Custom Connector (Advanced)” and click on the application that appears below.
- Enter the name of your app. This can be updated later if need be.
- Click “Save”.
- Once the page reloads, click on “Configuration”.
At this point you should have an app created, and land on a page that looks similar to this:
Single Sign On setup
- Staying within the page you just generated, update the form to match the following:
- For “RelayState”, leave blank.
- For “Audience (EntityID)”, enter:
urn:amazon:cognito:sp:<USER_POOL_ID> - For “Recipient”, enter:
https://onelease-<dev|stg|prod>.auth.ap-southeast-2.amazoncognito.com/saml2/idpresponse - For “ACS (Consumer) URL Validator”, enter a regular expression used to ensure that OneLogin posts the SAML response to the correct URL by validating the “ACS (Consumer) URL” entered in the next field. For more information on this step, please refer to this article in the OneLogin knowledge base.
- For “ACS (Consumer) URL”, enter":
https://onelease-<dev|stg|prod>.auth.ap-southeast-2.amazoncognito.com/saml2/idpresponse - For “Single Logout URL”, leave blank.
- For “Login URL”, leave blank.
- For “SAML not valid before”, enter: 3
- For “SAML not valid on or after”, enter: 3
- For “SAML initiator”, enter: “Service Provider”
- For “SAML nameID format”, enter: “Persistant”
- For “SAML issuer type”, enter: “Specific”
- For “SAML signature element”, choose both.
- For “Encryption assertion”, check the box.
- For “SAML encryption method”, enter: “AES-256-CBC”.
- For “Send NameID Format in SLO Request”, check the box.
- For “Generate AttributeValue tag for empty values”, check the box.
- For “Sign SLO Request”, un-check the box.
- For “Sign SLO Response”, un-check the box.
- For “SAML sessionNotOnOrAfter”, enter: 1440
- Click the “Save” button.
- Click on “Parameters".
- Click the + icon to add a new field for the required SAML assertion:
- In the “Name” field, enter: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- Check the box for “Include in SAML assertion” and click “Save”.
- Once the model refreshes, change the “Value” drop-down to “Email”. Click “Save”.
The majority of the setup within OneLogin is now done. The certificate conversion still needs to be done, but will be processed after the Cognito configuration, which is handled by the Nomos One team.
Certificates
- In Cognito, go to the IdP page for the provider created in the previous step.
- Click “View encryption certificate”.
- Click “Copy”.
- We now need to format the certificate before entering into OneLogin:
- Navigate to this OneLogin page: https://developers.onelogin.com/saml/online-tools/x509-certs/format-x509-certificate
- Enter the certificate that you copied into the “X.509 cert” field, and click “FORMAT X.509 CERTIFICATE”.
- Copy the certificate from the “X.509 cert with header” text box.
- Return to the OneLogin application.
- Click on “Configuration” and scroll to the bottom of the page.
- Enter the copied certificate into the text field under “SAML Encryption”.
- Click “Save”.
The setup process will now be complete, and your organisation can begin using single sign on to access Nomos One.
Nomos One does not provide or purport to provide any accounting, financial, tax, legal or any professional advice, nor does Nomos One purport to offer a financial product or service. Nomos One is not responsible or liable for any claim, loss, damage, costs or expenses resulting from your use of or reliance on these resource materials. It is your responsibility to obtain accounting, financial, legal and taxation advice to ensure your use of the Nomos One system meets your individual requirements.