G-Cloud 4 Service Definition

wispsyndicate, Security

23 Feb 2014 (3 years and 3 months ago)

Page 1 of 14

OneLogin G-Cloud 4 Service Definition

September 2013

Table of Contents

PRODUCT OVERVIEW ... 3
PRODUCT DESCRIPTION ... 3
ONELOGIN PLATFORM ... 6
AVAILABILITY ... 6
EUROPEAN DATACENTER ROLL OUT ... 6
ONELOGIN SECURITY ... 7
DETAILED RESPONSES TO G-CLOUD 4 - SERVICE SUBMISSION PORTAL ... 8
PRICING AND COMMERCIALS ... 8
ACCREDITATION ... 8
GENERAL TECHNICAL INFORMATION ... 8
SERVICE MANAGEMENT ... 9
SAAS GENERIC ... 10
SAAS GENERIC CLIENTS ... 10
SAAS - GENERIC GENERAL FEATURES ... 11
SAAS GENERIC BUSINESS CONTINUITY ... 11
SAAS GENERIC - AUTHORISATION, AUTHENTICATION AND PERSONALISATION ... 11
SAAS GENERIC INTEGRATED COMMUNICATION TOOLS ... 12
SAAS GENERIC IDENTITY SERVICES ... 12
APPENDIX A - VERSION MATRIX ... 13

PRODUCT OVERVIEW

OneLogin provides a cloud-based IAM product that offers simple single sign-on (SSO), making it easier for companies to secure and manage access to web applications. As part of the OneLogin product, the company also handles IAM challenges like directory integration, provisioning and strong authentication. This approach helps companies overcome some of the time and cost hurdles that have stopped IAM projects in their tracks, or led to significant additional costs being incurred.

OneLogin is the industry's most comprehensive solution for managing user identities for web applications in the cloud and behind the firewall. The service comes complete with secure single sign-on for web, mobile and iPad, federated cloud search, user provisioning with entitlements, deep directory integration with real-time user sync, out-of-band multi-factor authentication with Push, VPN integration, compliance reporting and support. OneLogin's pre-integrated offering includes the largest ecosystem of applications (2,800), authentication methods (8), directories (4), VPNs (4) and SAML Toolkits (5), so organizations can get up and running in minutes with no professional services required.


THE ONELOGIN ZERO COST CONNECTOR PLEDGE

OneLogin believes that connectors for applications that do not yet exist in the application catalogue should be added free of charge. Users simply have to request additional connectors via the service desk portal.


PRODUCT DESCRIPTION

SINGLE SIGN-ON

OneLogin supports standards-based single sign-on using SAML, OpenID and WS-Federation and comes with a catalog of more than 3,000 application connectors that can be configured in minutes. With Desktop SSO, users who are signed into their Windows network can be signed into OneLogin automatically without having to enter their credentials. This makes it even easier for users at the office to access their cloud applications.


PASSWORD VAULTING

Many applications don't support SAML and never will. OneLogin's industry-leading, cloud-based password vaulting makes it possible to provide end-users the same single sign-on experience for all web apps. OneLogin stores the passwords securely server-side and injects them into an application's login page during sign-on. OneLogin's browser extension is also able to trigger this process if the user goes directly to an application's login page.

Password Vaulting's built-in audit trail records all important activity, including user updates, login attempts and application sign-ins. This detailed information can be easily scanned using the event browser, or you can use OneLogin's reporting engine to slice and dice it any way you want.

DIRECTORY INTEGRATION

OneLogin makes it easy to securely connect your directory infrastructure to OneLogin and your cloud applications. Enable users to sign into applications with their existing network credentials, eliminate app integration "spaghetti", unify multiple directories, and simplify cross-application analysis and compliance.

One-Minute Active Directory Connector Installation - OneLogin's Active Directory Connector (ADC) is installed by downloading a Windows executable that deploys the ADC as a Windows service, so you don't have to worry about manual restarts after a Windows reboot. No firewall changes are required, as all communication is performed over two separate, outbound SSL connections.

High Availability - OneLogin maintains a health status for each ADC. You may also install multiple AD connectors across multiple servers in a high-availability scenario. If one fails, OneLogin will try the next. We also support Domain Discovery (if your Domain Controller goes offline, we can discover another one within your domain to keep the connection alive).

Real-time User Synchronization - Real-time user synchronization means that when users are created, updated or disabled in Active Directory, the changes are instantly pushed to OneLogin, which updates all user directories in real time. This not only saves a tremendous amount of time and effort, but also acts as an effective "kill switch" for when employees leave the company.

Powerful Administrative Capabilities - Active Directory integration brings powerful new capabilities to OneLogin. For example, you can use any attribute in Active Directory as an indicator for application or policy assignments, as well as perform bulk operations (like activating users).

Full Active Directory Attribute Mapping - As a minimum, OneLogin synchronizes email address, SAM Account, distinguishedName and memberOf (i.e. security group memberships). Create custom fields in OneLogin, then map any Active Directory attribute to those fields for synchronization.

Complex Directory Infrastructures - For organizations with multiple directories, OneLogin is a real lifesaver, because it allows for the integration of any number of Active Directory and LDAP directories and presents them as a single directory to other applications. Most applications are only able to integrate with one directory per customer, but the combination of OneLogin's directory integration capabilities and SAML overcomes this limitation.

MULTI-FACTOR AUTHENTICATION

OneLogin's Mobile One-Time Password App for smartphones has a wireless push feature which also doubles as an out-of-band authentication solution to help prevent man-in-the-middle attacks. Users love being able to send their code with just a push of a button. OneLogin also comes pre-integrated with third-party solutions from RSA, SafeNet, Symantec, VASCO and Yubico. OneLogin supports PKI browser certificates.

USER PROVISIONING WITH ENTITLEMENTS

Manually creating, updating and deleting users in applications is both labor-intensive and error-prone. OneLogin can do real-time user provisioning, importing, matching and de-duplication, as well as Just In Time Provisioning into the IAM Directory.

OneLogin's real-time user provisioning with entitlements automates and streamlines this process for a range of applications, including Box, Clarizen, Dropbox, EchoSign, Google Apps, GoToMeeting, HipChat, NetSuite, Parature, RemedyForce, Salesforce, WebEx, Yammer and Zendesk. OneLogin provides flexible rules for controlling user entitlements, such as roles, profiles and groups.

FLEXIBLE ADMINISTRATIVE ROLES AND PRIVILEGES

OneLogin allows flexible administrative roles and privileges, meaning that you can give users the power to manage accounts, groups, or specific users. This means that a LOB manager could administer his own group and users. OneLogin gives central IT administrators the power to give additional freedom and responsibility to LOB managers, but also the power to revoke those privileges at any time. Admins love the 'assumed user' feature that lets them see what the user is seeing in their account.

FINE GRAINED POLICY CONTROLS

You can restrict access to target applications based on restricted IP addresses, or require additional authentication from unknown browsers, if the user is off the corporate network, etc. OneLogin also gives administrators the ability to separate app administration from user management. For example, administrators can assign security policies to specific users independent of granting their access to their apps.

OneLogin also lets administrators define a logical structure for application access that may or may not correlate exactly with Active Directory Groups, so they can write and rewrite rules in seconds without changing their on-premise security permissions, providing them with complete flexibility in how they want to manage cloud app access without having to modify or adhere to their on-premise AD model.

An example of this would be the provisioning of an external graphic designer. If he were an internal employee he would belong to the marketing group in Active Directory. However, we only want the contractor to have access to a subset of the internal marketing team's applications. Furthermore, we want to impose stricter security policies for outside consultants than we would for regular employees. Rather than having to modify Active Directory and create a whole new permission structure that supports this requirement, the administrator can do this in OneLogin, outside of AD. This has tremendous implications for LOBs.

VPN INTEGRATION

Remote users who need to access resources behind the firewall can sign into their VPN via OneLogin, which supports both IPSec and SSL VPNs. VPN devices can delegate authentication to OneLogin via RADIUS, which in turn can delegate authentication to the user's directory and validate one-time passwords at the same time. For SSL VPNs, users don't even have to know they are accessing an application via VPN; OneLogin will sign the user into the VPN and the application in the same process.

IDENTITY INTELLIGENCE

OneLogin provides a number of standard reports that can be used to analyze user behavior, application usage and potentially fraudulent use. Custom reports can be built from scratch based on four standard report types: users, apps, events and logins. You can run reports on logged provisioning events such as pending and failed provisioning tasks, including deleting failed, deleting pending approval, modifying failed, modifying pending approval, provisioning failed, and provisioning pending approval.

You can create any number of custom reports based on the same report type. By default, a report will list all records in the data set defined by its report type. For example, the User Details report type lists all users in your OneLogin account. You can apply one or more conditions that filter only the records you need. For example, you can apply a condition that lists only active users who have signed into OneLogin in the past month. There is no limit to the number of conditions that you can apply to the report.

MOBILE

OneLogin integrates with native resident apps through a combination of SAML and password synchronization. Native resident apps that support SAML automatically work with OneLogin's single sign-on. Other applications that don't support SAML are integrated via password synchronization, which means users can sign into their mobile apps using their SSO password. OneLogin's native iPad application lets users sign into their apps using form-based authentication, SAML and WS-Federation while on the go.


ONELOGIN PLATFORM

AVAILABILITY

The OneLogin platform is highly secure and highly scalable. By design, OneLogin's cloud-based infrastructure contains no single point of failure and includes built-in redundancy at every tier: DNS, datacenter, application servers and database servers. The diagram illustrates the OneLogin high-availability setup.

EUROPEAN DATACENTER ROLL OUT

Currently OneLogin's platform is based out of two datacenters in the US, in Dallas and Chicago. OneLogin will be rolling out a replicated infrastructure in EMEA in the next 60 to 90 days. This platform will be completely separate from the US-based platform, to address concerns regarding data residency and privacy issues raised by European and other non-US-based customers.



REDUNDANT DNS

VeriSign and Dyn concurrently resolve all domain names related to OneLogin's applications. In the event that one DNS provider encounters an outage, the other provider continues to resolve domain names without interruption. Domain names are resolved with a Time-To-Live (TTL) of 30 seconds, enabling us to perform very fast data center fail-over in the event of a complete site outage.


REDUNDANT DATACENTERS

OneLogin hosts its application in two physically separate data centers with dedicated servers, deep-packet-inspection firewalls and load balancers. Should one data center become completely unavailable, traffic will redirect to the other data center to ensure continuous operation.

We use enterprise-grade data centers backed by a 100% uptime guarantee with Uninterruptible Power Supplies and diesel generators. All access to the data centers is video monitored and requires card access. Our hosting provider is SAS-70 Type II audited and Safe Harbor compliant.

REDUNDANT APPLICATION SERVERS

Load balancers evenly distribute incoming requests across a group of application servers. Should an application server become unavailable, the load balancer distributes subsequent requests to the remaining application servers.

DDOS PROTECTION

In the event of a Distributed-Denial-of-Service attack, OneLogin redirects all traffic to VeriSign DDoS Protection, which will filter out the malicious traffic, letting only genuine traffic through to OneLogin's application servers.

NO PLANNED DOWNTIME

While some SaaS vendors operate with planned partial or full downtime, OneLogin performs without planned downtime for any component of its infrastructure. Software upgrades can be rolled out while the system is operating at normal load without skipping a beat.

INDEPENDENT AUDITS

As part of our ongoing commitment to provide a best-in-class cloud service, we contract with independent parties to continuously evaluate our application and operation.

PENETRATION TESTING

iSEC Partners - with deep experience in application, infrastructure and mobile security - performs quarterly white box penetration tests. Armed with our source code, they attempt to hack into the application. OneLogin is kept informed of any discoveries throughout the assessment and reviews a detailed report of all findings. With our commitment to your security, OneLogin addresses high priority vulnerabilities immediately and low priority vulnerabilities within a month of the assessment.

ONELOGIN SECURITY

DATA CENTER SECURITY

OneLogin provides essential redundancy by employing multiple data centers to host its application and data. OneLogin data centers are SAS-70 Type II compliant and use advanced measures for redundancy, availability, physical security and continuity. Here are some of the highlights of their security and availability measures.

• Availability: Data centers have n+1 (or greater) redundancy for all critical components, including cooling systems, power, connectivity, and other essential systems. (N+1 means that there is at least one spare for any single point of failure.)

• Physical security: All equipment is secured within locked cages or vaults, secured with separate keys or biometric scanning. Access to the facility is protected by 24-hour onsite monitoring and guards, biometric authentication, CCTV with video archives, access control lists, and access and surveillance audit logs.

• Environmental controls and continuity: Data centers include full Uninterruptible Power Supply systems, backup systems, and uptime guarantees. Data center facilities have advanced fire suppression and flood control measures.

All facilities are regularly audited for SAS-70 Type II compliance.


ENCRYPTION OF COMMUNICATIONS

All data electronically transmitted to OneLogin is sent over Secure Sockets Layer (SSL). All communication between our data centers happens via an IPsec VPN.

ENCRYPTION OF PASSWORDS

When required by a given application, OneLogin stores and manages passwords on behalf of its customers. These passwords are protected with multiple levels of encryption. Every customer has its own encryption key, which is used to encrypt all passwords within the account. The customer encryption keys are encrypted using a master key, which is stored separately from the database.

Note that for certain setups, OneLogin does not store any decryptable passwords at all. For example, this is the case when all the applications use the SAML protocol for single sign-on.






DETAILED RESPONSES TO G-CLOUD 4 - SERVICE SUBMISSION PORTAL

PRICING AND COMMERCIALS

*Q-G23. UNIT PRICE

The price described here is for the OneLogin Enterprise service. Full details are available in Appendix A.

*Q-G25. DOES YOUR SERVICE HAVE A RESOURCE ELEMENT?

The OneLogin Subscription includes FREE deployment and configuration services and all Technical Support, depending on the version purchased.

Whilst the majority of OneLogin's deployment costs are included in the cost of the Software Subscription, there may be cases where additional Services are required for:

o Individual User Training
o Specialised Workflow Design and Implementation
o Knowledge Transfer for SAML implementation of in house applications.

*Q-G45. FREE OPTION?

There is a free version available; however, it has limited functionality and is unsupported.

*Q-G46. TRIAL OPTION?

A Trial version is available. OneLogin is very happy to run a Free POC in advance of a purchase of the solution.


ACCREDITATION

OneLogin follows best practice industry standards and approaches for security and resilience, as set out throughout this document, but does not currently hold UK government accreditation. OneLogin has just undertaken a preliminary audit for ISO 27001 and expects to achieve full certification in Q1 2014.

GENERAL TECHNICAL INFORMATION

*Q-G20. IS API ACCESS AVAILABLE, DOCUMENTED AND SUPPORTED?

OneLogin's REST API has been developed to allow customers to customize and extend the OneLogin platform to suit their evolving business requirements.

Through OneLogin's REST API you can: create or delete a user login, update a user's metadata/details, set (and reset) a user's password, assign applications/roles to a user, create an "embedded" URL that a user can click on to auto-launch an application, obtain a list of all users, and read a particular user's configuration.





Q-G21. OPEN STANDARDS SUPPORTED AND DOCUMENTED?

OneLogin supports all the major SSO Identity Standards, including SAML, WS-Fed and OpenID. OneLogin supports all major browsers across all major operating systems.


*Q-G54. INFORMATION PRINCIPLES FOR THE UK PUBLIC SECTOR SUPPORTED AND DOCUMENTED?

The data held in OneLogin is just the email address, First name and Last name and SamAccount name, so these principles do not really apply.

*Q-G55. GOVERNMENT ICT STRATEGY AND GREENING GOVERNMENT ICT STRATEGY SUPPORTED AND DOCUMENTED?

OneLogin's service can be said to support 3 of the 4 pillars of the Government ICT Strategy.

Part 1 - Reducing waste and project failure, and stimulating economic growth.

OneLogin's service can be tested in advance of purchase and requires hours to configure, reducing wasted man-hours and removing the possibility of project failure.

Part 2 - Creating a common ICT infrastructure

OneLogin could be used to help create a common ICT infrastructure, but this is unlikely at this time.

Part 3 - Using ICT to enable and deliver change

OneLogin allows for the speedy deployment of new services delivered from the Cloud.

Part 4 - Strengthening governance

OneLogin delivers complete reporting on application usage of managed applications.

With regard to the Greening Government ICT Strategy, OneLogin hosts its services in highly efficient third party datacenters.


SERVICE MANAGEMENT

*Q-G26. ON-BOARDING PROCESS E.G. MOVING ON TO THE SERVICE?

The OneLogin on-boarding process is very simple. It is a question of installing the Active Directory Connector and then populating the OneLogin service with the users' identities. This can take as little as 2 hours and can be done remotely. Once the connection to the Directory has been created, connections to the individual applications can be set up.

The length of the set up process tends to be dictated by the number of applications that we need to link to and the number of different types of users that we need to map to differing roles.

Free Deployment

OneLogin's deployment service is included in the cost of the subscription. In specific scenarios additional paid-for assistance may be required for training, complex configuration and knowledge transfer for SAML enabling in house applications.


*Q-G27. OFF-BOARDING PROCESS E.G. MOVING OFF THE SERVICE?

As no data is held in the OneLogin service, the service can be switched off very easily. There would be a requirement to have another service in place to ensure continued login, or all applications could be set so that they no longer used OneLogin as the Identity provider.

*Q-G30. DATA LOCATION OPTION CAN BE DEFINED BY USER?

OneLogin will be available with a choice of Infrastructure platforms, one based in Europe and one based in the USA.

The European infrastructure is slated for release in October/November 2013.

*Q-G33. SUPPORT BOUNDARIES / INTERFACES DOCUMENTED?

OneLogin can only support its own service and the connector created for the specific application. OneLogin cannot be responsible for the application to which OneLogin is connected.

*Q-G35. PERFORMANCE ATTRIBUTES DEFINED AND DOCUMENTED?

OneLogin has an SLA of 99.99% uptime. There is a continual update on our website reporting on daily and monthly uptime:

www.onelogin.com/trust

Full details of the SLA and Service Credits are available in the Master Service Agreement included in this submission.

*Q-G37. IS A SUPPORT SERVICE PROVIDED AND DOCUMENTED?

OneLogin provides email and phone support. See documents on Support attached under supporting documents.

*Q-G39. SELF SERVICE PROVISIONING / DE-PROVISIONING?

Users can set up their own OneLogin accounts from the OneLogin web site.

*Q-G40. TIME FOR PROVISIONING / DE-PROVISIONING DOCUMENTED?

OneLogin's implementation time is dependent on the complexity of the project. A simple link between OneLogin and Google Apps, for instance, may take as little as 3 hours. More complex environments may take several days of online support to implement.


SAAS GENERIC

*Q-LOT3-225. DOES YOUR COMPANY COMPLY WITH THE GOVERNMENT OPEN STANDARDS PRINCIPLES?

OneLogin complies with Open Standards like SAML and therefore with the requirement for Interoperability. It may be argued that outside of this the standards do not apply, as they are focused on data and data formats and OneLogin stores no data.

SAAS GENERIC CLIENTS

*Q-LOT3-3. SUPPORTED WEB BROWSERS?

OneLogin supports all common browsers. Where OneLogin is used to work with Password vaulted applications, a browser plug-in is required. OneLogin supports the following browsers:

• Windows / IE
• Mac / Safari
• Windows & Mac & Linux / Firefox
• Windows & Mac & Linux & Android / Chrome



Q-LOT3-6. SMARTPHONE / TABLET ACCESS?

OneLogin supports the features made available by the individual providers of the Software being used. Some will support SAML, others not.

OneLogin has a specific Application to work with iPads.


SAAS - GENERIC GENERAL FEATURES

*Q-LOT3-10. INTERNATIONAL LANGUAGE SUPPORT?

OneLogin will be rolling out its End User facing User Interface in the following languages in October 2013: German, Italian, Spanish, Portuguese and French.


*Q-LOT3-18. NATIVE SEARCH?

OneLogin has a unique federated search facility that allows users to search across multiple siloed applications in real time.

*Q-LOT3-19. SUPPORT OF BULK INPUT / EXPORT OF DATA IN STANDARD FORMATS?

Where OneLogin is not being used in conjunction with a customer's Directory, a customer may import users in CSV format.

Reports may be exported in CSV or XLS format.


SAAS GENERIC BUSINESS CONTINUITY

*Q-LOT3-21. SEPARATED ENVIRONMENTS?

OneLogin's architecture separates functions and ensures Encryption Keys are kept separate from the database.

*Q-LOT3-22. CACHING?

OneLogin can be used to cache Passwords to deliver a degree of HA in the event the customer's Directory ceases to be available. This will ensure continued access to Cloud based applications.



SAAS GENERIC - AUTHORISATION, AUTHENTICATION AND PERSONALISATION

*Q-LOT3-23. INTEGRATION WITH IDENTITY SYSTEMS?

OneLogin will integrate with OpenID. OneLogin can

OneLogin's SAML Service Provider feature enables it to act as a SAML service provider, which means that it can integrate with third party identity providers, such as Active Directory Federation Services, Shibboleth, CA SiteMinder and PingFederate.

The service provider interface allows other identity providers using SAML to:

• Sign users into OneLogin
• Sign users into applications that are already federated with OneLogin using SAML

The ability to integrate with other identity providers is key in projects where the existing identity provider infrastructure is being phased out or enhanced to work with cloud-based applications.




ESTABLISHING TRUST BETWEEN ONELOGIN AND ANOTHER IDENTITY PROVIDER

Other identity providers federate with OneLogin the same way they would with any cloud application: by uploading their X.509 certificate to OneLogin. This enables OneLogin to verify that SAML assertions come from a trusted party.

SIGNING USERS INTO ONELOGIN USING SAML

The most basic way of using OneLogin as a SAML service provider is to let users sign into OneLogin by another identity provider. For example, users could be signed into OneLogin by AD-FS when they click on a link in a SharePoint site or some other application that federates with AD-FS.

The identity provider simply posts a SAML response to the URL below with the user's user name or email address in the NameID attribute.

https://app.onelogin.com/session/saml

This method requires the user to already exist in OneLogin.
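The two steps above (the identity provider uploads its X.509 certificate, then posts a response whose NameID must name a user that already exists) as an added Go illustration of the service-provider side; this is not OneLogin's code. It signs a plain byte string rather than canonicalised XML (XML-DSig), and the issuer entity IDs, user names and certificate details are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// Response is a constructed stand-in for the SAML response an IdP posts. Real SAML
// signs canonicalised XML (XML-DSig); here the signed payload is a plain byte string.
type Response struct {
	Issuer    string // entity ID of the identity provider
	NameID    string // user name or e-mail address of the subject
	Signature []byte // RSA PKCS#1 v1.5 / SHA-256 signature over signedBytes()
}

func (r Response) signedBytes() []byte { return []byte(r.Issuer + "\n" + r.NameID) }

// ServiceProvider keeps the certificate uploaded for each federated IdP and the
// set of users that already exist locally.
type ServiceProvider struct {
	trusted map[string]*x509.Certificate // issuer entity ID -> uploaded certificate
	users   map[string]bool
}

func NewServiceProvider(existingUsers map[string]bool) *ServiceProvider {
	return &ServiceProvider{trusted: map[string]*x509.Certificate{}, users: existingUsers}
}

// UploadIdPCertificate is the federation step: the IdP's X.509 certificate (PEM)
// is stored against the issuer entity ID it will use in its responses.
func (sp *ServiceProvider) UploadIdPCertificate(issuer string, certPEM []byte) error {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("not a PEM-encoded certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	sp.trusted[issuer] = cert
	return nil
}

// SignIn accepts a response only if its issuer is federated, the uploaded certificate
// is within its validity period, the signature verifies under that certificate's key,
// and the subject already exists. It returns the signed-in user.
func (sp *ServiceProvider) SignIn(r Response, now time.Time) (string, error) {
	cert, ok := sp.trusted[r.Issuer]
	if !ok {
		return "", errors.New("issuer is not a federated identity provider")
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return "", errors.New("identity provider certificate is not currently valid")
	}
	if err := cert.CheckSignature(x509.SHA256WithRSA, r.signedBytes(), r.Signature); err != nil {
		return "", errors.New("signature does not verify under the uploaded certificate")
	}
	if !sp.users[r.NameID] {
		return "", errors.New("subject does not exist in the service provider")
	}
	return r.NameID, nil
}

// NewIdPKeyAndCert creates an RSA key and a self-signed certificate, standing in for
// the key material a real IdP would generate and hand over when federating.
func NewIdPKeyAndCert(commonName string, notBefore time.Time) (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// SignResponse is the IdP side: it produces the response it would POST for one subject.
func SignResponse(key *rsa.PrivateKey, issuer, nameID string) (Response, error) {
	r := Response{Issuer: issuer, NameID: nameID}
	digest := sha256.Sum256(r.signedBytes())
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	r.Signature = sig
	return r, err
}
```

A response signed by any key other than the one in the uploaded certificate, for an issuer that was never federated, or for a NameID that has no local user is refused before any session is created.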


SAAS GENERIC INTEGRATED COMMUNICATION TOOLS

*Q-LOT3-31. Social Networks?

OneLogin provides SSO access to most Social Networks that require a login - Twitter, Facebook etc.


SAAS GENERIC IDENTITY SERVICES

*Q-LOT3-235. REGISTRATION AND ENROLMENT?

OneLogin allows users to register or be automatically enrolled.

Q-LOT3-237. MULTIFACTOR AUTHENTICATION STANDARDS?

OneLogin includes a free Software based 2FA service which is available on iPhone, Blackberry and Android.

OneLogin also supports 3rd party Multifactor Authentication from RSA, Yubikey, Vasco, Safenet, Symantec and FireID.

*Q-LOT3-238. IDENTITY EXCHANGE PROTOCOL SAML 2.0?

OneLogin supports SAML 2.0, WS-Fed and OpenID.

OneLogin ships with over 200 predefined connectors that reduce the burden of configuring popular applications.

OneLogin also has a predefined vanilla connector that can be used to create connections to other SAML based applications.








APPENDIX A - VERSION MATRIX

OneLogin Version Matrix, September 2013

Editions:

Free - Unlimited Users, 3 Company Apps, 5 Personal Apps, Directory Integration, OneLogin Mobile OTP, OneLogin for iPad, Online Support.

Starter - Minimum 50 Users, 5 Company Apps, Unlimited Personal Apps, Directory Integration, OneLogin Mobile OTP, OneLogin for iPad, Online Support.

Enterprise - Unlimited Company Apps, Unlimited Personal Apps, Directory Integration, VPN, OneLogin Mobile OTP, OneLogin for iPad, Third-party Strong Auth, Reporting, 8×5 Live Customer Support.

Unlimited - Unlimited Company Apps, Unlimited Personal Apps, Directory Integration, VPN, OneLogin Mobile OTP, OneLogin for iPad, Third-party Strong Auth, Reporting, User Provisioning, 24×7 Live Customer Support.

Feature matrix:

Feature                      | Free           | Starter        | Enterprise       | Unlimited
-----------------------------+----------------+----------------+------------------+------------------
Single Sign-on               |                |                |                  |
  Company apps               | 3              | 5              | unlimited        | unlimited
  Personal apps              | 5              | unlimited      | unlimited        | unlimited
  OpenID                     |                |                |                  |
  SAML                       |                |                |                  |
  Custom connectors          |                |                |                  |
  Desktop single sign-on     |                |                |                  |
  Shared logins              |                |                |                  |
  OneLogin for iPad          |                |                |                  |
  Cloud Search               |                |                |                  |
Multi-factor Authentication  |                |                |                  |
  OneLogin Mobile OTP        |                |                |                  |
  RSA SecurID                |                |                |                  |
  VASCO IDENTIKEY            |                |                |                  |
  VASCO DIGIPASS             |                |                |                  |
  Yubico YubiKey             |                |                |                  |
  PKI browser certificates   |                |                |                  |
Directory Integration        |                |                |                  |
  Number of directories      | unlimited      | unlimited      | unlimited        | unlimited
  OneLogin as a directory    |                |                |                  |
  Active Directory           |                |                |                  |
  LDAP                       |                |                |                  |
  Google Apps                |                |                |                  |
  Workday                    |                |                |                  |
Policies                     |                |                |                  |
  Maximum number of policies | 1              | 1              | unlimited        | unlimited
Branding                     |                |                |                  |
  Custom subdomain           |                |                |                  |
  Custom logo                |                |                |                  |
  Custom colors              |                |                |                  |
  Embedding                  |                |                |                  |
User Management              |                |                |                  |
  Roles                      | 2              | 2              | unlimited        | unlimited
  Bulk user operations       |                |                |                  |
  Delegate admin privileges  |                |                |                  |
  Custom user fields         |                |                |                  |
Reporting                    |                |                |                  |
  Detailed event log         |                |                |                  |
  Standard reports           |                |                |                  |
  Custom reports             |                |                |                  |
  Password export            |                |                |                  |
VPN Integration              |                |                |                  |
  SAML-based SSL VPNs        |                |                |                  |
  RADIUS                     |                |                |                  |
User Provisioning            |                |                |                  |
  Automated user management  |                |                |                  |
  Entitlement mappings       |                |                |                  |
  Password synchronization   |                |                |                  |
Support                      | Online Support | Online Support | 8×5 Live Support | 24×7 Live Support

[Tick marks showing which editions include each feature row did not survive in this copy; the edition summaries above list each edition's contents.]