SAML/SSO with OneLogin
Litmus gives Account Holders a range of security settings and options that protect users and content. You can configure SAML single sign-on between Litmus and OneLogin to simplify your users' access to Litmus.
Before you start
- Only the Account Holder can access and configure SAML settings in Litmus.
- New user seat creation is not supported via SAML. Users must be created within Litmus first and then authenticated via your IdP before they log in to Litmus.
- SSO with SAML can only be configured at the parent account level and is automatically applied to all subaccounts on your plan.
NOTE: SAML functionality is available with Litmus Enterprise plans.
Start with Litmus settings
In the left-side settings menu, find Your Subaccounts, then select Security and finally the SAML tab in the popup window.
Toggle on Enable SAML. If you would like your users to only access Litmus via SSO with your IdP solution, you can check the box Enforce sign-in with SAML.
NOTE: When this option is active, the Litmus Account Holder will still be able to sign in directly using their credentials via the Litmus login screen. This is to prevent the account holder from getting locked out of full account administrative functionality. Other users will be required to log in via SAML. Password resets using the Forgotten Password? option on the regular Litmus login screen will be disabled for all users.
Select OneLogin as your Identity Provider. Take note of the Audience URN, ACS (Consumer) URL Validator and ACS (Consumer) URL. You will need these later to configure a new app for Litmus in OneLogin.
Continue in OneLogin
Open a new browser tab or window so you can view both OneLogin and Litmus during configuration, then log in to OneLogin as an administrator. Go to Administration → Apps → Add Apps.
Search for SAML Test Connector (IdP) in the search box under Find Applications. Select the result called SAML Test Connector (IdP).
Configure the new application. Change the display name to Litmus. Toggle on Visible in Portal and upload the Litmus logo as the app icon. Select Save in the top right of the screen.
Next, navigate to the Configuration tab and paste the Audience URN, ACS (Consumer) URL Validator and ACS (Consumer) URL from Litmus. You may also add an optional Single Logout URL. Select Save in the upper right corner when you're finished.
Select the SSO tab in OneLogin. Two elements on this tab need to be copied and pasted into your Litmus SAML setup. First, copy the SAML 2.0 endpoint (HTTP) field from OneLogin and paste it into the corresponding field in your Litmus SAML configuration.
Next, find the X.509 Certificate and right-click the View Details link under the certificate field. Select Open Link in New Tab then copy the certificate using the Copy to Clipboard icon. Paste the X.509 Certificate into the corresponding field in your Litmus SAML configuration. Save your Litmus SAML settings.
You are now ready to assign the Litmus application to your OneLogin users, groups or role types. In your OneLogin administrator role, go to Administration → Users then select the relevant option from the Users drop-down menu.
Select the users, roles or groups that require access to Litmus, then navigate to the Applications tab and select the New app button. From here, follow the on-screen instructions to select your newly created Litmus application before saving.
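As an added example (not part of the Litmus or OneLogin documentation), here is a pre-flight check for the ACS (Consumer) URL and ACS (Consumer) URL Validator pasted on the Configuration tab. It assumes OneLogin evaluates the validator as a regular expression; the function name `check_acs_settings` and the example.com values are constructed for illustration.

```python
import re
from urllib.parse import urlsplit


def check_acs_settings(acs_url, validator):
    """Return a list of problems with an ACS URL / validator pair (empty = OK)."""
    parts = urlsplit(acs_url)
    if parts.scheme != "https" or not parts.hostname:
        return ["ACS URL must be an absolute https:// URL"]
    try:
        pattern = re.compile(validator)
    except re.error as exc:
        return [f"validator is not a valid regex: {exc}"]

    problems = []
    if not pattern.fullmatch(acs_url):
        problems.append("validator does not match the ACS URL")
    if not (validator.startswith("^") and validator.endswith("$")):
        problems.append("validator is not anchored with ^ and $")

    # Near-miss URLs that a correctly scoped validator must reject.
    host = parts.hostname
    probes = [
        acs_url.replace(host, host + ".other.invalid", 1),     # extra host suffix
        acs_url.replace(host, host.replace(".", "x", 1), 1),   # unescaped "."
        acs_url + "/extra",                                     # trailing path
        "https://other.invalid/?next=" + acs_url,               # URL embedded in another
    ]
    for probe in probes:
        # search() is the most permissive way a regex could be applied.
        if probe != acs_url and pattern.search(probe):
            problems.append(f"validator also accepts {probe}")
    return problems


if __name__ == "__main__":
    # Constructed values for illustration; use the ones shown in your Litmus SAML tab.
    acs = "https://litmus.example.com/saml/consume"
    for candidate in (r"^https://litmus\.example\.com/saml/consume$",
                      "https://litmus.example.com/saml/consume"):
        print(candidate, "->", check_acs_settings(acs, candidate) or "OK")
```

An empty result means the validator matches only the ACS URL you entered; any reported problem indicates the value was altered or truncated when it was copied from Litmus.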