SAML/SSO with OneLogin
This section explains step by step how to configure SAML single sign-on (SSO) between Litmus and OneLogin as the identity provider.
Things to note
- New user seat creation is not supported via SAML. Users must be created within Litmus first and then authenticated via OneLogin prior to logging into Litmus.
- Only the Litmus account holder will be able to access and configure SAML settings on an account.
- SSO with SAML can only be configured at the parent account level and is automatically applied to all subaccounts on your plan.
- SAML functionality is available with a Litmus Enterprise plan.
How to set up SAML/SSO with OneLogin
1. As the Litmus account holder, sign in to Litmus, find “Your Subaccounts” in the side menu, then select “Security” and finally the “SAML” tab in the popup window.
Short animation showing the Your Subaccounts category in Settings, the Security left menu option, and the SAML tab setting in Litmus
2. Toggle on “Enable SAML”.
3. If you would like your users to only access Litmus via SSO with OneLogin, you can check the box “Force sign in with SAML”.
Note: When this option is active:
- The main Litmus account holder will still be able to sign in to Litmus using their Litmus credentials via the Litmus login screen. This is to prevent the main account holder from getting locked out of full account administrative functionality. Other users will be forced to log in via SAML.
- Password resets using the “Forgotten Password?” option on the regular Litmus login screen will be disabled for all users.
4. Select OneLogin as your IdP.
5. Take note of the “Audience URN”, “ACS (Consumer) URL Validator” and “ACS (Consumer) URL”, as you will need these when configuring a new app for Litmus within OneLogin.
6. In a new browser tab or window (as you will need to view both OneLogin and Litmus during configuration), log in to OneLogin as an administrator and go to Administration → Apps → Add Apps.
7. Look up the term “SAML Test Connector (IdP)” in the ‘Find Apps’ search box and select the result titled “SAML Test Connector (IdP)”.
8. Next, configure the new application by changing the display name to “Litmus”, ensuring the “Visible in Portal” option is toggled on, and uploading a copy of the Litmus logo (found here) as the icon for the app. Once done, click “save” in the top right of the screen.
9. Once saved, navigate to the “Configuration” tab and paste in the “Audience URN”, “ACS (Consumer) URL Validator” and “ACS (Consumer) URL” from Litmus (as referenced in step 5) and click save. Note: You may also add your “single Logout URL” at this time if you wish.
10. Next, navigate to the “SSO” tab. Copy the “SAML 2.0 endpoint (HTTP)” field from OneLogin and paste it into the corresponding field on the Litmus SAML configuration tab (see step 1).
11. Return to the OneLogin SSO tab and open the X.509 Certificate by right-clicking the “View Details” link under the certificate field and selecting “Open Link in a New Tab”. Then copy the certificate using the “Copy to Clipboard” icon. Paste the X.509 Certificate into the corresponding field on the Litmus SAML configuration tab (see step 1). Once the certificate has been pasted into Litmus, click “Save SAML settings”.
12. You are now ready to assign the Litmus application to your OneLogin users, groups or role types. To do this, return to OneLogin as an administrator and go to Administration → Users, then select the relevant option within the “Users” drop-down menu.
13. Select the users, roles or groups that require access to Litmus, then navigate to the “Applications” tab and click the “New App” button. From here, follow the on-screen instructions and select the newly created “Litmus” application before saving.
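Step 11 moves the IdP signing certificate between two consoles by clipboard. The added example below (not Litmus or OneLogin code) checks that pasted PEM text holds exactly one intact certificate and computes its SHA-256 fingerprint, so the copy taken from OneLogin and the copy saved in Litmus can be compared. The function names and `SAMPLE_PEM` are assumptions made for illustration, and the sample is constructed filler, not a real certificate.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)

def pem_to_der(pasted: str) -> bytes:
    """Return the DER bytes of the single certificate in a pasted PEM string."""
    blocks = PEM_RE.findall(pasted)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one PEM block, found {len(blocks)}")
    label, body = blocks[0]
    if label != "CERTIFICATE":
        raise ValueError(f"pasted block is a {label}, not a CERTIFICATE")
    # Line wrapping and stray whitespace from the clipboard are harmless.
    der = base64.b64decode("".join(body.split()), validate=True)
    check_outer_length(der)
    return der

def check_outer_length(der: bytes) -> None:
    """A certificate is one DER SEQUENCE; its declared length must match."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: length fits in one byte
        header, declared = 2, first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        header, declared = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + declared != len(der):
        raise ValueError("certificate is truncated or has trailing data")

def sha256_fingerprint(pasted: str) -> str:
    """Colon-separated SHA-256 fingerprint of the DER encoding."""
    digest = hashlib.sha256(pem_to_der(pasted)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

# Constructed stand-in: a valid outer SEQUENCE header over filler bytes,
# NOT a real certificate. Replace with the text copied from the IdP.
_body = bytes(range(256)) * 3
_der = b"\x30\x82" + len(_body).to_bytes(2, "big") + _body
_b64 = base64.b64encode(_der).decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(sha256_fingerprint(SAMPLE_PEM))
```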