Some Triofox customers already use OneLogin and want to use their OneLogin credentials for single sign-on to Triofox. This article describes how to federate Triofox with OneLogin so that OneLogin is the Security Assertion Markup Language (SAML) Identity Provider (IdP) and Triofox is the SAML Service Provider (SP), also called the Relying Party (RP).
- Sign in to the Triofox server's management portal as a cluster admin.
- Click the "Settings" icon.
- Tick the check box in the Enable SAML Authentication section. Select the text under Access service provider metadata using the following link and copy the URL to the clipboard:
In this example, the service provider metadata URL was: https://slserv02triofox.hadroncloud.com/portal/saml2.aspx
- Paste the service provider metadata URL into a text editor. In a later step, OneLogin will refer to the first part of this URL, the portion before /portal/saml2.aspx, as the Triofox Domain. Save the text to a file; it will be used later when configuring OneLogin.
- Select "Other" and click "Next"
- Continuing in the Triofox Single Sign-On settings, disable Add SSO link to the login page:
- You may want to have some descriptive text for the Display text for the SSO link:
- You may want to enable the Create User when User Doesn't Exist setting, which auto-provisions a Triofox account the first time OneLogin asserts an identity Triofox has not seen. With it enabled, any user OneLogin allows into the application gets a Triofox account, so control membership through application assignment in OneLogin:
- Leave the Triofox portal page open; the OneLogin values gathered in the next steps must be entered on this page.
- In another browser tab, sign in to onelogin.com as an administrator.
- Click Applications:
- Search for Triofox, a pre-defined application in OneLogin, then click on the app:
- The app configuration will be displayed. Update the Display Name, icons, and Description as you see fit, then click the Save button in the upper right:
- Click the Configuration node; the Application details will be displayed. Enter the Triofox Domain value saved earlier from the service provider metadata URL, then click "Save".
- The application comes pre-configured with the Parameters (SAML assertion attributes) Triofox requires. Required fields: Mail, Given Name, Surname.
- Click on the SSO node, then copy the SAML 2.0 Endpoint (HTTP) to the clipboard:
- Back in the Triofox Single Sign-On UI, paste the SAML 2.0 Endpoint (HTTP) into the IdP End Point URL:
- Set the IdP Email Parameter to mail:
- Set the IdP Given Name Parameter to givenName:
- Set the IdP Surname Parameter to surName:
- Back in the OneLogin UI, click on the SSO node, then copy the Issuer URL to the clipboard:
- Paste this URL into the browser address bar and navigate to it. A metadata XML document will be downloaded. This metadata carries the signing certificate Triofox will trust for every assertion, so fetch it only over HTTPS.
- Open the downloaded metadata XML document in a text editor. Select all of the text and copy it to the clipboard:
- Back in the Triofox cluster manager UI, paste the XML metadata into the IdP Meta Data text box:
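Before pasting, it is worth confirming that the metadata you downloaded is really IdP metadata and that it agrees with the endpoint already entered in Triofox. The script below is an added example, not code from the article, Triofox or OneLogin. It assumes that OneLogin's "SAML 2.0 Endpoint (HTTP)" is the HTTP-Redirect SingleSignOnService location in the metadata; the tenant name, app id and certificate bytes in the sample are placeholders, and the sample metadata itself is constructed.

```python
"""Sanity-check OneLogin IdP metadata before pasting it into Triofox.

Added example, not part of the original article or of Triofox/OneLogin.
It parses the metadata XML downloaded from the Issuer URL and checks that
it names an entityID (the SAML Issuer Triofox will trust), that its
HTTP-Redirect SingleSignOnService location matches the endpoint pasted
into the Triofox IdP End Point URL field, and that it carries at least one
signing X509Certificate that decodes to DER. Sample values are placeholders.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Stand-in for a real certificate: a DER SEQUENCE header plus padding. It
# exercises the base64/DER check but is not a parsable X.509 certificate.
FAKE_CERT_B64 = base64.b64encode(b"\x30\x82\x00\x10" + bytes(16)).decode()

# Constructed sample shaped like OneLogin IdP metadata (placeholder values).
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://app.onelogin.com/saml/metadata/example-app-id">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-tenant.onelogin.com/trust/saml2/http-redirect/sso/example-app-id"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-tenant.onelogin.com/trust/saml2/http-post/sso/example-app-id"/>
  </IDPSSODescriptor>
</EntityDescriptor>
""" % FAKE_CERT_B64


def check_idp_metadata(xml_text: str, configured_endpoint: str) -> dict:
    """Return a summary dict; an empty 'problems' list means the metadata is usable."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")

    # Binding URN -> Location for every SSO endpoint the IdP advertises.
    endpoints = {s.get("Binding"): s.get("Location")
                 for s in idp.findall("md:SingleSignOnService", NS)}

    # Collect signing certificates; a KeyDescriptor without 'use' covers both uses.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for c in kd.findall(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join((c.text or "").split())))

    problems = []
    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("missing entityID")
    if endpoints.get(HTTP_REDIRECT) != configured_endpoint:
        problems.append("HTTP-Redirect SSO location %r does not match the configured "
                        "IdP End Point URL %r" % (endpoints.get(HTTP_REDIRECT), configured_endpoint))
    if not certs:
        problems.append("no signing certificate: Triofox could not verify assertion signatures")
    elif any(not der.startswith(b"\x30") for der in certs):
        problems.append("a signing certificate is not a DER SEQUENCE (corrupted paste?)")
    return {"entity_id": entity_id, "redirect_endpoint": endpoints.get(HTTP_REDIRECT),
            "signing_certs": len(certs), "problems": problems}


if __name__ == "__main__":
    print(check_idp_metadata(
        SAMPLE_METADATA,
        "https://example-tenant.onelogin.com/trust/saml2/http-redirect/sso/example-app-id"))
```

Run it against the real downloaded file by reading it into `xml_text` and passing the endpoint you pasted into Triofox; a mismatch usually means the Issuer URL and the SSO endpoint were copied from two different OneLogin applications. The DER check only catches a mangled paste; it does not validate the certificate.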
- There are two ways to sign in to Triofox. The first is Identity Provider (IdP) initiated.
- In a web browser, navigate to the OneLogin Applications URL for your tenant (in our example, https://gladinet2-dev.onelogin.com/apps).
- The application you created will be listed. Click on the application and you should be redirected to your Triofox website:
- If you watch the address bar you will see some redirects, but eventually you should be signed in to the correct tenant in the Triofox portal without being prompted for credentials.
- The second method is Relying Party (RP) initiated, also known as SP-initiated.
- Navigate to the first URL displayed in the Triofox Single Sign-On settings page:
- You will see some redirects in the address bar, including the URL of your OneLogin tenant. In the same browser you won't be prompted for credentials, because the browser already holds a OneLogin session from the previous sign-in. You should land on the Triofox portal page.
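If either sign-in test lands on the Triofox portal but the user is not created or is created with an empty name, the usual cause is that the attribute names OneLogin sends do not match the IdP Email, Given Name and Surname parameter names entered in Triofox. The script below is an added example, not code from the article, Triofox or OneLogin: it decodes the SAMLResponse form field the browser posts to /portal/saml2.aspx (copy it from the browser's developer tools during the test) and compares the assertion's attribute names with the configured names. Whether Triofox matches names case-insensitively is not stated in the article, so exact matches and case-only differences are reported separately. The sample response is constructed, unsigned and uses placeholder values; the code does not validate signatures and is a diagnostic only.

```python
"""Check a captured SAMLResponse against the Triofox parameter names.

Added example, not part of the original article or of Triofox/OneLogin.
Decodes the base64 SAMLResponse posted to Triofox and confirms the assertion
carries the attributes Triofox was configured to read (mail, givenName,
surName). Names that differ only in case, such as "surname" for "surName",
are reported separately. The sample is constructed and unsigned.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# The IdP parameter names entered in the Triofox Single Sign-On settings.
TRIOFOX_PARAMS = ("mail", "givenName", "surName")

# Constructed, unsigned sample response with placeholder values; note the
# deliberately mis-cased "surname" attribute.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://triofox.example.com/portal/saml2.aspx">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/example-app-id</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://app.onelogin.com/saml/metadata/example-app-id</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def decode_saml_response(b64: str) -> ET.Element:
    """HTTP-POST binding: SAMLResponse is plain base64 of the XML (no deflate)."""
    return ET.fromstring(base64.b64decode(b64))


def response_summary(root: ET.Element) -> dict:
    """Pull out the Issuer, status code and every attribute name with its values."""
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    issuer = root.find("saml:Issuer", NS)
    attrs = {}
    for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
    return {
        "issuer": issuer.text if issuer is not None else None,
        "status": status.get("Value") if status is not None else None,
        "attributes": attrs,
    }


def check_parameters(attrs: dict, required=TRIOFOX_PARAMS) -> dict:
    """Compare attribute names with the configured names, exactly and case-folded."""
    by_lower = {name.lower(): name for name in attrs}
    missing, case_mismatch = [], {}
    for want in required:
        if want in attrs and any(attrs[want]):
            continue  # present with a non-empty value
        if want.lower() in by_lower:
            case_mismatch[want] = by_lower[want.lower()]
        else:
            missing.append(want)
    return {"ok": not missing and not case_mismatch,
            "missing": missing, "case_mismatch": case_mismatch}


if __name__ == "__main__":
    summary = response_summary(decode_saml_response(SAMPLE_RESPONSE_B64))
    print(summary["issuer"], summary["status"])
    print(check_parameters(summary["attributes"]))
```

The Issuer in the summary should equal the entityID of the metadata pasted into Triofox; if it does not, the browser was sent through a different OneLogin application than the one whose metadata you configured.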
Install the Windows client as usual: first sign in to the web portal through the OneLogin application (IdP-initiated sign-on), then download the Triofox Windows client software. After installation, the Windows client uses the security token from the web browser to sign the user in the first time. If the Windows client signs out or the token expires, it displays the OneLogin sign-in: