
SSO/SAML Setup: OneLogin

Note: DataGrail only supports connections with SAML v2.0.

DataGrail OneLogin Application

  1. Create a DataGrail App in your OneLogin instance
  2. Integrate OneLogin with a read-only user. This will alert Legal when applications that may contain personal data are added or removed, so they can take appropriate action to comply with privacy regulations.

Step 1: Build a SAML Test Connector (Advanced) App:

  1. Click the Administration tab in the top right corner.

  2. Select Users and then Custom User Fields.

  3. Add a new field called DataGrail Admin with is_dg_admin as the Shortname.

  4. Go to Applications >> Add App.

  5. Under Find Applications select SAML Custom Connector (Advanced).

  6. Edit the Display Name to DataGrail and click Save. Once complete, navigate to the Configuration tab on the left-hand menu.

  7. Edit the following fields:

    1. Audience (EntityID): https://[yourname].datagrail.io/saml/metadata

    2. Recipient: https://[yourname].datagrail.io/saml/auth

    3. ACS Consumer URL: https://[yourname].datagrail.io/saml/auth

    4. ACS Consumer URL Validator

      1. Input the regex expression that matches the value of the ACS Consumer URL from step 3.
      2. Ex: https://testcustomer.datagrail.io/saml/auth is validated as:
      ^https:\/\/testcustomer\.datagrail\.io\/saml\/auth$

      Note: '.' is a regex metacharacter (it matches any single character), so each '.' and '/' in the URL is escaped with a '\' so that it matches literally. The '^' and '$' anchors mark the beginning and end of the string, so only the exact ACS Consumer URL matches.

    5. SAML not valid before / not valid on or after: 3 (should be the default)

    6. SAML Initiator: Default: OneLogin

    7. SAML NameID Format: email

    8. SAML Issuer Type: Specific

    9. SAML Signature Element: Response

    10. SAML Encryption Method: Default to TRIPLEDES-CBC

    11. SAML sessionNotOnOrAfter: Set to 1440 (should be the default)

  8. Select the Parameters section in the left-hand menu.

  9. Add a field named email, select Include in SAML assertion, and click Save. Once complete, select Email from the value dropdown. Click Save.

  10. Add a field named first_name, select Include in SAML assertion, and click Save. Once complete, select First Name from the value dropdown. Click Save.

  11. Add a field named last_name, select Include in SAML assertion, and click Save. Once complete, select Last Name from the value dropdown. Click Save.

  12. Add a field named is_dg_admin, select Include in SAML assertion, and click Save. Once complete, select DataGrail Admin from the value dropdown. Click Save.

  13. Open the SSO section of the left-hand menu. Set SAML Signature Algorithm to SHA-256.

  14. Copy the Issuer URL (metadata URL) and send it to: support@datagrail.io
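The ACS Consumer URL Validator in step 4 is what stops OneLogin from posting an assertion to a URL that merely resembles your ACS endpoint. The following is an added example, not DataGrail's or OneLogin's code: it builds the anchored, escaped pattern from an ACS URL (the hypothetical testcustomer tenant from the page) and audits it against constructed lookalike URLs to show what an unescaped, unanchored pattern would wrongly accept.

```python
import re

# Constructed ACS Consumer URL for a hypothetical tenant (step 3 of the field list).
ACS_URL = "https://testcustomer.datagrail.io/saml/auth"

# Regex metacharacters that must be backslash-escaped so they match literally.
# '/' is not a metacharacter, but it is escaped too, matching the form shown
# in the page's example for the OneLogin field.
_ESCAPE = set(r".^$*+?()[]{}|\/")


def build_acs_validator(acs_url):
    """Build the anchored pattern for the ACS Consumer URL Validator field."""
    escaped = "".join("\\" + ch if ch in _ESCAPE else ch for ch in acs_url)
    return "^" + escaped + "$"


def is_allowed(pattern, candidate_url):
    """True if the validator pattern accepts the candidate ACS URL.

    re.search (not fullmatch) is used on purpose: the ^ and $ anchors inside
    the pattern are what restrict the match to the whole string.
    """
    return re.search(pattern, candidate_url) is not None


def audit(pattern, candidates):
    """Return the candidates the pattern accepts; a correct validator accepts only ACS_URL."""
    return [url for url in candidates if is_allowed(pattern, url)]


# Constructed inputs: the real ACS URL plus three lookalikes, each defeating
# one weakness of a pattern pasted in without escaping or anchors.
CANDIDATES = [
    ACS_URL,
    "https://testcustomer-datagrail.io/saml/auth",        # unescaped '.' matches '-'
    "https://testcustomer.datagrail.io/saml/auth/extra",  # no '$': prefix match
    "https://evil.example/?next=https://testcustomer.datagrail.io/saml/auth",  # no '^'
]

STRICT = build_acs_validator(ACS_URL)
WEAK = ACS_URL  # the raw URL used as a pattern: unescaped and unanchored

if __name__ == "__main__":
    print("validator:     ", STRICT)
    print("strict accepts:", audit(STRICT, CANDIDATES))
    print("weak accepts:  ", audit(WEAK, CANDIDATES))
```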

Step 2: Invite Users:

Learn about inviting new users with OneLogin here.

Disclaimer: The information contained in this message does not constitute legal advice. We would advise seeking professional counsel before acting on or interpreting any material.