Integrating Criipto Verify with OneLogin

This tutorial demonstrates how to integrate Criipto Verify with OneLogin. The following steps are required to complete your first login:

  1. Register your OneLogin tenant in Criipto Verify
  2. Configure the OAuth2 flow
  3. Create a OneLogin Trusted IDP for Criipto Verify

Register your OneLogin tenant in Criipto Verify

  1. Log in to your Criipto Verify account at https://dashboard.criipto.com/applications/add
  2. Navigate to Applications
  3. Select the + sign to add a new application
  4. Provide the necessary information on the Register Application Screen
  • A name for the application. For this example OneLogin has been chosen.

  • Select the relevant domain from the Available on domain section. This will be the domain used to communicate to OneLogin. If you only subscribe to one Criipto Verify domain, only one will be listed.

  • Add a Client ID/Realm to identify the OneLogin Tenant in Criipto Verify. In this example urn:onelogin:criipto has been assigned.

  • Add the applicable Callback URL for your OneLogin tenant, in the format https://<SUBDOMAIN>.onelogin.com/access/idp.

  • Choose the relevant legal/bank identities you would like to integrate.

  • Once you are happy to proceed select Save.


Configure the OAuth2 flow

  1. Navigate to applications
  2. Select the application configured in the previous section
  3. Scroll down to the OpenID Connect section and turn on the Enable OAuth2 Code Flow toggle.
  4. Click Save.
  5. The client secret is displayed once. Record it now: it is needed when configuring the Trusted IDP in OneLogin. Criipto stores only a hash of the client secret, so it cannot be retrieved again after this screen.
  6. Leave the remaining settings at their defaults.

Create a OneLogin Trusted IDP for Criipto Verify

  1. Authenticate to the OneLogin admin console with an appropriate administrative account.
  2. Navigate to Authentication -> Trusted IDPs. For additional information on OneLogin Trusted IDPs, refer to OneLogin's Trusted IDP knowledge base article.
  3. Select New Trust in the top right.
  4. Provide an appropriate name. Please note: a separate Trusted IDP must be configured for each legal/bank identity that needs to be integrated with OneLogin. Norwegian BankID (NO BankID) is used as the example in this documentation.
  5. In the Login Options section, if you wish to present this Trusted IDP as an authentication option on the tenant's login page via an icon, check Show in Login panel and provide the URL of a suitable icon. (Websites typically host a favicon.ico file that can be used, e.g. https://www.onelogin.com/favicon.ico.) For NO BankID, https://www.bankid.com/en/_themes/bankid-www/img/logo1-default.svg can be used.
  6. In the Configurations section, enter the Issuer URL. This is the Criipto Verify domain chosen during signup, prefixed with https:// (for example https://onelogintest-test.criipto.id). To review your domain, navigate to Domains in the Criipto Verify admin console.
  7. (OPTIONAL) The Email Domains field is used to invoke this Trusted IDP automatically when a user enters their email address at login time: if the address is unrecognized but belongs to one of the listed domains, an authentication request is sent to this Trusted IDP. Leave it blank if invoking the Trusted IDP from the OneLogin login panel is the preferred method.
  8. Check Sign Users into OneLogin and deselect Sign Users into additional applications.
  9. Scroll down to the Protocol section and select OIDC from the dropdown.
  10. In the User Attribute section, enter {tidp.email} (or whatever is applicable to your use case) as the User Attribute Value. This is the attribute used for user attribute matching.
  11. Select Email for User Attribute Mapping, or the value applicable to your use case.
  12. (OPTIONAL) Allowed Email Domains is an allow list: it restricts the email domains accepted for inbound identities. If empty, there is no restriction.
  13. Enter the Authentication Endpoint. Its syntax is:
  • https://<Criipto Verify Domain Name>/<base64 encoded acr_values for the legal/bank ID being configured>/oauth2/authorize
  • To find the base64 encoded acr_values for the legal/bank ID being configured, use the Supported login methods table below.
  • For the Norwegian BankID example, the authentication endpoint is therefore https://onelogintest-test.criipto.id/dXJuOmdybjphdXRobjpubzpiYW5raWQ=/oauth2/authorize
  14. Select BASIC as the Token Endpoint Auth. Method.
  15. Enter the Token Endpoint. Its syntax is https://<Criipto Verify Domain Name>/oauth2/token
  16. Enter the User Information Endpoint. Its syntax is https://<Criipto Verify Domain Name>/oauth2/userinfo
  17. Enter the relevant scopes in the Scopes section. At a minimum, openid must be included.
  18. Enter the Client ID/Realm specified in step 4 of Register your OneLogin tenant in Criipto Verify (urn:onelogin:criipto in this example) in the Client Id field.
  19. Enter the Client Secret recorded in step 5 of Configure the OAuth2 flow in the Client Secret field.
  20. Lastly, in the Trusted IdP Settings tab, return to the top of the page and check Enable Trusted IDP in the Enable/Disable field.

Supported login methods

  Login method                            acr_values                                  base64 encoded
Norwegian BankID
  Mobile or Web (user choice)             urn:grn:authn:no:bankid                     dXJuOmdybjphdXRobjpubzpiYW5raWQ=
  BankID Biometrics (level substantial)   urn:grn:authn:no:bankid:substantial         dXJuOmdybjphdXRobjpubzpiYW5raWQ6c3Vic3RhbnRpYWw=
Norwegian Vipps Login
  Login with Vipps app                    urn:grn:authn:no:vipps                      dXJuOmdybjphdXRobjpubzp2aXBwcw==
Swedish BankID
  All options (user chooses)              urn:grn:authn:se:bankid                     dXJuOmdybjphdXRobjpzZTpiYW5raWQ=
  Same device                             urn:grn:authn:se:bankid:same-device         dXJuOmdybjphdXRobjpzZTpiYW5raWQ6c2FtZS1kZXZpY2U=
  Another device (aka mobile)             urn:grn:authn:se:bankid:another-device      dXJuOmdybjphdXRobjpzZTpiYW5raWQ6YW5vdGhlci1kZXZpY2U=
  QR code                                 urn:grn:authn:se:bankid:another-device:qr   dXJuOmdybjphdXRobjpzZTpiYW5raWQ6YW5vdGhlci1kZXZpY2U6cXI=
Danish MitID
  Level low                               urn:grn:authn:dk:mitid:low                  dXJuOmdybjphdXRobjpkazptaXRpZDpsb3c=
  Level substantial                       urn:grn:authn:dk:mitid:substantial          dXJuOmdybjphdXRobjpkazptaXRpZDpzdWJzdGFudGlhbA==
  MitID Erhverv (MitID Business)          urn:grn:authn:dk:mitid:business             dXJuOmdybjphdXRobjpkazptaXRpZDpidXNpbmVzcw==
Finnish Trust Network
  BankID                                  urn:grn:authn:fi:bankid                     dXJuOmdybjphdXRobjpmaTpiYW5raWQ=
  Mobile certificate (Mobiilivarmenne)    urn:grn:authn:fi:mobile-id                  dXJuOmdybjphdXRobjpmaTptb2JpbGUtaWQ=
  Both of the above                       urn:grn:authn:fi:all                        dXJuOmdybjphdXRobjpmaTphbGw=
Itsme
  Basic                                   urn:grn:authn:itsme:basic                   dXJuOmdybjphdXRobjppdHNtZTpiYXNpYw==
  Advanced                                urn:grn:authn:itsme:advanced                dXJuOmdybjphdXRobjppdHNtZTphZHZhbmNlZA==
Belgium
  Verified e-ID                           urn:grn:authn:be:eid:verified               dXJuOmdybjphdXRobjpiZTplaWQ6dmVyaWZpZWQ=
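The authentication endpoint path is simply the standard base64 encoding of the acr_values string, while the token and userinfo endpoints are the same for every login method. The Python script below is an added example, not Criipto's or OneLogin's code. It derives the Issuer URL and the three endpoint values for any method in the table from a Criipto Verify domain (the tutorial's onelogintest-test.criipto.id is used as the sample; replace it with your own), recovers the acr_values from an authentication endpoint already configured in a Trusted IDP, and checks a set of published base64 strings against the acr_values they claim to encode. The short labels used as keys in ACR_VALUES are this example's own shorthand, not Criipto identifiers.

```python
import base64
import urllib.parse

# Criipto Verify domain from the tutorial's example; replace with your own.
CRIIPTO_DOMAIN = "onelogintest-test.criipto.id"

# acr_values from the Supported login methods table, keyed by a label that is
# only this example's shorthand (not a Criipto identifier).
ACR_VALUES = {
    "no-bankid": "urn:grn:authn:no:bankid",
    "no-bankid-substantial": "urn:grn:authn:no:bankid:substantial",
    "no-vipps": "urn:grn:authn:no:vipps",
    "se-bankid": "urn:grn:authn:se:bankid",
    "se-bankid-same-device": "urn:grn:authn:se:bankid:same-device",
    "se-bankid-another-device": "urn:grn:authn:se:bankid:another-device",
    "se-bankid-qr": "urn:grn:authn:se:bankid:another-device:qr",
    "dk-mitid-low": "urn:grn:authn:dk:mitid:low",
    "dk-mitid-substantial": "urn:grn:authn:dk:mitid:substantial",
    "dk-mitid-business": "urn:grn:authn:dk:mitid:business",
    "fi-bankid": "urn:grn:authn:fi:bankid",
    "fi-mobile-id": "urn:grn:authn:fi:mobile-id",
    "fi-all": "urn:grn:authn:fi:all",
    "itsme-basic": "urn:grn:authn:itsme:basic",
    "itsme-advanced": "urn:grn:authn:itsme:advanced",
    "be-eid-verified": "urn:grn:authn:be:eid:verified",
}


def encode_acr(acr_value: str) -> str:
    """Standard (not URL-safe) base64 of the acr_values string, padding kept.

    The tutorial's example path keeps the trailing '=' literally, so the
    segment is returned without percent-encoding.
    """
    return base64.b64encode(acr_value.encode("ascii")).decode("ascii")


def decode_acr(segment: str) -> str:
    """Inverse of encode_acr; raises ValueError on invalid or unpadded base64."""
    return base64.b64decode(segment.encode("ascii"), validate=True).decode("ascii")


def trusted_idp_endpoints(domain: str, acr_value: str) -> dict:
    """Return the values to enter in the OneLogin Trusted IDP form.

    Only the authentication endpoint carries the acr_values segment; the
    token and userinfo endpoints are shared by every login method.
    """
    issuer = f"https://{domain}"
    return {
        "issuer": issuer,
        "authentication_endpoint": f"{issuer}/{encode_acr(acr_value)}/oauth2/authorize",
        "token_endpoint": f"{issuer}/oauth2/token",
        "userinfo_endpoint": f"{issuer}/oauth2/userinfo",
    }


def acr_from_authentication_endpoint(url: str) -> str:
    """Recover the acr_values from a configured authentication endpoint.

    Useful when reviewing an existing Trusted IDP: rejects non-HTTPS URLs and
    any path that does not have the <base64>/oauth2/authorize layout.
    """
    parts = urllib.parse.urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"authentication endpoint must use https: {url}")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 3 or segments[1:] != ["oauth2", "authorize"]:
        raise ValueError(f"unexpected path layout: {parts.path}")
    # Accept both a literal '=' and its percent-encoded form %3D.
    return decode_acr(urllib.parse.unquote(segments[0]))


def check_table(pairs: dict) -> list:
    """Return the labels whose published base64 does not match their acr_values.

    pairs maps label -> (acr_values, base64 string as published).
    """
    return [label for label, (acr, b64) in pairs.items() if encode_acr(acr) != b64]


if __name__ == "__main__":
    for label, acr in ACR_VALUES.items():
        ep = trusted_idp_endpoints(CRIIPTO_DOMAIN, acr)
        print(f"{label:26} {ep['authentication_endpoint']}")
```

Running the script prints one authentication endpoint per login method for the configured domain. decode_acr uses validate=True, so a segment with dropped "=" padding or a stray character is rejected instead of being silently decoded to a different acr_values string, which is the kind of copy error that otherwise only shows up as a failed login.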

Test users

Almost all eID types have a notion of test users and real users.

Real users are real people logging in to a web site, thereby volunteering their real name and typically also a social security number (SSN).

Test users are either created by you for the occasion, or we provide you with access to test users that already exist.

You may read more in the section on eIDs.