OneLogin - Integrations - Idura Verify Documentation

This tutorial demonstrates how to integrate Idura Verify with OneLogin. The following steps are required to complete your first login:

  1. Register your OneLogin tenant in Idura Verify
  2. Configure the OAuth2 flow
  3. Create a OneLogin Trusted IDP for Idura Verify

Register your OneLogin tenant in Idura Verify

First, you must create a new application for your OneLogin tenant in Idura Verify. This is done via the Idura Dashboard.

Create Application

Once the application is created, you'll need some of its details for configuring OneLogin to communicate with Idura Verify. Gather the following information from the application settings:

  • Client ID to identify your OneLogin tenant to Idura Verify. We chose urn:idura:samples:onelogin for this example.
  • Client secret is needed if you choose the back-channel approach. The secret is generated when you configure OAuth2 Code Flow for your application.
  • Domain on which you will be communicating with Idura Verify. If your company name is Acme Corp, it could be, for example, acme-corp.idura.broker.

Configure OAuth2 Code Flow

If you are registering a new application, please save the initial configuration first.

After saving, you can configure the OAuth2 Code Flow for this application by following the three steps:

  1. Go to the OpenID Connect section of your Application settings and enable OAuth2 Code Flow.
  2. Copy the generated client secret. Note that this is the only time you will be shown the actual value of the client secret. Idura only stores this as a hashed value, which means you cannot retrieve the value once it has been generated and stored.
  3. Set the user info response strategy to plainJson to enable retrieval of plain JSON user information from the /oauth2/userinfo endpoint. Note that some libraries do not support the final userinfo request. In those cases, you will need to fetch the user data directly from the token endpoint as opposed to the userinfo endpoint. You can do this by choosing fromTokenEndpoint as the User info response strategy.

Idura Verify supports four modes for retrieving user information:

  • Plain JSON object (plainJson): User information is returned from the userinfo endpoint as a standard JSON object.
  • Signed JWT (signedJwt): User information is returned from the userinfo endpoint as a digitally signed JSON Web Token.
  • Signed and encrypted JWT (signedAndEncryptedJwt): User information is returned from the userinfo endpoint as a signed and encrypted JSON Web Encryption (JWE) object.
  • Directly from the token endpoint, embedded in the id_token (fromTokenEndpoint). The fromTokenEndpoint flow is not standard, but can be useful if you are working with a product that does not call the userinfo endpoint.

Create a OneLogin Trusted IDP for Idura Verify

  1. Authenticate to the OneLogin admin console with an appropriate administrative account.
  2. Navigate to Authentication -> Trusted IDPs. Please note: for additional information on OneLogin Trusted IDPs, please refer to the Trusted IDP knowledge base article.
  3. Select New Trust from the top right.
  4. Provide an appropriate name. Please note: for each legal/bank identity that needs to be integrated with OneLogin, a separate Trusted IDP needs to be configured. For the purposes of this documentation, NO BankID will be used as the example.
  5. In the Login Options section, if you wish to represent this Trusted IdP as an authentication option on the tenant's login page via an icon, check Show in Login panel and provide a URL to a suitable icon. (Note: websites typically host a "favicon.ico" file that could be used, e.g. https://www.onelogin.com/favicon.ico.) In the example of NO BankID, https://www.bankid.com/en/_themes/bankid-www/img/logo1-default.svg can be used.
  6. In the Configurations section, enter the Issuer URL. This will be the domain chosen during the Idura Verify signup process.
  • To review your domain in Idura Verify, navigate to Domains from the admin console, and be sure to prefix it with https://
  7. (OPTIONAL) The Email Domains field is used to automatically invoke this Trusted IdP when a user enters their email address at login time: if the email address is unrecognized but belongs to one of the domains listed, then this TIdP will be invoked via an authentication request. This setting can be left blank if invoking this Trusted IDP from the OneLogin login panel is the preferred method.
  8. Check Sign Users into OneLogin and deselect Sign Users into additional applications.
  9. Scroll down to the Protocol section and select OIDC from the dropdown.
  10. Add {tidp.email} in the User Attribute Value field of the User Attribute section, or whatever is applicable to your use case. This is the attribute used for user attribute matching.
  11. Select Email for User Attribute Mapping, or the value applicable to your use case.
  12. (OPTIONAL) Allowed Email Domains is a whitelist. This allows the administrator to restrict the acceptable email domains for inbound identities. If empty, there is no restriction.
  13. The authentication endpoint syntax is as follows:
  • https://<Idura Verify Domain Name>/<base64 encoded acr value for legal/bank id being configured>/oauth2/authorize
  • To find the base64 encoded acr value for the legal/bank ID being configured, use the Supported login methods table below.
  • Therefore, in this example of Norwegian BankID the following authentication endpoint will be used: https://onelogintest-test.criipto.id/dXJuOmdybjphdXRobjpubzpiYW5raWQ=/oauth2/authorize
  14. Select BASIC as the Token Endpoint Auth. Method.
  15. Add the relevant token endpoint. The Token Endpoint syntax is: https://<Idura Verify Domain Name>/oauth2/token
  16. Add the user information endpoint in the User Information Endpoint section. The user information endpoint syntax is: https://<Idura Verify Domain Name>/oauth2/userinfo
  17. Add the relevant scopes in the Scopes section. At a minimum, openid must be used.
  18. Add the Client ID you gathered when registering your OneLogin tenant in Idura Verify to the Client Id section.
  19. Add the Client Secret copied in Configure OAuth2 Code Flow to the Client Secret section.
  20. Lastly, in the Trusted IdP Settings tab, head to the top of the page and check Enable Trusted IDP in the Enable/Disable field.

Supported login methods

Login method | acr_values | base64 encoded

Norwegian BankID
  Mobile or Web (user choice) | urn:grn:authn:no:bankid | dXJuOmdybjphdXRobjpubzpiYW5raWQ=
  BankID Biometrics (level substantial) | urn:grn:authn:no:bankid:substantial | dXJuOmdybjphdXRobjpubzpiYW5raWQ6c3Vic3RhbnRpYWw=

Norwegian Vipps Login
  Login with Vipps app | urn:grn:authn:no:vipps | dXJuOmdybjphdXRobjpubzp2aXBwcw==

Swedish BankID
  All options (user chooses) | urn:grn:authn:se:bankid | dXJuOmdybjphdXRobjpzZTpiYW5raWQ=
  Same device | urn:grn:authn:se:bankid:same-device | dXJuOmdybjphdXRobjpzZTpiYW5raWQ6c2FtZS1kZXZpY2U=
  Another device (aka mobile) | urn:grn:authn:se:bankid:another-device | dXJuOmdybjphdXRobjpzZTpiYW5raWQ6YW5vdGhlci1kZXZpY2U=
  QR code | urn:grn:authn:se:bankid:another-device:qr | dXJuOmdybjphdXRobjpzZTpiYW5raWQ6YW5vdGhlci1kZXZpY2U6cXI=

Danish MitID
  Level low | urn:grn:authn:dk:mitid:low | dXJuOmdybjphdXRobjpkazptaXRpZDpsb3c=
  Level substantial | urn:grn:authn:dk:mitid:substantial | dXJuOmdybjphdXRobjpkazptaXRpZDpzdWJzdGFudGlhbA==
  MitID Erhverv (MitID Business) | urn:grn:authn:dk:mitid:business | dXJuOmdybjphdXRobjpkazptaXRpZDpidXNpbmVzcw==

Finnish Trust Network
  BankID | urn:grn:authn:fi:bankid | dXJuOmdybjphdXRobjpmaTpiYW5raWQ=
  Mobile certificate (Mobiilivarmenne) | urn:grn:authn:fi:mobile-id | dXJuOmdybjphdXRobjpmaTptb2JpbGUtaWQ=
  Both of the above | urn:grn:authn:fi:all | dXJuOmdybjphdXRobjpmaTphbGw=
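As an added example (not part of the original documentation, and not Idura's or OneLogin's own code), the following Python builds the three Trusted IDP endpoint URLs from the syntax in the procedure above, encodes an acr value the way the table does, and constructs the Basic Authorization header implied by Token Endpoint Auth Method BASIC; it also decodes an existing authorize URL back to its acr value so a configured trust can be audited. The domain acme-corp.idura.broker and the client credentials are constructed placeholders.

```python
import base64
from urllib.parse import urlsplit


def encode_acr(acr_value: str) -> str:
    """Standard padded base64 of the acr_values string, as used in the authorize path.

    The table's values contain only URN characters, so the result never holds
    '/' or '+', which would otherwise need escaping inside a URL path."""
    return base64.b64encode(acr_value.encode("ascii")).decode("ascii")


def trusted_idp_endpoints(domain: str, acr_value: str) -> dict:
    """Build the URLs the OneLogin Trusted IDP form asks for (issuer, authorize, token, userinfo)."""
    base = f"https://{domain}"
    return {
        "issuer": base,
        "authorization_endpoint": f"{base}/{encode_acr(acr_value)}/oauth2/authorize",
        "token_endpoint": f"{base}/oauth2/token",
        "userinfo_endpoint": f"{base}/oauth2/userinfo",
    }


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Authorization header value for Token Endpoint Auth Method = BASIC (client_secret_basic)."""
    creds = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(creds).decode("ascii")


def acr_from_authorize_url(url: str) -> str:
    """Reverse check: recover the acr value from a configured authorize URL.

    Rejects anything that is not https://<domain>/<base64>/oauth2/authorize."""
    parts = urlsplit(url)
    segments = parts.path.strip("/").split("/")
    if parts.scheme != "https" or len(segments) != 3 or segments[1:] != ["oauth2", "authorize"]:
        raise ValueError(f"not an Idura Verify authorize URL: {url}")
    return base64.b64decode(segments[0], validate=True).decode("ascii")


if __name__ == "__main__":
    # Constructed sample tenant; replace with the domain chosen at signup.
    for name, url in trusted_idp_endpoints("acme-corp.idura.broker", "urn:grn:authn:no:bankid").items():
        print(f"{name}: {url}")
```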

Test users

Most eIDs distinguish between real users and test users.

Real users represent actual individuals who authenticate on your website, providing real personal information such as their name and typically a Social Security Number (SSN).

Test users are fictitious identities used for development and testing. Depending on the eID, you can either create your own test users or use pre-existing ones provided by Idura.

For instructions on creating test users for each eID, please refer to Test user guides.