1. Docs
  2. Pulumi Cloud
  3. Access management
  4. SAML(SSO)
  5. OneLogin

SAML: Configuring OneLogin

    This guide walks you through configuring OneLogin as a SAML SSO identity provider (IdP) for the Pulumi Cloud.

    Prerequisites

    Creating the OneLogin Application

    The first step is to create a new OneLogin Application for Pulumi SSO:

    1. From the OneLogin Administration portal, go to the Applications page and select the Add App button.

    2. Search for SAML Custom Connector (Advanced) and select it.

      Finding the SAML Test Connector App

    3. Enter a Display Name and optionally a logo. See Pulumi Logos.

    4. Select Save.

      Creating a OneLogin Application example

    Configuring the OneLogin Application

    Now configure the OneLogin Application with the SAML settings for Pulumi SSO.

    Configure SAML URLs

    Select the Configuration view for the application and enter/confirm the values in the following table.

    The values you need to use are dependent upon your Pulumi organization name. Be sure to replace acmecorp with your actual organization name.

    Configuration SettingsValue
    Relay Statehttps://api.pulumi.com/login/acmecorp/sso
    Audience (EntityID)https://api.pulumi.com/login/acmecorp/sso/saml/metadata
    Recipienthttps://api.pulumi.com/login/acmecorp/sso/saml/acs
    ACS Consumer URL Validator.*
    ACS Consumer URLhttps://api.pulumi.com/login/acmecorp/sso/saml/acs
    SAML initiatorOneLogin
    SAML nameID formatEmail
    SAML issuer typeSpecific
    SAML signature elementResponse
    SAML encryption methodTRIPLEDES-CBC
    Do not change the value of SAML nameID format once your users have started using Pulumi—not even switching its value between EmailAddress or Persistent.

    Configuration settings example

    Configure SSO Settings

    Select the SSO view for the application and set/confirm the following:

    SSO SettingsValue
    SAML Signature AlgorithmSHA-512

    SSO Settings

    User Assignments

    After the Pulumi SAML application has been created in OneLogin, the next step is to assign users to it. This will grant specific users or groups access to sign into Pulumi with their OneLogin-provided credentials.

    To assign users or groups to the application, navigate to the Users tab in the OneLogin portal to add users and then assign them to the Pulumi SSO application.

    User Assignments

    Configuring Your Pulumi Organization

    The final step is to configure the Pulumi Cloud with details on your new OneLogin-based SAML application. To do this, you need to obtain the IDP metadata document from OneLogin and then provide it to Pulumi.

    First, navigate to the OneLogin Application you created above and select the More Actions drop down menu button and select SAML Metadata to download the metadata XML file.

    Get Metadata

    1. Open the file and copy the entire block of XML text in your clipboard

    2. Open the Pulumi Cloud and navigate to your SAML organization.

    3. Select the Settings tab, and then select Access Management.

    4. In the Membership Requirements section, select the Change requirements button.

    5. Select SAML SSO and then select Next.

    6. Paste the IDP metadata XML into the bottom card titled SAML SSO Settings

      Pulumi Organization Settings

    7. Select Save at the bottom of the card.

    Once the IDP metadata descriptor has been saved, you are all set to log into Pulumi.

    Signing into Pulumi using OneLogin

    Members of your OneLogin application can now sign into Pulumi. Navigate to https://app.pulumi.com/signin/sso/ and enter the name of your Pulumi organization.

    Pulumi Cloud

    Troubleshooting

    If you run into any troubles configuring OneLogin, signing into Pulumi, or need some assistance, contact us.

      Introducing Pulumi Copilot - Intelligent Cloud Management