onelogin-oidc-node's Introduction

OneLogin OpenId Connect Node Samples

This repo contains Node.js sample apps that demonstrate the various OpenId Connect flows:

  1. Auth Flow - An Express + Passport app example
  2. Implicit Flow - A Single Page App (SPA) example
  3. Password Grant - A sample using the Resource Owner Password Grant
  4. Auth Flow + PKCE - Best practice for SPA or native mobile apps

What can I use these for?

OpenId Connect is a great way to add user authentication to your application where you are depending on another party to manage the user identities.

In this case, OneLogin can manage the identity of your users, making it faster to get up and running.

Single Sign On (SSO)

By implementing OpenId Connect via OneLogin you are creating a OneLogin session, which can be used to single sign on from your custom app into other apps that your users may have access to via the OneLogin portal.

MFA

If MFA is enabled for a user in OneLogin then they will be prompted to enter a token during the authentication. OneLogin takes care of all of this for you, making strong authentication much easier to implement in your app.

Requirements

In order to run any of the samples you will need to create an OpenId Connect app in your OneLogin Admin portal. You can read more about how to do that here.

If you don't have a OneLogin developer account you can sign up here.

Local testing

By default these samples will run on http://localhost:3000.

You will need to add your callback URL to the list of approved Redirect URIs for your OneLogin OIDC app via the Admin portal, e.g. http://localhost:3000/oauth/callback

US and EU instances

The examples use https://openid-connect.onelogin.com/oidc as the base URL for OIDC endpoints. If you are using an EU instance, use https://openid-connect-eu.onelogin.com/oidc instead.

onelogin-oidc-node's People

Contributors

hel5sou, isalew, pitbulk, richet

onelogin-oidc-node's Issues

iat is in the future 1536067127

I cannot seem to get the SPA example working.
Every time I try to authenticate I keep getting the error:

iat is in the future 1536067127

Can this be related to a config issue or rather system date & time?
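
An added example, not code from this repo or from any OIDC client library: the kind of issued-at check that produces an error like the one quoted above, run against a local clock that is behind the issuer. The function names, the 300-second skew allowance and the sample token are assumptions constructed for illustration.

```javascript
// Hypothetical helpers (not a library API): time-claim checks on an ID token
// payload with a clock-skew allowance. The signature is NOT verified here.

function decodePayload(jwt) {
  // Decode (do not verify) the middle segment of a compact JWT.
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

function checkTimeClaims(payload, nowSec, skewSec = 0) {
  // Returns null when the claims are acceptable, otherwise an error string.
  if (!Number.isInteger(nowSec) || skewSec < 0) throw new Error('bad clock input');
  if (typeof payload.iat !== 'number') return 'iat was not provided';
  if (typeof payload.exp !== 'number') return 'exp was not provided';
  // A token issued "later" than local time plus the allowance is rejected.
  if (payload.iat > nowSec + skewSec) return `iat is in the future ${payload.iat}`;
  if (typeof payload.nbf === 'number' && payload.nbf > nowSec + skewSec) {
    return `nbf is in the future ${payload.nbf}`;
  }
  // A token that expired more than the allowance ago is rejected.
  if (payload.exp < nowSec - skewSec) return `exp is in the past ${payload.exp}`;
  return null;
}

// Constructed sample token: iat reuses the value from the error message above.
const ISSUED_AT = 1536067127;
const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const sampleJwt = [
  b64({ alg: 'RS256', typ: 'JWT' }),
  b64({ sub: 'user-1', iat: ISSUED_AT, exp: ISSUED_AT + 3600 }),
  'signature-not-checked',
].join('.');

function demo() {
  const payload = decodePayload(sampleJwt);
  return {
    // Local clock 400 s behind the issuer, 300 s allowance: rejected.
    clockBehind: checkTimeClaims(payload, ISSUED_AT - 400, 300),
    // Local clock 120 s behind, inside the allowance: accepted.
    withinSkew: checkTimeClaims(payload, ISSUED_AT - 120, 300),
    // Clocks in sync, no allowance needed: accepted.
    inSync: checkTimeClaims(payload, ISSUED_AT + 5, 0),
    // More than the allowance past expiry: rejected.
    expired: checkTimeClaims(payload, ISSUED_AT + 3600 + 301, 300),
  };
}

console.log(demo());
```

Comparing the local clock against a trusted time source shows which of these cases applies; widening the allowance also widens the window in which expired tokens are accepted.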

Can't connect to site locally

Hey there,

Trying to run this app locally to test it out. I keep getting 404s. There's a weird "undefined" in the URL after clicking login, I'm not sure where that's coming from. My OIDC_REDIRECT_URI from the .env file matches the Redirect URI in my OIDC panel configs (http://localhost:3000/oauth/callback). My token endpoint method is set to POST. Not sure what the next step here would be. Thanks!

How to implement silent renew with one login?

I don't see this example implementing silent renew so I'm wondering how we can do it with one login. I tried to implement it in my react app but I just got this End User Authentication required error when I turned on automaticSilentRenew (it triggered signinSilent from the oidc-client lib when the token is about to expire). It seems to me that one login could not recognize the id_token_hint in the request param that is sent from the silent renew call by the lib. Thus, it doesn't recognize that the user has an active session with one login while receiving the silent renew request from the client. How can we solve this problem? Thanks!

[Question] Onelogin Logout (SLO) via oidc javascript client

Hi,
I want to use Onelogin as the IDP for 2 different SPA's (angular apps), so I cloned this repo in order to test different scenarios.

I was able to setup the OIDC Connector in my Onelogin Account and was able to login different Users.

Next I wanted to try to log a User out of "App - A" and recognize it in "App - B". Therefore I started with the Logout itself, leading me to this error: No end session endpoint url returned while calling the signoutRedirect Method of the Oidc.UserManager

I know that you can override specific metadata for the UserManagerSettings, so I gave the metadata from onelogin oidc a look. (<your_endpoint>/oidc/.well-known/openid-configuration)
There is not a single metadata endpoint which would be close to one that sounds like it would log out a User from all sessions.

Is this not supported by Onelogin or how can this be achieved?

password grant type is not working for me

I tried Password grant type, but it again & again asking username & password, does not navigate to any
and getting
GET / 304 80.462 ms - -
GET /stylesheets/style.css 304 1.199 ms - -
POST /login 302 312.710 ms - 46
GET / 304 4.022 ms - -
GET /stylesheets/style.css 304 0.338 ms - -
POST /login 302 33.700 ms - 46
GET / 304 3.406 ms - -
GET /stylesheets/style.css 304 0.528 ms - -

onelogin "Halogen Software" App Store needs to be updated

As you may be aware, Halogen Software has recently been acquired by Saba Software.
https://www.saba.com/press/news/saba-software-announces-agreement-to-acquire-halogen-software
Thus, the "Halogen Software" TalentSpace Product is currently called "Saba TalentSpace".
 
Could you update your public documentation:
  https://www.onelogin.com/connector/halogen
  https://www.onelogin.com/connector/halogenadmin
 
It is using the old Saba logo. You can see what Saba Software current logo looks like from the above article or by just visiting saba.com

    You can get the logo from here:
    https://archive.org/download/sabalogo/sabalogo.png

Also, maybe the URLs could be updated (e.g. - https://www.onelogin.com/connector/talentspace) ?
 
  
Secondly, the following are screenshots of your onelogin App Store when searching for "Halogen":
  https://archive.org/download/app_store2/app_store2.jpg
  https://archive.org/download/app_store/app_store.jpg
 
We are having to tell our clients to search for "Halogen Software" to implement SSO. It would be great if you could update these to say "Saba TalentSpace" and with the current logo.
 
For the built-in "Rectangular Icon", you can use:
  https://archive.org/download/sabafulllogo/sabafulllogo.png
 
For the built-in "Square Icon", you can use:
  https://archive.org/download/sabalogo/sabalogo.png
 
 
Lastly, for the "Configuration" section of the SAML SSO app you have for Halogen Software, the built-in app appears to only come with a "SAML Audience URL" field and a "SAML Consumer URL" field which will fail when configuring this with clients.
 
It should come with the "SAML Consumer URL", "SAML Audience URL", "SAML Recipient", and "ACS URL Validator".
 
Otherwise, we're forced to walk clients through adding a custom app via "SAML Test Connector (IdP w/ attr)" which comes with all these fields to get this working successfully.

Can't switch user after forcing a login with prompt=login

I read that OneLogin OIDC Provider does not currently support single logout, although I managed to "force" a login from my React app with prompt: "login" setting.

However, when I am redirected to the login screen & I try to use a different user's credentials, I receive 500 Internal Server Error. Until I either

  • explicitly go to the OneLogin portal and sign out the last logged-in user,
  • use my app in the incognito mode,

it seems impossible to "switch" accounts in my app.

Is there any workaround for that?

Authorization Flow not working?

I'm trying to walk through this tutorial but the application is not going to the login screen once the login button is clicked. I am seeing this in my console:

GET /?code=YmMyZTJlY2MtNjIwYi00Zjc0LTljMjEtZTI4MTI5OTJkODY54_Dumh8dkTJcpNQoV7ClooOYXEE8c-YYR694nfl_hi5CSZ4mW7-DITNnpJcMf05TLMr65nebyY--JQTTE05-gg&state=loUWE64wD%2FzZxYKwG4B%2BrQj3 200 3.322 ms - 540

which tells me the request is being made successfully but the login screen never appears for me to actually login and there is no 'flow' to follow or understand this process.

I have set up an app in the company apps and changed the .env.sample to .env along with updating the variables within the .env file.

Implicit Flow not working?

I'm going through the tutorial and found a few issues:

  1. Clone this repo and then update /javascripts/main.js with the client_id you obtained from OneLogin and the subdomain of your OneLogin account.

There seems (on my end) to be an issue with the client_id and subdomain instructions. It's not entirely obvious if the client_id needs to be the one that is issued in the OneLogin App or our personal API one given to us. If it's the latter, that will throw an error with the following output:

error: invalid_client
error_description: client is invalid
state: 7f38287367a6475f9eaa6c0b6370c1c

When I have the correct client_id setup in the javascripts/main.js file I am not seeing anywhere there being a field for me to specify the parameter of subdomain. Can someone tell me where this is supposed to be specified as I don't see it being a valid parameter per the code's layout ATM?

  1. You will need to add your callback url to the list of approved Redirect URIs for your OneLogin OIDC app via the Admin portal. e.g. http://localhost:3000/oauth/callback

So I have http://localhost:3000/oauth/callback setup in the configuration --> redirect URI's field and it still is throwing me an issue:

error: redirect_uri_mismatch
error_description: redirect_uri did not match any client's registered redirect_uris
state: 497592e85aae4273ad05f397fbd6dcc9

Can I get a hand clarifying what's going wrong? I'd be more than happy to update the docs in return for a hand in this :)

Npm install warning - 4 Vulnerabilities (1 moderate, 3 high)

When installing your example onelogin-oidc-node application, npm install returns the following error/warning.

added 137 packages from 146 contributors and audited 339 packages in 1.6s
found 4 vulnerabilities (1 moderate, 3 high)
  run `npm audit fix` to fix them, or `npm audit` for details

This comes down to one dependency in package.json.

-    "hbs": "^4.0.5",
+    "hbs": "^4.1.0",
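
Review bot: On the hbs line, the old range ^4.0.5 already accepts 4.1.0, so editing package.json alone may not change what an existing install resolves to. Regenerate and commit the lockfile together with this bump (if the repo ships one), then re-run npm audit to confirm the 4 reported findings are gone, since the output quoted above does not name the affected packages.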
