OneLogin

Configuring the Veza integration for OneLogin

Overview

The OneLogin integration connects to your OneLogin environment to discover users, group memberships, applications, and role assignments managed by the identity provider.

The integration enables:

  • Discovery of OneLogin users, groups, roles, and applications

  • Visibility into OneLogin administrative roles

  • Review of SAML applications assigned to OneLogin users and groups

  • Mapping access between OneLogin users and AWS IAM roles they can assume

Configuring OneLogin

Veza connects to your OneLogin environment using read-only API credentials. To configure the integration, you will need to create a new credential and save the client ID and secret.

Prerequisites

  • OneLogin administrator account

  • API credentials with Read All scope

Creating OneLogin API Credentials

  1. Log in to OneLogin as an account owner or administrator.

  2. Navigate to Developers > API Credentials.

  3. Click New Credential.

  4. Select "Read All" scope.

  5. Click Save and securely store the client ID and secret.

See the Working with API Credentials documentation for more details.

Configuring OneLogin on the Veza Platform

  1. In Veza, go to the Integrations page.

  2. Click Add Integration and search for OneLogin.

  3. Click on the OneLogin tile to open the configuration form.

  4. Enter the required information.

  5. Click Create Integration to save the configuration.

| Field | Description |
| --- | --- |
| Insight Point | Choose whether to use the default data plane or a deployed Insight Point |
| Name | A friendly name to identify the unique integration |
| Domain | OneLogin domain, e.g., your-domain.onelogin.com |
| Region | OneLogin region, e.g., us |
| Client ID | API client ID from OneLogin |
| Client Secret | API secret from OneLogin |
| Mapping Configuration | Define rules for linking OneLogin users to other IdP identities or local users. |
| Custom Properties | Specify any Custom Fields to extract by entering the API shortname and data type. |

Notes and Supported Entities

The OneLogin integration discovers the following entities and relationships:

  • Domain → Users

  • Domain → Applications

  • Domain → Groups (one-to-many)

  • Domain → Roles (one-to-many)

  • Users → Groups (many-to-one)

  • Users → Roles (many-to-many)

  • Applications → Users (many-to-many)

OneLogin Domain

A OneLogin tenant containing and managing users, applications, groups, and roles. The domain serves as the root node for discovering identity and access relationships.

OneLogin User

Identities in OneLogin, including core attributes and authentication status. Users can belong to groups and be assigned roles.

| Attribute | Description |
| --- | --- |
| username | OneLogin username (required) |
| email | User's email address (required) |
| firstName | User's first name |
| lastName | User's last name |
| title | Job title (optional) |
| department | Department name (optional) |
| isLocked | Account lock status |
| lastLoginAt | Timestamp of last login |
| mfaActive | Multi-factor authentication status |
| createdAt | Account creation timestamp |
| updatedAt | Last modification timestamp |
| awsIamRoleArns | List of AWS IAM roles the user can assume |
| samlProviderArn | SAML provider ARN for AWS role assumption |
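
The following Python script is an added example, not code from Veza or OneLogin. It shows one access review these attributes support: listing users who can assume AWS IAM roles while MFA is inactive, the account is locked, or the last login is stale. The attribute names come from the table above; the list-of-dicts record shape, the ISO 8601 timestamps, the 90-day threshold, the finding labels, and the function names are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records. Field names follow the attribute table above;
# the record shape and the ISO 8601 timestamp format are assumptions.
SAMPLE_USERS = [
    {"username": "alice", "isLocked": False, "mfaActive": True,
     "lastLoginAt": "2024-05-28T09:00:00Z", "awsIamRoleArns": ["arn:aws:iam::111111111111:role/ExampleAdmin"]},
    {"username": "bob", "isLocked": False, "mfaActive": False,
     "lastLoginAt": "2024-05-30T12:00:00Z", "awsIamRoleArns": ["arn:aws:iam::111111111111:role/ExampleReadOnly"]},
    {"username": "carol", "isLocked": True, "mfaActive": True,
     "lastLoginAt": "2023-11-01T08:30:00Z", "awsIamRoleArns": ["arn:aws:iam::111111111111:role/ExampleDeploy"]},
    {"username": "dave", "isLocked": False, "mfaActive": False,
     "lastLoginAt": None, "awsIamRoleArns": []},
]

def parse_ts(value):
    """Parse an ISO 8601 timestamp; None or empty means no recorded login."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def review_aws_access(users, now, stale_after_days=90):
    """Return {username: [findings]} for users who can assume AWS IAM roles."""
    findings = {}
    for user in users:
        roles = user.get("awsIamRoleArns") or []
        if not roles:
            continue  # no AWS role path, out of scope for this review
        issues = []
        if not user.get("mfaActive"):
            issues.append("mfa_inactive")
        if user.get("isLocked"):
            issues.append("locked_with_roles")
        last_login = parse_ts(user.get("lastLoginAt"))
        if last_login is None:
            issues.append("never_logged_in")
        elif now - last_login > timedelta(days=stale_after_days):
            issues.append("stale_login")
        if issues:
            findings[user["username"]] = issues
    return findings

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed date for a repeatable run
    for name, issues in review_aws_access(SAMPLE_USERS, now).items():
        print(name, ", ".join(issues))
```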

OneLogin App

SAML Applications integrated with OneLogin define what users can access through OneLogin SSO.

| Attribute | Description |
| --- | --- |
| oneLoginConnectorId | OneLogin connector identifier (required) |
| samlProviderIds | Associated SAML provider IDs (optional) |
| createdAt | Application creation timestamp |
| updatedAt | Last modification timestamp |

OneLogin Group

Groups represent collections of users, used for role-based access control at scale.

OneLogin Role

Admin role assignments in OneLogin grant access to platform management capabilities. Roles track administrative access with admin ID mappings.

| Attribute | Description |
| --- | --- |
| adminIds | List of administrative user IDs (optional) |
