Configuring the Veza integration for OneLogin
The OneLogin integration connects to your OneLogin environment to discover users, group memberships, applications, and role assignments managed by the identity provider.
The integration enables:
- Discovery of OneLogin users, groups, roles, and applications
- Visibility into OneLogin administrative roles
- Review of SAML applications assigned to OneLogin users and groups
- Mapping access between OneLogin users and AWS IAM roles they can assume
Veza connects to your OneLogin environment using read-only API credentials. To configure the integration, you will need to create a new credential and save the client ID and secret.
- OneLogin administrator account
- API credentials with Read All scope
1. Log in to OneLogin as an account owner or administrator.
2. Navigate to Developers > API Credentials.
3. Click New Credential.
4. Select "Read All" scope.
5. Click Save and securely store the client ID and secret.
See the Working with API Credentials documentation for more details.
1. In Veza, go to the Integrations page.
2. Click Add Integration and search for OneLogin.
3. Click on the OneLogin tile to open the configuration form.
4. Enter the required information.
5. Click Create Integration to save the configuration.
- Insight Point: Choose whether to use the default data plane or a deployed Insight Point
- Name: A friendly name to identify the unique integration
- Domain: OneLogin domain, e.g., your-domain.onelogin.com
- Region: OneLogin region, e.g., us
- Client ID: API client ID from OneLogin
- Client Secret: API secret from OneLogin
- Mapping Configuration: Define rules for linking OneLogin users to other IdP identities or local users.
- Custom Properties: Specify any custom properties to extract by entering the API shortname and data type.
The OneLogin integration discovers the following entities and relationships:
- Domain → Users
- Domain → Applications
- Domain → Groups (one-to-many)
- Domain → Roles (one-to-many)
- Users → Groups (many-to-one)
- Users → Roles (many-to-many)
- Applications → Users (many-to-many)
A OneLogin tenant containing and managing users, applications, groups, and roles. The domain serves as the root node for discovering identity and access relationships.
Identities in OneLogin, including core attributes and authentication status. Users can belong to groups and be assigned roles.
- username: OneLogin username (required)
- email: User's email address (required)
- firstName: User's first name
- lastName: User's last name
- title: Job title (optional)
- department: Department name (optional)
- isLocked: Account lock status
- lastLoginAt: Timestamp of last login
- mfaActive: Multi-factor authentication status
- createdAt: Account creation timestamp
- updatedAt: Last modification timestamp
- awsIamRoleArns: List of AWS IAM roles the user can assume
- samlProviderArn: SAML provider ARN for AWS role assumption
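The user attributes above are enough to drive a basic access review of who can reach AWS through OneLogin. The following is an added example, not Veza's code or export format: it assumes user records are available as a list of dicts keyed by the attribute names in this table, with ISO 8601 timestamps, and it uses constructed sample values and an assumed 90-day staleness threshold.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records. Attribute names come from the table above; the
# list-of-dicts shape, ISO 8601 timestamps and all values are assumptions.
SAMPLE_USERS = [
    {"username": "alice", "isLocked": False, "mfaActive": True,
     "lastLoginAt": "2024-05-28T09:12:00Z",
     "awsIamRoleArns": ["arn:aws:iam::111111111111:role/ExampleReadOnly"]},
    {"username": "bob", "isLocked": False, "mfaActive": False,
     "lastLoginAt": "2024-05-30T17:40:00Z",
     "awsIamRoleArns": ["arn:aws:iam::111111111111:role/ExampleAdmin"]},
    {"username": "carol", "isLocked": True, "mfaActive": True,
     "lastLoginAt": "2023-11-02T08:00:00Z",
     "awsIamRoleArns": ["arn:aws:iam::111111111111:role/ExampleDeploy"]},
    {"username": "dave", "isLocked": False, "mfaActive": False,
     "lastLoginAt": "2024-05-31T11:05:00Z", "awsIamRoleArns": []},
    {"username": "erin", "isLocked": False, "mfaActive": True, "lastLoginAt": None,
     "awsIamRoleArns": ["arn:aws:iam::111111111111:role/ExampleReadOnly"]},
]
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed review date
STALE_AFTER = timedelta(days=90)  # assumed review threshold

def parse_ts(value):
    """Parse an ISO 8601 timestamp; None or empty means no recorded login."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def review_aws_access(users, now, stale_after=STALE_AFTER):
    """Return one finding per user who holds AWS IAM roles and fails a check."""
    findings = []
    for user in users:
        roles = user.get("awsIamRoleArns") or []
        if not roles:
            continue  # no AWS role assumption path, out of scope here
        reasons = []
        if not user.get("mfaActive"):
            reasons.append("mfa_inactive")
        last_login = parse_ts(user.get("lastLoginAt"))
        if last_login is None:
            reasons.append("no_recorded_login")
        elif now - last_login > stale_after:
            reasons.append("stale_login")
        if user.get("isLocked"):
            reasons.append("locked_but_role_mapped")
        if reasons:
            findings.append({"username": user["username"], "roles": roles,
                             "reasons": reasons})
    return findings
```

Calling `review_aws_access(SAMPLE_USERS, SAMPLE_NOW)` flags bob, carol and erin; dave has MFA inactive but no AWS role mapping, so he falls outside this particular review.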
SAML Applications integrated with OneLogin define what users can access through OneLogin SSO.
- oneLoginConnectorId: OneLogin connector identifier (required)
- samlProviderIds: Associated SAML provider IDs (optional)
- createdAt: Application creation timestamp
- updatedAt: Last modification timestamp
Groups represent collections of users, used for role-based access control at scale.
Admin role assignments in OneLogin grant access to platform management capabilities. Roles track administrative access with admin ID mappings.
- adminIds: List of administrative user IDs (optional)