A number of account-level settings are available for configuration only by the Account Owner. These settings determine broad-based account policies that are unlikely to change with any regularity. They should be configured when you initially implement OneLogin for your organization.
To access Account Settings, log in as an Account Owner and go to Settings > Account Settings.
The Basic tab includes settings that affect how the end-user engages with their personal account, applications, and the OneLogin portal. It also includes settings that determine some admin-level privileges.
Subdomain: Displays your organization-specific OneLogin subdomain. For example, mycompany.onelogin.com. You set up your subdomain when you first create your OneLogin account. This field is display-only. If you want to change it, contact OneLogin support.
Private Application Catalog: Enables your users to request access to applications that are already configured for use within your organization but that may not be included in Roles that the user is assigned to. Note: This is a preview feature that is currently available to admins only.
SAML Apps: Select Disable SAML Name ID Change to prevent admins from overriding the SAML Name ID value in SAML logins. If this option is selected, SAML Name ID values will always be populated using mappings or the default value set on the Parameters tab for the SAML app.
Assuming Users: Select Allow assuming users to enable account admins to view end-user accounts through the 'eyes' of the user. Select Allow external assuming to allow OneLogin support team members to do the same. This feature allows quick diagnosis and solution of potential problems as well as a more effective troubleshooting workflow.
OpenID: Enables the use of OpenID for users, which is another method of authentication for each individual user identity.
Framing Protection: Prevents embedding your OneLogin dashboard into other websites.
Deactivate Account: Deactivates your OneLogin account.
These settings control how your organization and its users handle passwords, and also let you redirect your users to a custom page upon logout.
Important! Some of these options are enabled by default. You can disable them, but to re-enable them, you must send an official request to OneLogin Support.
Admin password reveal: Enabled by default. Allows admins to view users' application passwords for "company apps" that use form-based authentication. This option does not allow admins to see passwords for "personal apps."
Enable password mapping: By caching encrypted passwords in OneLogin's database, OneLogin can use these passwords (AD Passwords, for instance) to provide access to apps for sign-in or provisioning purposes.
This option must be enabled if you want to use OneLogin SSO passwords as the app password for apps that support SSO password mapping, such as Google Apps and Salesforce. If you enable this option and set the Password parameter to SSO password on the Parameters page for the app, users' app credentials will change every time their OneLogin SSO credentials change. You must also select Enable directory fallback password cache to enable SSO password mapping, and it is recommended that you enable SSO password prompt.
For Desktop SSO, the user must log in to their OneLogin account at least once for the password to be cached, because Desktop SSO relies on a token and not the actual password.
SSO password prompt: If an application is using the password mapping feature, the application will detect when a user's password is out of sync with the directory, prompt the user for their password, and then cache it.
Enable directory fallback password cache: Enabled by default. Allows OneLogin to authenticate a user based upon a cached hash of the last successful password in the event of lost communication between OneLogin and the third-party directory.
Enable smart password: Select to ease migration from a remote (third-party) user directory to the OneLogin Cloud Directory, so that users do not have to reset their passwords when you migrate. OneLogin captures a hash of a user's password any time the user authenticates against a remote directory like Active Directory, LDAP, or G Suite. The hash is stored in OneLogin, but not the password itself. See Smart Passwords.
Logout URL: Specifies a global custom logout destination for any user logging out of their account.
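The directory fallback password cache and smart password options both rest on capturing a password hash at the moment a remote directory accepts a login. The sketch below is an added example, not OneLogin's code: the class names, the `DirectoryUnavailable` error, and the PBKDF2 parameters are assumptions, and `FakeDirectory` is a constructed stand-in for a real directory.

```python
import hashlib
import hmac
import os


class DirectoryUnavailable(Exception):
    """Hypothetical error: the remote directory could not be reached."""


def slow_hash(password, salt):
    # PBKDF2-HMAC-SHA256 is an assumed choice; the page does not name the hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)


class FallbackAuthenticator:
    def __init__(self, directory_check):
        self.directory_check = directory_check  # callable(user, password) -> bool
        self.cache = {}                         # user -> (salt, hash)

    def authenticate(self, user, password):
        """Return (accepted, source), where source is 'directory' or 'cache'."""
        try:
            accepted = self.directory_check(user, password)
        except DirectoryUnavailable:
            return self.verify_cached(user, password), "cache"
        if accepted:
            # Refresh the cached hash only after the directory says yes.
            salt = os.urandom(16)
            self.cache[user] = (salt, slow_hash(password, salt))
        # A definitive answer from the directory is never overridden by the cache.
        return accepted, "directory"

    def verify_cached(self, user, password):
        entry = self.cache.get(user)
        if entry is None:
            return False  # never logged in successfully, nothing to fall back to
        salt, stored = entry
        return hmac.compare_digest(stored, slow_hash(password, salt))


class FakeDirectory:
    """Constructed stand-in for a remote directory such as AD or LDAP."""
    def __init__(self, users):
        self.users, self.online = users, True

    def check(self, user, password):
        if not self.online:
            raise DirectoryUnavailable(user)
        return self.users.get(user) == password
```

In this sketch the cache refreshes only on a successful login, so a password changed in the directory but not yet used still verifies against the old hash during an outage.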
Using the power of Twilio, OneLogin can let you provide self-service password reset by sending a new temporary password to the end-user's mobile device. For more information, see SMS Password Reset.
OneLogin supports a substantial level of localization in a variety of languages. Be aware that this only affects end-users, while the administrator portal remains largely in English. For the configuration process and more details about what localization does, see Configuring Localization.
Personal Applications: Enables users to access personal applications they added to their OneLogin portal. Social media apps typically fall into this category, but the user can add any app to their Personal Apps for quick access. Administrators cannot view or manage these apps.
Profile Page: Enables users to upload a profile picture on their Profile page.
Force Tabs: Forces users to organize their collection of apps into tabs, instead of the default organizational method, which is to organize them on the same page.
Secure Notes: Enables users to create and access secure notes. For more information, see Secure Notes.
Password Notification (only for OneLogin directory users): Configures the portal to display a banner message five days before a user's password expires. The banner contains a link to update the password in the user’s profile.
While most notification configuration happens on the Activity > Notifications page and the Settings > Branding page, you can use this tab to provide a list of email addresses for the people who should receive security-related notifications from OneLogin. In the Security contact email list, enter as many email addresses as you like, separated by commas.