Users are typically employees of your organization, but can be any person that your organization cares about, including partners and customers.
In OneLogin, user management tasks include:
- Adding users, either directly into the OneLogin directory, or by synchronizing them from an external directory, such as Active Directory, LDAP, Workday, Google Apps, or a custom user store.
- Granting OneLogin administrative privileges to users.
- Granting app access to users through OneLogin SSO.
- Provisioning users to apps (creating or updating user accounts for apps).
Your user base might have different kinds of users that you want to treat differently. For example, employees need access to sensitive corporate data in your business applications and customers need access to online service and support functions.
OneLogin allows you to connect users from a variety of directories to all kinds of applications.
Synchronizing with external directories
You can choose to manage users directly in OneLogin or synchronize them from an external source, such as these:
- Active Directory
- Google Apps
- Custom user store
You can mix and match these as you wish for different groups of users, but once a user has been created in OneLogin, its original source will typically remain the system of record for that user.
If you already have your employees in Active Directory, for example, you can use OneLogin's Active Directory Connector to automatically synchronize users to OneLogin.
You can also programmatically manage users in OneLogin via the OneLogin REST API and thereby sync with a relational database, for example.
See more about synchronizing users from external sources in Directory Integration.
The table below outlines the attributes that a user can have.
| Attribute | Description |
|---|---|
| First Name | User's first name. |
| Last Name | User's last name. |
| Phone Number | User's phone number. |
| Mobile Phone | User's mobile number, used in various authentication functions. |
| Email address | Used for email notifications and login. |
| Username | Can be used for login. |
| Group | The group the user belongs to. |
| Security policy | Defines the user's security policy. If not set, the security policy from the user's group or the default policy for the account applies. |
| Authenticated by | Controls which directory the user is authenticated against. OneLogin is the default directory. |
| Custom fields | Any custom user fields. |
| Comment | Any notes you might want to store about a user. |
| OpenID | A OneLogin-issued OpenID that can be used for signing into applications that support OpenID. |
| External ID | Can be used to store an external ID used to uniquely identify the user in another system. |
| OneLogin ID | The user's unique ID in OneLogin. Used in OneLogin's REST API to query, update and delete users. |
| Multi-factor authentication | Any authentication factors configured for the user, for example, OneLogin Protect. |
| Temporary OTP token | Allows the user to sign in using a one-time password in case their second authentication factor has been lost. |
| Privileges | One or more privileges that allow the user to manage groups, apps, etc. |
| Roles | Roles granted to this user. |
| Apps | Apps granted via roles or directly. |
User Statuses and States
Users can be in the following statuses and states.
Statuses describe the outcome of an operation performed on a user. Statuses include:
- Unactivated - The user was never made active. (Does not occupy a seat license.)
- Active - All OneLogin functionality applies to the user, and the user occupies a seat license.
- Suspended - The user was previously active, but has been deactivated. (Does not occupy a seat license.)
- Locked - The user has tried to log in with the wrong credentials too many times and has been locked out of their account for the time period defined in their user policy.
- Password expired - The user's password has expired.
- Awaiting password reset - The user or an admin requested a password reset, but the password has not yet been reset.
- Security questions required - The user requires security questions.
- Never logged in - The user is active but has never logged into their account.
- Never invited - The user has been successfully created and is active, but an invitation to log in has not yet been sent.
States describe a stage in a process (such as user account approval). User state determines the possible statuses a user account can be in. States include:
- Unapproved - The user has been successfully imported from a third-party directory, but has neither been accepted nor rejected by the administrator. (Does not occupy a seat license.)
- Approved - The user has been successfully imported from a third-party directory, and has been accepted by the administrator and made active. Only approved users are "licensed."
- Rejected - The user has been successfully imported from a third-party directory, but has been rejected by the administrator. The user does not occupy a seat license, but remains in the system and can still be approved and made active.
- Unlicensed - Does not occupy a seat license. Users are placed in this state if an attempt is made to add them without having enough available seats in your subscription. You can also manually set users to Unlicensed as a way of freeing up seat licenses for other users. Note that your account may not yet be enabled for this user state. See Managing Unlicensed Users.
You can change many user statuses and states on the Users > All Users page and by applying Mappings.
By default, users in OneLogin can only sign into the portal and launch applications. The Account Owner is created with a super user privilege, which allows them to grant privileges to other users.
- Super user - Gives a user all privileges, including access to apps, directories, policies, etc.
- Assume users - Allows a user to assume other users.
- Manage users - Allows a user to manage all users in the account.
- Helpdesk - Allows a user to perform a limited subset of user management tasks.
- Manage group - Allows a user to manage a specific group of users.
- Manage role - Allows a user to assign users to a specific role.
- Manage applications - Allows a user to add and configure app connectors.
Note that only the Account Owner has access to the account settings.
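The statuses, states and privileges described above lend themselves to a periodic review of who holds powerful privileges and in what account condition. The following is an added example, not OneLogin code: the record fields (`username`, `status`, `state`, `privileges`, `mfa`, `temp_otp`) are hypothetical and do not reflect the OneLogin API schema, the sample users are constructed, and the choice of which privileges count as high-risk is this example's own.

```python
# Added example: record fields are hypothetical, not OneLogin's API schema.
HIGH_RISK = {"Super user", "Assume users", "Manage users"}  # this example's choice
NO_SEAT_STATUSES = {"Unactivated", "Suspended"}             # per the status list
DORMANT_STATUSES = {"Never logged in", "Never invited"}

# Constructed sample export, one dict per user.
USERS = [
    {"username": "owner", "status": "Active", "state": "Approved",
     "privileges": ["Super user"], "mfa": ["OneLogin Protect"], "temp_otp": False},
    {"username": "helpdesk1", "status": "Active", "state": "Approved",
     "privileges": ["Helpdesk"], "mfa": [], "temp_otp": False},
    {"username": "contractor", "status": "Suspended", "state": "Approved",
     "privileges": ["Assume users"], "mfa": [], "temp_otp": False},
    {"username": "newadmin", "status": "Never logged in", "state": "Approved",
     "privileges": ["Manage users"], "mfa": ["OneLogin Protect"], "temp_otp": True},
    {"username": "imported", "status": "Unactivated", "state": "Unapproved",
     "privileges": [], "mfa": [], "temp_otp": False},
]

def occupies_seat(user):
    """Only Approved users are licensed; Unactivated and Suspended hold no seat.
    Assumption: every other status of an Approved user counts as a seat."""
    return user["state"] == "Approved" and user["status"] not in NO_SEAT_STATUSES

def audit(users):
    """Return sorted (username, finding) pairs for high-risk privilege holders."""
    findings = []
    for u in users:
        if not HIGH_RISK & set(u["privileges"]):
            continue  # only review accounts holding a high-risk privilege
        name = u["username"]
        if not u["mfa"]:
            findings.append((name, "no-mfa"))
        if u["temp_otp"]:
            # a temporary OTP token stands in for the second factor
            findings.append((name, "temp-otp-outstanding"))
        if u["state"] != "Approved" or u["status"] in NO_SEAT_STATUSES:
            findings.append((name, "privilege-on-inactive-account"))
        if u["status"] in DORMANT_STATUSES:
            findings.append((name, "privilege-never-used"))
    return sorted(findings)

if __name__ == "__main__":
    print("seats in use:", sum(occupies_seat(u) for u in USERS))
    for name, finding in audit(USERS):
        print(f"{name}: {finding}")
```
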
Roles and apps
A user can have both personal and company apps. Personal apps can only be assigned by the user themselves and are completely invisible to admin users. Company apps, on the other hand, can only be assigned by admin users and can be assigned in a number of ways, which you can read more about in Assigning Apps to Users.
Custom user fields
On the Unlimited Plan, you can define custom fields. These fields can be mapped to fields in Active Directory or other directories and make your user workflow more flexible.