# SSO With OneLogin (OIDC)

### Overview

This guide provides step-by-step instructions to configure single sign-on (SSO) between OneLogin (OIDC, V2) and StrongDM. If you already use OneLogin to manage which applications your users can reach, completing this setup lets you use the same provider to manage who can reach your data sources through StrongDM.

{% hint style="info" %}
OneLogin V1 has been deprecated by OneLogin and is no longer available. This guide has been updated to use V2.
{% endhint %}

### Prerequisites

To get started, make sure the following conditions are met:

* In OneLogin, you must be an administrator with the ability to manage application settings.
* In StrongDM, your permission level must be set to Administrator.
* Have a unique identifier for every user. Only email address is currently supported, so each user's email must be the same in OneLogin and in StrongDM.

### Steps

#### Create the OneLogin app

{% hint style="info" %}
These instructions vary based on your organization's StrongDM region (not your individual location).
{% endhint %}

{% tabs %}
{% tab title="US" %}

1. In the OneLogin Admin portal, click **Applications** > **Add App** to create a new application.
2. Search for **StrongDM** and select the option that has **OpenID Connect 2.0, provisioning** in the description. Enter a name for the application and click **Save**.
3. ![](https://4180056444-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF7eka9SH5TT8nJm2ZfWj%2Fuploads%2Fgit-blob-cdf2e93e5090b8d8f3341ce6a73eb877ec4769e8%2Fsso-onelogin-details-oidc.png?alt=media)\
   In the **Configuration** tab, go to the **Application details** section. In the **Login URL** field, enter the URL you use to access StrongDM's Admin UI, **with** a trailing slash: `https://app.strongdm.com/`
4. ![](https://4180056444-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF7eka9SH5TT8nJm2ZfWj%2Fuploads%2Fgit-blob-289a08bca8080c6aea06dee6e33a60460c6236a5%2Fsso-onelogin-step-3.png?alt=media)\
   Go to the **SSO** tab and copy the **Client ID** and **Client Secret**. You need these values later. Treat the client secret like a password: anyone holding it together with the client ID can complete the token exchange as your StrongDM application, so store it in a secrets manager and share it only over a secure channel.
5. On the **SSO** tab under **Token Endpoint**, set the **Authentication Method** to **POST** and save the configuration.
6. From the main OneLogin menu, go to **Users**. Every user who should access the StrongDM Admin UI *must* be assigned your **StrongDM** app, either directly or through a role. If you assign the app to a role, make sure each user is also given that role.
{% endtab %}

{% tab title="UK" %}

1. In the OneLogin Admin portal, click **Applications** > **Add App** to create a new application.
2. Search for **StrongDM** and select the option that has **OpenID Connect 2.0, provisioning** in the description. Enter a name for the application and click **Save**.
3. ![](https://4180056444-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF7eka9SH5TT8nJm2ZfWj%2Fuploads%2Fgit-blob-cdf2e93e5090b8d8f3341ce6a73eb877ec4769e8%2Fsso-onelogin-details-oidc.png?alt=media)\
   In the **Configuration** tab, go to the **Application details** section. In the **Login URL** field, enter the URL you use to access StrongDM's Admin UI, **with** a trailing slash: `https://app.uk.strongdm.com/`
4. ![](https://4180056444-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF7eka9SH5TT8nJm2ZfWj%2Fuploads%2Fgit-blob-289a08bca8080c6aea06dee6e33a60460c6236a5%2Fsso-onelogin-step-3.png?alt=media)\
   Go to the **SSO** tab and copy the **Client ID** and **Client Secret**. You need these values later. Treat the client secret like a password: anyone holding it together with the client ID can complete the token exchange as your StrongDM application, so store it in a secrets manager and share it only over a secure channel.
5. On the **SSO** tab under **Token Endpoint**, set the **Authentication Method** to **POST** and save the configuration.
6. From the main OneLogin menu, go to **Users**. Every user who should access the StrongDM Admin UI *must* be assigned your **StrongDM** app, either directly or through a role. If you assign the app to a role, make sure each user is also given that role.
{% endtab %}

{% tab title="EU" %}

1. In the OneLogin Admin portal, click **Applications** > **Add App** to create a new application.
2. Search for **StrongDM** and select the option that has **OpenID Connect 2.0, provisioning** in the description. Enter a name for the application and click **Save**.
3. ![](https://4180056444-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF7eka9SH5TT8nJm2ZfWj%2Fuploads%2Fgit-blob-cdf2e93e5090b8d8f3341ce6a73eb877ec4769e8%2Fsso-onelogin-details-oidc.png?alt=media)\
   In the **Configuration** tab, go to the **Application details** section. In the **Login URL** field, enter the URL you use to access StrongDM's Admin UI, **with** a trailing slash: `https://app.e.strongdm.com/`
4. ![](https://4180056444-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF7eka9SH5TT8nJm2ZfWj%2Fuploads%2Fgit-blob-289a08bca8080c6aea06dee6e33a60460c6236a5%2Fsso-onelogin-step-3.png?alt=media)\
   Go to the **SSO** tab and copy the **Client ID** and **Client Secret**. You need these values later. Treat the client secret like a password: anyone holding it together with the client ID can complete the token exchange as your StrongDM application, so store it in a secrets manager and share it only over a secure channel.
5. On the **SSO** tab under **Token Endpoint**, set the **Authentication Method** to **POST** and save the configuration.
6. From the main OneLogin menu, go to **Users**. Every user who should access the StrongDM Admin UI *must* be assigned your **StrongDM** app, either directly or through a role. If you assign the app to a role, make sure each user is also given that role.
{% endtab %}
{% endtabs %}

#### Configure StrongDM

1. Enter the OneLogin details in the StrongDM Admin UI. Go to **Settings** > [User Management](https://app.strongdm.com/app/settings/user-management). In the **Single Sign-on** section, set the following:
   * **Provider:** Select **OneLogin (OIDC)**.
   * **Single sign-on URL:** Enter your Issuer URL, `https://<SUBDOMAIN>.onelogin.com/oidc/2`, where `<SUBDOMAIN>` is your OneLogin subdomain. Enter it exactly in this form, without a trailing slash: OIDC requires the issuer value to match the one in the ID token byte for byte.
   * **Client ID**: Paste your client ID.
   * **Client Secret**: Paste your client secret.
2. Select your desired [general SSO settings](https://docs.strongdm.com/admin/principals/sso/..#general-sso-options) and click **activate**.
3. Confirm that the email addresses of all users are identical in StrongDM and in OneLogin. Also confirm that every user you intend to grant access to resources through StrongDM has been assigned the StrongDM application in OneLogin; a user without the app assignment is rejected by OneLogin before StrongDM ever sees them.
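Before activating SSO, it is worth confirming that the issuer you are about to paste into StrongDM actually serves an OIDC discovery document with the values the steps above rely on (exact issuer match, an HTTPS token endpoint that accepts the POST authentication method, and the `email` scope used to identify users). The script below is an added example, not StrongDM's or OneLogin's code. It reads the standard discovery document at `<issuer>/.well-known/openid-configuration`; the embedded document is a constructed sample so the checks run offline, and `fetch_discovery()` retrieves the real one for your subdomain when you pass an issuer on the command line.

```python
"""Pre-flight check for a OneLogin OIDC v2 issuer before enabling SSO in StrongDM.

Added example (not StrongDM's or OneLogin's code). The discovery document
below is a constructed sample trimmed to the fields checked here; replace
"example" with your own OneLogin subdomain or pass your issuer as argv[1].
"""
import json
import re
import sys
import urllib.request

# The only issuer form this guide supports: https://<SUBDOMAIN>.onelogin.com/oidc/2
ISSUER_RE = re.compile(r"^https://[a-z0-9-]+\.onelogin\.com/oidc/2$")

# Constructed sample (assumption, not captured from a live tenant).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://example.onelogin.com/oidc/2",
    "authorization_endpoint": "https://example.onelogin.com/oidc/2/auth",
    "token_endpoint": "https://example.onelogin.com/oidc/2/token",
    "userinfo_endpoint": "https://example.onelogin.com/oidc/2/me",
    "jwks_uri": "https://example.onelogin.com/oidc/2/certs",
    "scopes_supported": ["openid", "name", "profile", "groups", "email"],
    "claims_supported": ["sub", "email", "name"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


def fetch_discovery(issuer: str, timeout: float = 10.0) -> dict:
    """Download the discovery document for an issuer (network access required)."""
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def check_discovery(configured_issuer: str, discovery: dict) -> list:
    """Return a list of problems; an empty list means the issuer looks ready.

    configured_issuer is the value you will paste into StrongDM's
    "Single sign-on URL" field.
    """
    problems = []
    if not ISSUER_RE.match(configured_issuer):
        problems.append("Single sign-on URL must be https://<SUBDOMAIN>.onelogin.com/oidc/2 "
                        "(https, no trailing slash, nothing after /oidc/2)")
    # OIDC requires the iss claim in the ID token to equal the configured
    # issuer exactly; a stray trailing slash is enough to break every login.
    if discovery.get("issuer") != configured_issuer:
        problems.append(f"issuer mismatch: discovery document says {discovery.get('issuer')!r}")
    for field in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = discovery.get(field, "")
        if not value.startswith("https://"):
            problems.append(f"{field} missing or not https: {value!r}")
    # The guide sets the token endpoint Authentication Method to POST, which
    # the discovery document advertises as client_secret_post.
    if "client_secret_post" not in discovery.get("token_endpoint_auth_methods_supported", []):
        problems.append("token endpoint does not advertise client_secret_post")
    # Email is the only user identifier this integration supports.
    if "email" not in discovery.get("scopes_supported", []):
        problems.append("email scope not advertised; users cannot be matched by email")
    # RS256 is the one signing algorithm every OIDC provider must offer.
    if "RS256" not in discovery.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 not offered for ID token signing")
    return problems


def check_sample(configured_issuer: str = "https://example.onelogin.com/oidc/2") -> list:
    """Run the checks against the embedded sample (works offline)."""
    return check_discovery(configured_issuer, json.loads(SAMPLE_DISCOVERY))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        issuer = sys.argv[1]
        found = check_discovery(issuer, fetch_discovery(issuer))
    else:
        issuer = "https://example.onelogin.com/oidc/2"
        found = check_sample(issuer)
    for p in found:
        print("PROBLEM:", p)
    print("OK: issuer looks ready for StrongDM" if not found else f"{len(found)} problem(s) found")
```

Run it as `python3 check_onelogin_oidc.py https://<SUBDOMAIN>.onelogin.com/oidc/2` from a machine that can reach OneLogin; an empty problem list means the issuer string, endpoints and authentication method line up with what the steps above configure. The check deliberately refuses a trailing slash on the issuer even though the Login URL in OneLogin needs one: the two fields follow different rules.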

{% hint style="info" %}
Once you have saved the application configuration in OneLogin, it may take some time for the changes to be reflected in the OneLogin authentication environment. We recommend waiting at least several hours before enabling and testing OneLogin SSO in StrongDM after you have completed the setup.
{% endhint %}
