Skip navigation
Documentation

OneLogin

Last Updated: October 22nd, 2020

Contents

Duo integrates with OneLogin to add two-factor authentication, complete with inline self-service enrollment and Duo Prompt.

Duo and OneLogin

Duo Security’s authentication platform secures access to OneLogin, extending two-factor protection to web applications launched from a OneLogin browser session.

Connectivity Requirements

This application communicates with Duo's service on TCP port 443. Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review this Duo KB article.

First Steps

  1. Sign up for a Duo account.
  2. Log in to the Duo Admin Panel and navigate to Applications.
  3. Click Protect an Application and locate OneLogin in the applications list. Click Protect this Application to get your integration key, secret key, and API hostname. (See Getting Started for help.)

Treat your secret key like a password

The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!

Duo Universal Prompt

Duo's next-generation authentication experience, the Universal Prompt, is coming to web-based applications that display the current Duo Prompt in browsers.

Migration to Universal Prompt for your OneLogin application is a two-step process:

  • Update the OneLogin application to support the Universal Prompt.
  • Enable the Universal Prompt experience for users of that OneLogin application (when the Universal Prompt becomes available)

OneLogin needs an update to support the Universal Prompt when it's ready, but the update isn't available yet. The "Universal Prompt" section reflects this status as "Waiting on App Provider". Please contact OneLogin to request Duo Universal Prompt support for OneLogin.

After OneLogin makes the necessary changes available you may need to install an application update on your server, or log in to OneLogin as an admin to enable Duo Universal Prompt support.

Universal Prompt Info - Update Not Yet Available

You'll later return to the settings on this page to activate the Universal Prompt for your OneLogin users once we've released it.

Click the See Update Progress link to view the Universal Prompt Update Progress report. This report shows the update availability and migration progress for all your Duo applications in-scope for Universal Prompt support.

Read the Universal Prompt Update Guide for more information about the update process to support the new prompt, and watch the Duo Blog for future updates about the Duo Universal Prompt.

Configure OneLogin

Enable Duo Authentication Factor

  1. Log into your OneLogin account.

  2. Navigate to SecurityAuthentication Factors and click the New Auth Factor button.

  3. Choose Duo Security from the "Partners" section to enable Duo.

  4. Fill out the form as follows and click Save when done.

    User description A descriptive name for Duo authentication factor i.e. "Duo Security"
    Integration Key Your integration key (i.e. DIXXXXXXXXXXXXXXXXXX)
    Secret Key Your secret key
    API Hostname Your API hostname (i.e. api-XXXXXXXX.duosecurity.com)
    Duo OTP Identifier Select the attribute from the list that contains values that match your end users' Duo usernames. In this example the OTP identifier is Email, so OneLogin sends the email attribute value to Duo as the username. Be sure to select an OTP attribute that has unique values populated for all OneLogin users who will log in with Duo.

    OneLogin Duo Application Information

  5. The OneLogin Authentication Factors page now lists Duo Security. You can configure policies that use the Duo factor next.

Configure and Apply User Policy

  1. Navigate to SecurityPolicies and click the New User Policy button.

  2. Give the new policy a descriptive name, such as Duo MFA Policy, and click the checkmark button next to the policy name field to apply.

  3. Navigate to the MFA settings in the policy editor navigation and check the checkbox next to OTP Auth Required in the "One-time passwords" section.

  4. Scroll to the "MFA Device Registration" section. Choose whether you want all users without an MFA device to register one at login (Users without a MFA device must register one before being able to login.), or another option that lets users choose to register an MFA device at login or not.

  5. Scroll down further to the "Enforcement Settings" section and change the OTP required for pull down menu to All users if you want to require everyone who receives this policy to enroll with Duo at login time. If you would like users to be able to optionally enroll with Duo from their OneLogin settings after logging in, Change the OTP required for pull down menu to Configured users only.

    If you want your users to complete Duo authentication at every login leave the OTP required at setting as At every login. Changing the OTP required for pull down menu setting to Unknown browser will present your users with a "Browser not recognized" message after completing Duo two-factor authentication.

    If the user chooses to remember the browser, the next login using that same browser will not prompt for Duo authentication.

  6. Click the Save button to create the new policy.

  7. You can apply the new Duo MFA policy to users in a few different ways.

    • To make the new MFA policy the default for all users, click the More Actions button and choose Set as default policy.

    • To apply the new Duo MFA policy to individual users, navigate to UsersAll Users. Click on a listed user to open the User Info page, and change the Security Policy pull down menu setting to your new Duo MFA policy. Click the Save User button to apply the change.

    • To apply the new Duo MFA policy to a subset of users, you can create a group, add those users to the new group, and apply the policy to just that group. To create a new OneLogin group, navigate to navigate to UsersGroups. Click the NEW GROUP button. Give the new group a descriptive name, such as Duo Users, and click the checkmark button next to the group name field to apply. In the Group Security Policy section change the Security policy pull down menu option to the new Duo MFA group created earlier.

    Navigate back to the All Users page and edit the properties of individual users to add them to the new Duo group so they receive the new MFA policy.

See the OneLogin online documentation for additional information about configuring Duo authentication.

Test Your Setup

Enable Hostname Whitelisting

If you plan to permit use of WebAuthn authentication methods (security keys, U2F tokens, or Touch ID), Duo recommends enabling hostname whitelisting for this application and any others that show the inline Duo Prompt before onboarding your end-users.

If your MFA user policy is set to require OTP, the next time users subject to that policy log in to OneLogin they will see a message from OneLogin letting them know they need to setup 2-factor authentication after entering the primary username and password. Continuing takes them to the Duo prompt.

If the user is new to Duo they'll see the Duo new enrollment prompt. The user can follow the instructions to enroll an authentication device in Duo for use with OneLogin.

OneLogin Duo Enrollment

The next time a user logs in after completing enrollment, Duo Security's two-factor authentication will be ready to use! Users can approve a Duo Push authentication request from a smartphone or tablet, approve authentication over the phone, or enter a passcode generated via the Duo Mobile app, text message, or hardware token.

OneLogin Duo Authentication

If your MFA user policy is set to require OTP for configured users only, your OneLogin users will need to manually configure Duo after login by clicking on the username in the top right side of the OneLogin window, and selecting Profile from the menu.

Once on the Profile page, the user sees that no Duo device exists in the "2-Factor Authentication"section, and clicks the plus sign icon to Add Device.

OneLogin presents the Duo enrollment or authentication prompt to the user.

OneLogin Duo Enrollment

After completing enrollment or authenticating with a previously enrolled device, the user's profile shows Duo as a registered 2-Factor authentication device.

The next time the user logs on to OneLogin the Duo two-factor authentication prompt is shown after primary username and password submission.

Troubleshooting

Need some help? Try searching our Knowledge Base articles or Community discussions. For further assistance, contact Support.