Skip navigation
Documentation

OneLogin

Contents

Duo integrates with OneLogin to add two-factor authentication, complete with inline self-service enrollment and authentication prompt.

Duo and OneLogin

Duo Security’s authentication platform secures access to OneLogin, extending two-factor protection to web applications launched from a OneLogin browser session.

First Steps

  1. Sign up for a Duo account.
  2. Log in to the Duo Admin Panel and navigate to Applications.
  3. Click Protect an Application and locate OneLogin in the applications list. Click Protect this Application to get your integration key, secret key, and API hostname. (See Getting Started for help.)

Configure OneLogin

Enable Duo Authentication Factor

  1. Log into your OneLogin account.

  2. Navigate to SettingsSecurityAuthentication Factors and click the NEW AUTH FACTOR button.

  3. Choose DUO SECURITY to enable Duo.

    OneLogin Authentication Factors

  4. Fill out the form as follows and click Save when done.

    Description A descriptive name for Duo authentication factor i.e. "Duo Security"
    Integration Key Your integration key (i.e. DIXXXXXXXXXXXXXXXXXX)
    Secret Key Your secret key
    API Hostname Your API hostname (i.e. api-XXXXXXXX.duosecurity.com)

    OneLogin Duo Application Information

  5. The OneLogin Authentication Factors page lists Duo Security.

    OneLogin Authentication Factors

Configure and Apply User Policy

  1. Navigate to SettingsSecurityPolicies and click the NEW USER POLICY button.

  2. Give the new policy a descriptive name, such as Duo MFA Policy, and click the checkmark button next to the policy name field to apply. Navigate to the MFA tab in the policy editor and check the Required checkbox next to OTP Auth Required.

    Change the OTP required for pull down menu to All users if you want to require everyone who receives this policy to enroll with Duo at login time. If you would like users to be able to optionally enroll with Duo from their OneLogin settings after logging in, Change the OTP required for pull down menu to Configured users only.

    OneLogin Authentication Factors

    If you want your users to complete Duo authentication at every login leave the OTP required at setting as At every login. Changing the OTP required for pull down menu setting to Unknown browser will present your users with a "Browser not recognized" message after completing Duo two-factor authentication.

    OneLogin Authentication Factors

    If the user chooses to remember the browser, the next login using that same browser will not prompt for Duo authentication.

    Click the Save button to create the new policy.

  3. You can apply the new Duo MFA policy to users in a few different ways. To make the new MFA policy the default for all users, click the More Actions button and choose Set as default policy.

    OneLogin Policy Default

    To apply the new Duo MFA policy to individual users, navigate to UsersAll Users. Click on a listed user to open the User Info page, and change the Security Policy pull down menu setting to your new Duo MFA policy. Click the Save User button to apply the change.

    OneLogin Set User Policy

    To apply the new Duo MFA policy to a subset of users, you can create a group, add those users to the new group, and apply the policy to just that group. To create a new OneLogin group, navigate to navigate to UsersGroups. Click the NEW GROUP button. Give the new group a descriptive name, such as Duo Users, and click the checkmark button next to the group name field to apply. In the Group Security Policy section change the Security policy pull down menu option to the new Duo MFA group created earlier.

    OneLogin New Duo Group

    Navigate back to the All Users page and edit the properties of individual users to add them to the new Duo group so they receive the new MFA policy.

See the OneLogin online documentation for additional information about configuring Duo authentication.

Test Your Setup

Important

Duo authentication is only visible in the OneLogin "New Interface" login page. OneLogin is rolling out the new UI to customers. If the Duo authentication prompt is not visible for OTP enabled users on your login page contact OneLogin support to request the "New Interface" setting be enabled for your account.

If your MFA user policy is set to require OTP for all users, the next time your users log in to OneLogin they will see the Duo New Enrollment prompt after entering the primary username and password. The enrollment wizard will prompt for a phone number and verify it with a simple phone call or text message.

OneLogin Duo Enrollment

The next time a user logs in after completing enrollment, Duo Security's two-factor authentication will be ready to use! Users can approve a Duo Push authentication request from a smartphone or tablet, approve authentication over the phone, or enter a passcode generated via the Duo Mobile app, text message, or hardware token.

OneLogin Duo Authentication

If your MFA user policy is set to require OTP for configured users only, your OneLogin users will need to manually configure Duo after login by clicking on the username in the top right side of the OneLogin window, and selecting Security from the menu.

The user sees that no Authentication Devices are registered. Click the plus sign icon to Add Device.

OneLogin Duo Authentication

OneLogin presents the Duo enrollment or authentication prompt to the user.

OneLogin Duo Authentication

After completing enrollment or authenticating with a previously enrolled device, the user's Security properties shows Duo as a registered Authentication device.

OneLogin Duo Authentication

The next time the user logs on to OneLogin the Duo two-factor authentication prompt is shown after primary username and password submission.

Troubleshooting

Need some help? Try searching our Knowledge Base articles or Community discussions. For further assistance, contact Support.

Ready to Get Started?

Sign Up Free