Connecting OneLogin Identity Provider to Drata

This article covers how to connect OneLogin Identity provider to Drata.

Written by Faraz Yaghouti
Updated this week

HERE'S WHY

Connecting OneLogin to Drata allows all of your company's personnel to be synchronized with Drata, and to provision accounts for each. This is the first connection/integration that should be completed as a new customer of Drata, as it will allow for the compliance monitoring of your company's personnel.

BEFORE DIVING IN

  • The email domain entered when connecting the IdP must match the email domain of every personnel record you want to sync. Personnel with a different domain, or with multiple domains, are not synced.

    • If you need to sync multiple email domains, please reach out to our Technical Support team.

  • For customers who previously had any SSO configured: If your Drata tenant has previously connected to OneLogin using our Enterprise SSO connector, you can maintain that connection.

  • Important to note: There is a delay between the initial connection and the first import of user accounts. At the longest this should take no more than one hour for customers with hundreds of users.

  • Within OneLogin natively, Web Authentication (WebAuthn) is one of the supported Security Factors for enforcing MFA at login. However, this specific factor is not exposed over the OneLogin API, so Drata does not receive it when testing whether a user has MFA enabled. All other security factors are exposed by OneLogin. This means that any user who has chosen WebAuthn as their only security factor will fail the MFA On Identity Provider monitoring test (Test 86). For these users to pass that monitoring test, either upload evidence of MFA on the personnel page or have the user choose another security factor in OneLogin.

HERE'S HOW

Overview

There are three parts to the OneLogin integration:

  • Part 1: Connect OneLogin as an Identity provider to sync personnel into Drata. Open the Drata connection drawer and input the initial connection information.

  • Part 2: Connect OneLogin as an Enterprise SSO provider to allow single sign on into Drata for your employees.

  • Part 3: (Optional) You can limit scope for Drata to a subset of employees by entering a OneLogin group that only includes those employees.

The corresponding steps for each part are detailed in the following sections.

Part 1: Follow these instructions to connect OneLogin to Drata:

1. Select "Connections" on the side navigation menu.

2. Select the 'Available connections' tab, search for OneLogin, and select the Connect button.

3. Follow the instructions in the connection drawer carefully. Enable the permission level “Read all users“ in the modal. Take your time and complete one step entirely before moving on to the next. Paste the required values in each field as indicated.

Part 2: Utilizing the Enterprise SSO connection to allow company personnel to log in to Drata:

If you did not have an Enterprise SSO Connection already, you will see the following banner at the top of the connection drawer:

This is a prompt to begin the Enterprise Single Sign-On Provider connection. If this Enterprise SSO connection is not enabled, only administrators will be able to log in to Drata, using magic link functionality. It is therefore highly recommended to make this connection as soon as possible. You can initiate it either (1) by navigating to the ‘Enterprise Single Sign-On’ connection filter, or (2) directly from the bottom of the OneLogin connection drawer (this option is shown below).

Part 3: Limiting the Personnel in scope for Drata by using a OneLogin Group:

After the connection has been established, you may optionally designate a OneLogin Group as the only group of users to synchronize into Drata by following these steps:

1. Click the small edit icon to the far right of “Configuration Options”.

2. Designate a OneLogin Group to sync with. You may want to navigate to the OneLogin groups page, which has a URL of the form {domain}.onelogin.com/groups, to confirm the exact group name. Be sure this group includes the Drata administrator as well.

Important to note: If an extra character is typed when specifying a OneLogin group, the sync will not match the name to any OneLogin Group and will default to synchronizing all users for that account. If the administrator then edits the connection to fix the typo, the next personnel sync will change the personnel list based on the corrected group. Any personnel not in that group will be designated a ‘Former Employee’ to show they are now out of scope.

3. Save and confirm the group. The next personnel sync will change the personnel list based on the new group.

  • Drata does not support nested groups. We will sync members in the top level of the specified group, but not members in any second-level or further groups.
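The scoping rules from Part 3 (exact group-name match with fallback to all users, no nested groups, domain filter) and the WebAuthn caveat from "Before diving in" (Test 86), modelled as an added pre-flight check you can run against a user export before saving the group. This is example code, not Drata's or OneLogin's; the user list, group map, field names and factor names are constructed assumptions, not OneLogin API values.

```python
from dataclasses import dataclass, field

# Assumption: "WebAuthn" is the one factor OneLogin does not expose over its API.
HIDDEN_FACTORS = {"WebAuthn"}

@dataclass
class User:
    email: str
    factors: list = field(default_factory=list)  # enrolled security factor names

def in_scope(users, domain, group_name=None, known_groups=None):
    """Users Drata would sync under the documented rules: a group name that
    matches no OneLogin group silently falls back to every user; only direct
    members of the group count (nested groups are not walked); then the
    configured email domain must match exactly."""
    known_groups = known_groups or {}
    selected = users
    if group_name is not None and group_name in known_groups:
        members = set(known_groups[group_name])
        selected = [u for u in users if u.email in members]
    return [u for u in selected if u.email.split("@")[-1].lower() == domain.lower()]

def mfa_visible(user):
    """True if at least one factor is visible to Drata; a WebAuthn-only user
    looks like they have no MFA and will fail Test 86."""
    return any(f not in HIDDEN_FACTORS for f in user.factors)

def preflight(users, domain, group_name=None, known_groups=None):
    synced = in_scope(users, domain, group_name, known_groups)
    return {
        "synced": sorted(u.email for u in synced),
        "will_fail_test_86": sorted(u.email for u in synced if not mfa_visible(u)),
        "out_of_scope": sorted(u.email for u in users if u not in synced),
        # True means the typed group name matched nothing: ALL users would sync
        "group_fallback": group_name is not None and group_name not in (known_groups or {}),
    }

# Constructed sample export and group map (illustrative only).
SAMPLE_USERS = [
    User("admin@example.com", ["OneLogin Protect"]),
    User("alice@example.com", ["WebAuthn"]),          # hidden factor only
    User("bob@example.com", ["OneLogin Protect"]),
    User("carol@contractor.example", ["OneLogin Protect"]),  # other domain
    User("dave@example.com", []),                     # no MFA at all
]
SAMPLE_GROUPS = {
    "Drata Scope": ["admin@example.com", "alice@example.com", "dave@example.com"],
    "Drata Scope / Engineering": ["bob@example.com"],  # child group: not synced
}
```

A non-empty `will_fail_test_86` list tells you which users need MFA evidence uploaded or a different factor chosen before the monitoring test runs, and `group_fallback` being True is the typo case described above.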
