
OneLogin Integration Guide (IdP)

This article covers how to connect the OneLogin identity provider (IdP) to Drata.


Connecting OneLogin to Drata allows all of your company's personnel to be synchronized with Drata, and to provision accounts for each. This is the first connection/integration that should be completed as a new customer of Drata, as it will allow for the compliance monitoring of your company's personnel.

Key Capabilities

  • Identity Synchronization: Syncs personnel from OneLogin into Drata based on email domain and (optionally) a designated OneLogin group.

  • Access & Scope Management: Allows you to scope which personnel are in Drata by configuring a OneLogin group.

  • Compliance Monitoring Foundation: Provides the identity data required for personnel-related compliance monitoring and tests.

Prerequisites & Data Access

  • The email domain used when connecting the IdP must match the email domain of each personnel record you want to sync.

  • Personnel with different or multiple email domains are not synced. If you need to sync multiple email domains, contact Drata Technical Support.

  • If your Drata tenant previously connected to OneLogin using the Enterprise SSO connector, you can maintain that connection in addition to this identity connection.

  • There may be a delay (up to ~1 hour) between the initial connection and the first import of user accounts, especially for customers with hundreds of users.

  • MFA / WebAuthn limitation:

    • OneLogin supports Web Auth (WebAuthn) as a security factor. However, this factor is not exposed via the OneLogin API, so Drata cannot detect it when testing whether a user has MFA enabled.

    • Users who use WebAuthn as their only factor will fail the MFA on Identity Provider monitoring test (Test 86).

    • To pass Test 86, either:

      • Upload alternative MFA evidence on the personnel page in Drata, or

      • Configure another supported MFA factor in OneLogin.

  • Role requirements: To connect, you must be assigned one of the following Drata roles: Admin, Workspace Managers, DevOps Engineer.

  • If you have the Access Reviewer role, you can only view the Connections page.

Step-by-Step Setup

There are three parts to the OneLogin integration:

  • Step 1: Connect OneLogin as an Identity provider to sync personnel into Drata.

  • Step 2: Connect OneLogin as an Enterprise SSO provider to allow single sign on into Drata for your employees.

  • Step 3: (Optional) You can limit scope for Drata to a subset of employees by entering a OneLogin group that only includes those employees.

Step 1: Prepare OneLogin & Tenant Scope

  1. Select the "Connections" page from the left-side navigation menu.

  2. Select the "Available connections" tab, search for OneLogin, and select the Connect button.

  3. Follow the on-screen instructions in the OneLogin connection process.

  4. When prompted, enable the “Read all users” permission level in the OneLogin authorization modal.

  5. Paste any required values into the connection fields exactly as indicated in the drawer.

Step 2: Connect OneLogin as an Enterprise SSO Provider

  1. If you do not already have an Enterprise SSO connection, you should see a banner at the top of the OneLogin connection drawer prompting you to configure SSO.

  2. Start the Enterprise SSO setup either by:

    • Navigating to the Enterprise Single Sign-On connection filter and then searching for and connecting to the Single Sign-On connection, or

    • Clicking the prompt at the bottom of the OneLogin connection drawer.

  3. Follow the SSO configuration steps to allow company personnel to log in to Drata via OneLogin.

If the Enterprise SSO connection is not enabled, only administrators will be able to log in to Drata via magic link. It is highly recommended to complete this SSO connection as soon as possible.

Step 3: Limit Personnel Scope Using a OneLogin Group

After the initial connection is established, you can restrict which personnel sync into Drata:

  1. In the OneLogin connection in Drata, click the small edit icon to the far right of “Configuration Options”.

  2. Specify a OneLogin Group to sync. You can locate your groups in OneLogin at a URL similar to: {domain}.onelogin.com/groups

    • Ensure this group includes the Drata administrator and any personnel you want in scope.

  3. Save and confirm the group selection.

Important behavior:

  • If an extra character or typo is included in the group name, Drata will not be able to match it and will instead default to synchronizing all users for that account.

  • If you later correct the group name and save, the next personnel sync will:

    • Adjust the personnel list to match the new group, and

    • Mark any personnel not in that group as “Former Employee” (out of scope).

  • Nested groups are not supported. Drata will sync members in the top level of the specified group only.
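The scoping rules above (domain matching from Prerequisites, exact group-name matching with the fall-back to all users, marking out-of-group personnel as "Former Employee", and top-level-only membership) are easy to get wrong in a way that silently widens what is synced. The following is an added, constructed model of those rules, not Drata's or OneLogin's own code: the `User`/`Group` types, the `example.com` domain, the group and member names, and the `suggest_group_name` pre-flight check are all hypothetical. It shows how a single stray character in the configured group name turns a scoped sync into an all-users sync, and how a close-match check can catch that before saving.

```python
"""Constructed model of the personnel-scoping rules in this guide.

Hypothetical helper code (not Drata's or OneLogin's implementation) that
mirrors the documented behaviour: only addresses on the connected email
domain are candidates; the configured group must match exactly, otherwise
every user on the domain is synced; candidates outside the matched group
are marked "Former Employee"; nested groups are not followed.
"""
from __future__ import annotations

import difflib
from dataclasses import dataclass

ACTIVE = "Active"
FORMER_EMPLOYEE = "Former Employee"


@dataclass(frozen=True)
class User:
    email: str


@dataclass(frozen=True)
class Group:
    name: str
    members: tuple[str, ...] = ()          # direct (top-level) member emails
    child_groups: tuple[Group, ...] = ()   # nested groups; deliberately not followed


def domain_of(email: str) -> str:
    """Domain part of an address, lower-cased for comparison."""
    return email.rsplit("@", 1)[-1].lower()


def filter_by_domain(users: list[User], domain: str) -> list[User]:
    """Only personnel on the connected IdP domain are sync candidates."""
    return [u for u in users if domain_of(u.email) == domain.lower()]


def find_group(groups: list[Group], configured_name: str) -> Group | None:
    """Exact, case-sensitive match: an extra character yields no match at all."""
    return next((g for g in groups if g.name == configured_name), None)


def suggest_group_name(groups: list[Group], configured_name: str) -> list[str]:
    """Pre-flight check: close-but-not-exact group names that suggest a typo."""
    names = [g.name for g in groups]
    return difflib.get_close_matches(configured_name, names, n=3, cutoff=0.8)


def sync_personnel(users: list[User], groups: list[Group], domain: str,
                   configured_group: str | None = None) -> tuple[dict[str, str], str | None]:
    """Return (email -> status, warning).

    The warning is set when the configured group did not match and the sync
    therefore defaulted to every user on the domain, which is the over-broad
    outcome the guide warns about.
    """
    candidates = filter_by_domain(users, domain)
    if configured_group is None:
        return {u.email: ACTIVE for u in candidates}, None
    group = find_group(groups, configured_group)
    if group is None:
        return ({u.email: ACTIVE for u in candidates},
                f"group {configured_group!r} not found; defaulted to all users")
    in_scope = set(group.members)  # child_groups are ignored: nested groups are not supported
    return ({u.email: (ACTIVE if u.email in in_scope else FORMER_EMPLOYEE) for u in candidates},
            None)


# Constructed sample tenant; example.com is a placeholder domain.
SAMPLE_USERS = [
    User("admin@example.com"),
    User("alice@example.com"),
    User("bob@example.com"),
    User("dave@example.com"),
    User("carol@contractor.example"),   # different domain: never synced
]
SAMPLE_GROUPS = [
    Group("Engineering", members=("alice@example.com", "bob@example.com")),
    Group("Drata Scope",
          members=("admin@example.com", "alice@example.com"),
          child_groups=(Group("Drata Scope - Nested", members=("dave@example.com",)),)),
]

if __name__ == "__main__":
    for configured in ("Drata Scope", "Drata Scope "):   # second one has a trailing space
        hints = suggest_group_name(SAMPLE_GROUPS, configured)
        statuses, warning = sync_personnel(SAMPLE_USERS, SAMPLE_GROUPS, "example.com", configured)
        print(f"configured={configured!r} warning={warning} close_matches={hints}")
        for email, status in statuses.items():
            print(f"  {email}: {status}")
```

Run as a script, the first pass scopes the sync to the two top-level members of "Drata Scope" (dave, who is only in the nested group, is marked "Former Employee"); the second pass, differing only by a trailing space, produces the warning and syncs all four `example.com` users, while `suggest_group_name` points at the intended name so the typo can be fixed before saving.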
