Skip to main content

Before you begin

To complete this guide, you’ll need:
  • ConductorOne Super Administrator or Connector Administrator role
  • A OneLogin account
Estimated time: 10 minutes

Step 1: Integrate your OneLogin instance

Start by integrating your OneLogin instance with ConductorOne. Use the OneLogin connector to sync OneLogin to ConductorOne. Once connected, ConductorOne ingests all of the users, apps, groups, and other entitlements and resources from OneLogin.

Step 2: Convert an OneLogin app to a managed app

Before managing access to an OneLogin app, you’ll need to begin managing it with ConductorOne.
1
Navigate to Applications and click the Unmanaged apps tab.
2
Find the application you want to enable for self-service or lifecycle management.
3
Click Manage.
Don’t stress.Converting an app from unmanaged to managed in ConductorOne does not change any configuration in the IdP.
Once an application is managed, you can enforce access controls, run user access reviews, and drive lifecycle management for the app.

Step 3: Configure the app entitlements (optional)

Every managed application in ConductorOne comes with a Credential resource. This “access entitlement” is used to manage account level access to application. In OneLogin, at a minimum, this means that the user is assigned to the OneLogin app. Additionally, applications configured in OneLogin may use groups to SCIM roles and permissions to the connected application. ConductorOne can easily convert these linked entitlements into resources and entitlements in your ConductorOne instance. If groups are assigned to the application in OneLogin, you can convert these linked entitlements from OneLogin into in-app entitlements in the ConductorOne app:
1
On the app’s Entitlements tab, click the Linked entitlements icon at the top right corner of the entitlements table (the icon looks like a Venn diagram).
2
In the Linked entitlements drawer, click the Setup tab.
3
For each IdP entitlement ConductorOne has identified as linked to the app, choose an action:
  • Create virtual role: Set up a new role in the app that will be linked to the IdP entitlement. This role will only exist in ConductorOne, and will function as an alias for the IdP entitlement. Your colleagues can request and review the role, which will appear as part of the app, but they will in actuality be requesting or reviewing the IdP entitlement.
  • Provision access for: Link the IdP entitlement to an existing entitlement in the app. When your colleagues request or review the app entitlement, they will also be requesting or reviewing the IdP entitlement.
  • Skip: Do nothing.
4
When you’ve made all of your selections, click Save.
ConductorOne will now create the resources and entitlements in the managed app, and importantly, will set a binding for that entitlement to the OneLogin group (we’ll get to bindings later). For now, just know that this allows us to perform magic!

Step 4: Configure the app and entitlements for self service

Now we’ll configure the application and any entitlements we created in Step 3 so they’re ready for self-service requests.
1
Navigate to the app’s Setup tab
2
In the Entitlement configuration rules section of the page, click Edit.
3
In the configuration rules pane, click the toggle to Enable configuration rules.
4
If you want to make the app itself requestable, click Credential in the selected resources.
5
If you want to make the roles or other entitlements you created in Step 3 requestable, select those resource types.
6
Use the Access profiles dropdown to select Everyone.
7
Finally, check the box at the bottom of the screen and click Apply.

Step 5: Request your OneLogin app and roles

Now we’re ready it give it a whirl!
1
Click Requests and make sure that App catalog is selected.
2
Find the application you just created.If you’ve made the application requestable, you’ll see a Request button on the app. If you’ve made individual roles or entitlements requestable, you’ll see those on the app.
3
Select the app or a role you want to request, and click Request.
4
Enter the justification and click Request.

Success!

The request will be auto-approved based on the policy, and you will be provisioned access by assigning you to the application and the correct groups in OneLogin!