Users are typically employees of your organization, but can be any person that your organization cares about, including partners and customers. Your user base might therefore have different kinds of users that you want to treat differently. For example, your employees may need access to sensitive corporate data in your business applications, while your customers require online services and support functions. This article provides a complete overview of the user management options available in your user directory.
Managing Users
Go to Users > Users in your OneLogin admin portal to access the primary user management page of your user directory. This is where you can view a complete list of all users, or search and filter for specific users.
Adding Users
Manually Adding Individual Users
You can add users one at a time by clicking New User in your user management page and filling out a brief form with your new user's information. For more information, check out Adding Users Manually or the demo video to the right.
Users can also manually create their own accounts as needed with a custom self-registration URL.
Importing Users with a CSV File
If you have a large number of users to add, you may want to upload them in bulk using a comma-separated values (CSV) file. This is a template that you can download from OneLogin, edit as a spreadsheet or text document, and then re-upload into your OneLogin user directory. It's a useful solution for when you already have a list or database of your customers, because many names can be copied and pasted at once instead of entered individually page by page.
Syncing Users From an External Directory
You may already have a system of record for your employees or customers, such as Active Directory (AD), G Suite, Workday, or a custom-built user store. If that's the case, you can avoid duplicating your efforts or having to make redundant updates by synchronizing OneLogin with your existing directory in Users > Directories. The process will be slightly different for each directory, but you can find instructions specific to your directory type in Directory Integration.
More Actions
Open the More Actions menu in the upper-right corner of the user directory to perform tasks that may affect multiple users at once.
Import users | Upload a CSV file or get the CSV template to bulk-import users.
Bulk operations | Perform an action, such as activating or deleting users, on a set of multiple users at once based on their role, group, or status.
Custom user fields | Create or manage your organization's customized user attributes.
Approve all users | Move all unapproved users into the Approved state.
License all users | Grant a OneLogin seat license to all users in the Unlicensed state. If you have more unlicensed users than available licenses, the licenses will be applied alphabetically down the user list until they run out.
You can edit users on an individual level by going to Users > Users and selecting the user you wish to manage. The following sections summarize each page of the user record and the settings you can modify there.
User Info
Basic Information
Profile Picture | You can add a photo to your user's profile by clicking the default user icon and uploading an image file.
Active | Deactivated users cannot access or use their OneLogin accounts but do not occupy a seat license, so this feature can be useful for cycling in and out seasonal employees or recurring temporary customers.
First name | The user's first name. This field is required.
Last name | The user's last name. This field is required.
Email | An email address where the user can receive notifications. This field is required if the Username field is empty; at least one of the two must be filled.
Username | A unique ID for the user to enter when signing into OneLogin. This field is required if the Email field is empty. If you enter an Email for the user but not a Username, they will use their email address as a username when signing in.
Phone number | The user's phone number.
Manager | Another user in your organization who acts as the user's manager. This is a dropdown field that you can use to search all users.
Company | The user's place of work, if not at your own company; useful for tracking multiple users affiliated with the same client.
Department | The department associated with the user.
Title | The user's job title or role.
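The required-field rules above can be checked on a bulk-import CSV before it is uploaded. The following is an added example, not OneLogin code: the column names (firstname, lastname, email, username) are assumptions, so substitute the headers from the CSV template you download, and the case-insensitive comparison of sign-in names is a conservative assumption rather than documented behavior.

```python
import csv
import io

# Assumed column names for this example; use the headers from the
# CSV template downloaded from OneLogin.
REQUIRED = ("firstname", "lastname")


def validate_import(csv_text):
    """Return a list of (line_number, problem) tuples for a bulk-import CSV."""
    problems = []
    seen = {}  # effective sign-in name (lowercased) -> line where first seen
    reader = csv.DictReader(io.StringIO(csv_text))
    for row in reader:
        line = reader.line_num
        # Ignore overflow cells (key None) and normalise missing values.
        clean = {k: (v or "").strip() for k, v in row.items() if k}
        for col in REQUIRED:
            if not clean.get(col):
                problems.append((line, f"{col} is required"))
        email, username = clean.get("email", ""), clean.get("username", "")
        if not email and not username:
            problems.append((line, "email or username is required"))
            continue
        # With no Username, the user signs in with their email address,
        # so the email then has to be unique as a sign-in name.
        login = (username or email).lower()  # case-folding is an assumption
        if login in seen:
            problems.append((line, f"sign-in name duplicates line {seen[login]}"))
        else:
            seen[login] = line
    return problems


# Constructed sample data, not real users.
SAMPLE = """firstname,lastname,email,username
Ada,Nguyen,ada@example.com,anguyen
Ben,,ben@example.com,
Cy,Ortiz,,
Dee,Park,dee@example.com,ANGUYEN
Eli,Stone,eli@example.com,
Fay,Reed,fay@example.com,eli@example.com
"""

if __name__ == "__main__":
    for line, problem in validate_import(SAMPLE):
        print(f"line {line}: {problem}")
```
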
Custom Fields
With the Advanced Directory add-on, you can define custom user fields that may be mapped to fields in other directories and make your user workflow more flexible.
Directory details
If your user directory is syncing with an external directory, its information will populate here along with an automatically generated unique ID used in OneLogin's REST API to query, update and delete users.
This is an open field where you can write any notes you might want to store about a user. These comments are not visible to the user unless you've given them user management privileges.
Privileges
Click Add Privilege to give your user the ability to manage groups, applications, other users, etc. See Privileges for a full list of abilities.
Delegated Admin Privileges
With the Delegated Administration add-on, you can customize and grant granular administrative abilities to users. It's similar to the Privileges feature, but with a more fine-tuned degree of control over specific actions your admins are permitted to take.
Authentication
Authentication
Group | Select a group to assign the user to.
Trusted IDP | Select an identity provider (IdP) to use for securely signing the user into OneLogin and its protected applications.
Authenticated by | If your user is synchronized with an external directory, select which directory should handle the user's authentication. By default, OneLogin provides the user authentication.
User security policy | Select a security policy to assign to the user. By default, it's either the policy assigned by the user's group if they have one or the default policy for your organization if they do not.
Open ID
If you've configured any OpenID Connect apps to use with OneLogin, this is the ID your user connects to them with. By default, it's set to the same Username you may have configured in the user's basic info, but it can be changed here.
Multi-factor methods
Multi-factor authentication | If the user has registered a device to use as a multi-factor authentication (MFA) factor, it will appear here.
Temporary token | This generates an emergency replacement token that allows the user to sign in with a one-time password (OTP) in the event that they've lost access to one of their necessary security factors. You can choose whether the token can be used once or repeatedly, and how long the user has to apply it before it expires.
Applications
Here, you can view the roles currently associated with the user and the applications currently available to them.
Click any app to view and manually edit the user's login details for that app.
Note: Manually entered login details will always override those set by app rules and provisioned attributes. Click Reset Login to remove the manual changes and revert the user to their automatically provisioned login details.
Devices
This page displays a list of all devices used to authenticate your user, such as PKI certificates downloaded to desktop devices, or mobile devices equipped with OneLogin Protect or other OTP authentication apps.
Activity
This page displays a running log of the user's authentication activity and any major changes made to the user's apps, roles, groups, or other settings. Similar updates of all user activity in OneLogin can be viewed in your events log.
More Actions
Additional user management options can be found under the More Actions menu in the upper-right corner of the user record. The options available to you may vary based on your own account privileges.
Assume User | Take control of the user's account to modify their settings or troubleshoot their configuration.
Change Password | Manually enter a new password for the user. Select Force user to update to prompt them to change their password again the next time they log in. This is useful for assigning temporary passwords to users who have forgotten theirs.
Force Logout | Sign the user out of all active sessions. If you suspect a security breach, a password reset alone won't necessarily end active user sessions in OneLogin; unauthorized parties may still be signed in to your user's accounts until you force them to log out.
Send Invitation | Enter an email address where the user can receive an invitation to activate their OneLogin account. This is useful when onboarding new users who do not yet have access to the company email address associated with OneLogin, as you can enter a personal email to temporarily use instead.
Show User Details | View the user's OneLogin ID, External ID, objectGUID, Distinguished Name, and sAMAccountName. This information may be useful when configuring the user with an external directory, and can also be viewed under Directory details.
Reapply Mappings | Prompt OneLogin to check and update the user's mappings.
Delete | Completely remove the user record from the OneLogin Cloud Directory. If there's any chance that the account will be needed again in the future, you may wish to suspend the user instead, which removes their OneLogin access but does not delete their record.
Unlicense | Remove the user's licensing; they will not be able to access their OneLogin account or use OneLogin to authenticate any other account. Additionally, they cannot be manually updated or managed until re-licensed, and bulk updates or management operations will not be applied to them. This is useful for preventing suspended and inactive users from taking up a seat license without deleting their account.
Download PKI cert | Download a copy of the user's PKI certificate file for authenticating their browser as a trusted device.
Create New User | Create a new user record; this is unrelated to the current user record you're viewing and is the same action as clicking New User from the user directory, but can be useful when adding several new users in a row so you don't have to return to the directory between each user. If adding more than a few users at a time, you may prefer to bulk-import your users from a CSV file.
Create New Sub User | Create a new user record as a subordinate to the current user you're viewing; the current user will be pre-filled into the new user's Manager field.
User Statuses and States
Users occupy a variety of different statuses or states that determine whether their account is licensed and useable. Users who do not occupy one of your OneLogin seat licenses cannot access their account until they receive a license. You can change users' statuses and states individually from the user directory, or in bulk by applying mappings. Both statuses and states can often be used to filter and quickly find users in the user directory, in custom reports, or when creating a mapping.
User Status
A user's status describes the outcome of an operation performed on them.
Active | User's account is fully accessible, with all OneLogin functionality | Occupies a seat license
Awaiting password reset | User or admin requested a password reset, but password has not yet been reset | Occupies a seat license
Locked | User has tried to log in with the wrong credentials too many times and has been locked out of their account for the time period defined in their user policy | Occupies a seat license
Never invited | User has been successfully created and is active, but an invitation to log in has not yet been sent | Occupies a seat license
Never logged in | The user is active but has never logged into their account | Occupies a seat license
Password expired | User's password has expired and must be reset | Occupies a seat license
Password pending | User has been created, but a password for them has not been configured | Occupies a seat license
Suspended/Inactive | User was previously active, but has been deactivated | Does not occupy a seat license
Unactivated | User has never been made active. | Does not occupy a seat license
User State
A user's state describes their current stage in a process, such as account approval.
Unapproved | User has been successfully imported from a third-party directory, but has not yet been accepted or rejected by the administrator | Does not occupy a seat license
Approved | User has been successfully imported from a third-party directory and has been accepted by the administrator and made active | Occupies a seat license
Rejected | User has been successfully imported from a third-party directory, but has been rejected by the administrator | Does not occupy a seat license
Unlicensed | An admin or import process attempted to add this user but there was not an available seat license, or an admin manually unlicensed the user to free up a seat license for another user | Does not occupy a seat license