A number of account-level settings, located in Settings > Account Settings, are available for configuration only by the Account Owner. These settings determine broad-based account policies that are unlikely to change with any regularity. Configure Account Settings during the initial implementation of OneLogin.
- Subdomain: Displays the current URL of your OneLogin instance
- Disable SAML Name ID Change: Disables the ability to manually edit the Login field in SAML login, populating it programmatically instead.
- Allow assuming users: This allows admins to assume their users' accounts.
- Enable OpenID for users: Allow OneLogin agents to assume user accounts inside your organization.
- Framing protection: Allows granular customization of the website origins that are allowed to i-frame your OneLogin admin console or end user login page. This is called a Content Security Policy, which is a header that controls what resources a user agent can access. This setting applies to frames on both the administration console and the end user experience, including login, portal, and profile.
- If you do not want to allow any part of OneLogin to be i-framed, choose Disallow all framing
- If Allow framing from the following origins is selected, you may enter one or more origin URLs starting with http:// in the Content Security Policy Origin URLs list. After you click Save, these are the websites that will be allowed to i-frame in your admin console.
- This field automatically converts any URL you enter into its origin format (for example, https://www.website.com) without any action from you. For security reasons, we recommend the Origin URL option.
- The fallback radio buttons at the end of the section are designed for users of Internet Explorer, which does not support granular customization of i-framing options. Administrators must choose which option to apply for end users who are browsing with Internet Explorer; we recommend the more secure disallow all option.
Note: It is difficult to identify all instances of OneLogin being i-framed, since it is not possible to identify every instance of a third-party i-frame. We recommend adding your company's known domains to the whitelist Origin URL section, so that only the company's trusted domains are used and clickjacking attacks are prevented.
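To make the framing options concrete, here is an added illustration (not OneLogin's code) of what the three settings above amount to in Content Security Policy terms: reducing an entered URL to its origin, building the frame-ancestors directive for "Disallow all framing" versus "Allow framing from the following origins", and checking whether a given embedding page would be permitted. The function names and the sample origins are constructed for the example.

```python
from urllib.parse import urlsplit


def to_origin(url: str) -> str:
    """Reduce a URL to its origin (scheme://host[:port]), dropping path,
    query and fragment, the way the Origin URL field normalizes entries."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    host = parts.hostname.lower()
    # Keep an explicit port only when it differs from the scheme default.
    default_port = 443 if parts.scheme == "https" else 80
    if parts.port and parts.port != default_port:
        host = f"{host}:{parts.port}"
    return f"{parts.scheme}://{host}"


def frame_ancestors_policy(mode: str, origin_urls=()) -> str:
    """Build the Content-Security-Policy value matching a Framing protection
    choice: 'disallow' maps to frame-ancestors 'none', 'allow_origins' lists
    the normalized, de-duplicated origins (constructed illustration)."""
    if mode == "disallow":
        return "frame-ancestors 'none'"
    if mode == "allow_origins":
        origins = sorted({to_origin(u) for u in origin_urls})
        # An empty allow-list is equivalent to disallowing all framing.
        if not origins:
            return "frame-ancestors 'none'"
        return "frame-ancestors " + " ".join(origins)
    raise ValueError(f"unknown mode: {mode!r}")


def framing_allowed(policy: str, embedder_url: str) -> bool:
    """Decide, as a browser enforcing the header would, whether a page at
    embedder_url may frame a page served with this frame-ancestors policy."""
    sources = policy.split()[1:]
    if sources == ["'none'"]:
        return False
    return to_origin(embedder_url) in sources
```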
Some of these options are enabled by default. You can disable these options, but to re-enable them, you must contact OneLogin Support.
- Admin password reveal: Enabled by default. Allows admins to view users' application passwords for company apps that use form-based authentication, but not personal apps.
- Enable password mapping: If you enable this option, OneLogin passes directory passwords to applications. In the app's settings, set the Password parameter value to SSO password so that users' app credentials change every time their OneLogin SSO credentials change.
- Enable directory fallback password cache: Enabled by default. Allows OneLogin to authenticate a user based upon a cached hash of the last successful password.
- Enable smart password: Eases migration from a third-party user directory. See Smart Passwords.
- Transfer Account Ownership: The account owner is the only person who can transfer account ownership.
- Multi-Step Login: This feature separates the entry of the end user's username and password. For more information, see our blog post: Introducing OneLogin's Next-Gen Login Experience.
Setting Up a Password Blacklist
- With multi-step login enabled, an Account Owner can create a password blacklist; this list is used to block keywords and strings to prevent weak user passwords. Using the Password Blacklist improves password security and decreases the risk of company security breaches.
- Go to Settings > Account Settings > Login.
- Enter each string or keyword you wish to block and click Add Keyword. Note: Keywords and strings must be manually entered at this time.
- Once you complete the step above, you must add it to a User Policy by going to Security > Policies and either creating a new User Policy or selecting an existing User Policy. On the Sign In tab, check Enforce account password blacklist in the OneLogin password section.
Password Blacklist Enforcement
The password blacklist is enforced when the user attempts to reset their password. It doesn't proactively audit current passwords. The password check is case-insensitive and only searches for matching strings. If shark is entered in the Password Blacklist field, and your user changes their password to shark, the user will be shown an error message.
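As an added illustration of the enforcement rules above (not OneLogin's code), this models the reset-time check: it runs only when the User Policy has Enforce account password blacklist ticked, compares case-insensitively, and assumes a substring match against each keyword. The sample keywords and function names are constructed for the example.

```python
# Constructed sample blacklist, as an Account Owner might enter it.
BLACKLIST = ["Shark", "password", "acme"]


def normalize_keywords(keywords):
    """Keywords are compared case-insensitively, so store them lowercased,
    trimmed, and without blanks or duplicates."""
    return sorted({k.strip().lower() for k in keywords if k.strip()})


def blacklist_matches(new_password: str, keywords) -> list:
    """Return every blacklisted string found in new_password
    (case-insensitive substring match, assumed for this illustration)."""
    lowered = new_password.lower()
    return [k for k in normalize_keywords(keywords) if k in lowered]


def check_password_reset(new_password: str, enforce_blacklist: bool, keywords):
    """Simulate the check applied when a user resets or changes a password.
    Returns (accepted, message). Nothing here audits existing passwords:
    the blacklist is only consulted at reset time, and only if the user's
    policy enforces it."""
    if not enforce_blacklist:
        return True, ""
    hits = blacklist_matches(new_password, keywords)
    if hits:
        return False, "Password contains blacklisted string(s): " + ", ".join(hits)
    return True, ""
```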
Important! To enable SSO password mapping, you must also enable Enable directory fallback password cache. We recommend enabling SSO password prompt as well.
If your company has a Twilio account, OneLogin can use Twilio to send a new temporary password to the end user's mobile device. Most accounts configure this option using a regular phone number or short code, but we also support using Twilio Copilot. To set up SMS password reset capabilities, see SMS Password Reset.
- Personal Applications: Allows users to add their own personal apps and password storage to their OneLogin company portal.
- Profile Page: Allows users to upload their own profile photo
- Force Tabs: Forces users to organize their collection of apps into tabs, instead of the default which organizes apps on the same page.
- Secure Notes: For more information, see Secure Notes.
- Password Notifications: Only for OneLogin directory users. Displays a banner notification with link to change password.
The default language selected in Account Settings overrides the profile settings configured by the end user. The administrator portal remains in English. For more information, see Configuring Localization.
Add unlimited email addresses for anyone who should receive security-related notifications from OneLogin. Learn more at Notifications.
Only the account owner can change the billing address for the organization.
Allow access by IP address - The ability to whitelist IPs for VLDAP is limited to account owners.