A number of account-level settings, located in Settings > Account Settings, are available for configuration only by the Account Owner. These settings determine broad-based account policies that are unlikely to change with any regularity. Configure Account Settings during the initial implementation of OneLogin.
Use the notes below to supplement the instructions within the admin interface.
Subdomain: This displays the current URL of your OneLogin instance.
Disable SAML Name ID Change: Disables the ability to manually edit the Login field in SAML login, populating it programmatically instead.
Allow assuming users: This allows admins to assume their users' accounts.
Allow external assuming: Allow OneLogin agents to assume user accounts inside your organization.
Enable OpenID for users: Allows users to install and manage OpenID applications.
Framing protection allows granular customization of the website origins that are allowed to i-frame your OneLogin admin console or end user login page. This is called a Content Security Policy, which is a header that controls what resources a user agent can access.
As of August 31, 2021, this setting applies to frames on both the administration console and the end user experience, including login, portal, and profile. Previously, it only applied to the administration console.
Note: it is difficult to identify all instances of OneLogin being i-framed, since it is not possible to identify every instance of a third-party i-frame. We recommend adding your company's known domains to the whitelist Origin URL section so that only the company's trusted domains are used and clickjacking attacks are prevented.
If you do not want to allow any part of OneLogin to be i-framed, choose Disallow all framing.
If Allow framing from the following origins is selected, you may enter one or more origin URLs starting with http:// in the Content Security Policy Origin URLs list. After you click Save, these are the websites that will be allowed to i-frame your admin console.
This field automatically converts any URLs you enter into their origin format (for example, https://www.website.com) without any action from you. For security reasons, we recommend the Origin URL option.
The fallback radio buttons at the end of the section are designed for users of Internet Explorer, which does not support granular customization of i-framing options. Administrators must choose which option to apply for end users who are browsing with Internet Explorer; we recommend the more secure disallow all option.
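The origin conversion and the resulting Content Security Policy described above, as an added illustration (not OneLogin's own code): it reduces entered URLs to their origins, builds the frame-ancestors directive that the Disallow all framing and Allow framing from the following origins choices correspond to, and checks whether a given embedding origin would be allowed. The sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample of what an admin might type into the Origin URLs list.
ENTERED_URLS = [
    "https://intranet.example.com/sso/launch?x=1",
    "https://portal.example.com:8443/",
    "http://legacy.example.com",
    "https://intranet.example.com/other",  # same origin as the first entry
]


def to_origin(url: str) -> str:
    """Reduce a URL to its origin (scheme://host[:port]); path and query are dropped."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    origin = f"{parts.scheme}://{parts.hostname.lower()}"
    default_port = 443 if parts.scheme == "https" else 80
    if parts.port and parts.port != default_port:
        origin += f":{parts.port}"
    return origin


def frame_ancestors(urls, allow_framing: bool) -> str:
    """Build the CSP directive: 'none' disallows all framing, else list the allowed origins."""
    if not allow_framing:
        return "frame-ancestors 'none'"
    origins = sorted({to_origin(u) for u in urls})  # deduplicated after normalization
    return "frame-ancestors " + " ".join(origins)


def may_embed(csp_header: str, embedding_origin: str) -> bool:
    """Decide whether a page carrying csp_header may be framed by embedding_origin.

    Exact origin match only; CSP host wildcards such as https://*.example.com are not modeled.
    """
    for directive in csp_header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = tokens[1:]
            if sources == ["'none'"]:
                return False
            return embedding_origin in sources or "*" in sources
    return True  # no frame-ancestors directive: the CSP places no restriction on framing


if __name__ == "__main__":
    header = frame_ancestors(ENTERED_URLS, allow_framing=True)
    print(header)
    print(may_embed(header, "https://intranet.example.com"))  # True
    print(may_embed(header, "https://evil.example.net"))      # False
```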
This tab controls password and login options.
Important! Some of these options are noted, "enabled by default." You can disable these options, but to re-enable them, you must contact OneLogin Support.
Admin password reveal: Enabled by default. Allows admins to view users' application passwords for company apps that use form-based authentication, but not personal apps.
Enable password mapping: If you enable this option, OneLogin passes directory passwords to applications. In the app's settings, set the Password parameter value to SSO password so that users' app credentials change every time their OneLogin SSO credentials change.
Important! You must also Enable directory fallback password cache to enable SSO password mapping, and we recommend that you enable SSO password prompt as well.
Enable directory fallback password cache: Enabled by default. Allows OneLogin to authenticate a user based upon a cached hash of the last successful password.
Enable smart password: Ease migration from a third-party user directory. See Smart Passwords.
Transfer Account Ownership: The account owner is the only person who can transfer account ownership.
Multi-step Login: This feature separates the entry of the end user's username and password, and is automatically enabled on new accounts created before November 1, 2018. For more information, see our blog post, Introducing OneLogin's Next-Gen Login Experience.
Note: You must have multi-step login enabled.
As an Account Owner, you can create a Password Blacklist. This list is used to block keywords and strings to prevent weak user passwords. The Password Blacklist improves password security and decreases the risk of company security breaches.
To enable the Password Blacklist, go to Settings > Account Settings > Login tab.
Add the strings and keywords you wish to block from passwords. Click Add Keyword.
Note: Keywords & strings must be manually entered at this time.
Once you complete the step above, you must add it to a User Policy. Go to Security > Policies > select or create new User Policy. On the Sign In tab, check Enforce account password blacklist in the OneLogin password section.
Password Blacklist Enforcement
The password blacklist is enforced when the user attempts to reset their password. It does not proactively audit current passwords. The password check is case-insensitive and only searches for matching strings.
If shark is entered in the Password Blacklist field, and your user changes their password to shark, the following message displays to the user.
Using Twilio, OneLogin can send a new temporary password to the end-user's mobile device. Most accounts configure this option using a regular phone number or short code, but we also support using Twilio Copilot. To set up SMS password reset capabilities, see SMS Password Reset.
The default language selected in Account Settings overrides the profile settings configured by the end-user. The administrator portal remains in English. For more information, see Configuring Localization.
Personal Applications: Allows users to add their own personal apps and password storage to their OneLogin company portal.
Profile Page: Allows users to upload their own profile photo.
Force Tabs: Forces users to organize their collection of apps into tabs, instead of the default which organizes apps on the same page.
Secure Notes: For more information, see Secure Notes.
Password Notification: Only for OneLogin directory users. Displays a banner notification with link to change password.
Add unlimited email addresses for anyone who should receive security-related notifications from OneLogin. Learn more in Notifications.
Billing Information: Only the account owner can change the billing address for the organization.
Allow access by IP address: The ability to whitelist IPs for VLDAP is limited to account owners.