User Policies
Article: KB0010420 Published: 11/22/2022 Last modified: 11/22/2022

This document explains how to configure and manage User Policies. 

User policies allow you to apply security restrictions and protocols to individual users or to Groups. User policies offer admins nuanced authentication configurations to provide the appropriate security requirements for your organization.  

OneLogin user policies allow you to configure controls on the features listed below, and more.  

  • Authentication Restrictions: Terms & Conditions, Risk Factors, Password, Browser Extension
  • Choose a Login Flow: Smart Flows allow you to define and customize specific login flows
  • Account Recovery: allows admins to define user actions involving various types of account management
  • Sessions: allow users to stay signed in, or time out sessions based on fixed time and/or inactivity
  • MFA: PKI Certificates, Hardware & Software Tokens, MFA Whitelist & Restrictions
  • IP Whitelist: IP whitelisting by range or individual IPs

Create a Policy

Go to Security > Policies.

On the Policies page, you can add a New User Policy, a New App Policy, or select an existing policy to edit.

Configuration Overview

There are seven sections that control each of the security settings and restrictions: Login Flow, Sign In, Password, Session, MFA, IP Addresses, and Customization.

Smart Flows (Preferred Login Flow)

Smart Flows allow you to define and customize specific login flows on a user policy, based on your organization's security and end-user requirements. 

Note: Contact your account manager to enable Smart Flows. You must be on the SmartFactor Authentication plan to use this feature. 


  • Standard (ID/Password/MFA): The typical authentication flow deployed by many orgs.

  • Brute-Force Defense (ID/MFA/Password): Select this authentication flow to protect your org from bad actors who try to access your org's resources by exhausting all possible password combinations. Because the password is only checked after MFA succeeds, this flow also helps prevent account lockouts if your org authenticates against Active Directory.

  • Passwordless (ID/MFA): This passwordless flow is a user-friendly approach that requires only a username and an authentication factor. One of its key benefits is the ability to use WebAuthn and OneLogin Protect.

Certificates can be used but aren't required for Passwordless and Brute-Force Defense flows. You can't set user policy to dynamically change flows. A user is subject to the single flow defined in the user policy.

To learn more about Smart Flows, see Smart Flows.

Sign In

The Sign In tab provides options for the sign in flow, and includes granular controls for passwords.

Terms and Conditions

If checked, a box appears where you can enter your Terms and Conditions. A user must agree to these prior to their initial login. 

Social Sign-in

If checked, the major social networks appear as sign-in options. However, this feature is deprecated if you have multi-step login enabled: all accounts will use multi-step login starting December 31, 2019. To allow users to sign in with their social credentials, you must configure a Trusted IdP. For more information, see Trusted IdP (Relying Party Trust).

Note: If you enable social sign-in, MFA will be disabled for users using social credentials. If you decide to disable one of the social networks, all users using that provider can't sign in and must create a new OneLogin password.

OneLogin Desktop

Apply MFA policy requirement when logging into laptop and desktop devices - When users log in via OneLogin Desktop, this option prompts them for MFA.  

Don’t require browser login for trusted devices - This option uses the OneLogin Desktop certificate as a primary factor and allows users to enjoy a passwordless login into the portal.

Note: If your instance uses the multi-step login flow and OTP Auth Required is checked in the One-time passwords section of the MFA tab, end users will still be required to provide MFA verification even if this option is checked.

Browser Extension 

Enable users to download browser extensions from their Profile page. Also enable them to add apps to their personal apps or company apps list on their portal or browser extension app drop-down. For more information, see OneLogin Browser Extensions and Adding Apps using the Browser Extension for Chrome.

Security Questions 

Enables security questions as an authentication factor for your users. For more information, see Security Questions.

Auto suspend inactive users 

This option automatically suspends users who haven't used the system for 90 days, including users that received an invitation to join but never logged in. When a user is suspended, an event is logged that provides detailed notes.

Note: If an admin reactivates the user after suspension, they must log in within 24 hours or the user state returns to suspended.


As an additional layer of security, admins can select specific MFA factors for end-user password resets.

Password Settings 

These options define:

  • Maximum password age: the amount of time a user's password remains valid before it must be changed (and can't be reused).
  • Enforced password history: the number of unique new passwords that must be associated with a user account before an old password can be reused.
  • Minimum length: current NIST recommendations encourage longer passphrases.
  • Complexity: the required mix of numbers, letters, and/or special characters.

Note: If you use an LDAP directory, Active Directory, or Google Apps (G Suite) directory with OneLogin and that directory doesn't allow password expiration, your third-party directory will respect OneLogin's policy-based password expiration settings.

Password Restrictions

The Dynamic Password Blacklist allows admins to blacklist any attributes associated with the user profile in passwords. For example, if you choose to blacklist the email attribute, a user can't use their email address as part of their password. This is enforced when a user resets their password; it's not retroactive. 

Note: SmartFactor package is required.

To select password attributes to blacklist, click in the box to open the drop-down menu.


The attributes you can blacklist on a user policy are:

  • First Name
  • Last Name
  • Email
  • Email name part
  • Email domain part
  • Username
  • OpenID name
  • AD user name (samAccountName)
  • AD ID
  • Internal ID
  • userPrincipalName (UPN)
  • Distinguished Name
  • Ldap Uid
  • Department
  • Company
  • Title
  • Phone
  • OneLogin ID
  • UUID
  • Any custom attribute


Enforce account password blacklist

As an account owner, you can create a Password Blacklist. This list blocks keywords and strings to prevent weak user passwords. The Password Blacklist improves password security and decreases the risk of company security breaches. You must have multi-step login enabled.

To enable the Password Blacklist, go to Settings > Account Settings > Login tab, enter the desired strings, and click Add Keyword.

Compromised Credentials

Enforce compromised credential check

When enabled, this verifies that the username and password combination isn't included in the list of known compromised credentials. The list is dynamic and continuously updated based on the latest known compromised credentials. This is enforced when the user attempts to change their password or clicks Forgot Password. It doesn't proactively audit all of the current passwords your org uses.

Enforce compromised password check

When enabled, this only verifies that the password isn't included in the list of known compromised passwords. It doesn't check the username and password combination.

Note: You must be on a plan that includes SmartFactor to use Compromised Credentials & Compromised Password Check. Contact your account manager if you're interested in the SmartFactor plan. 
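The following is an added example, not code from the OneLogin article or product, showing how the Password Settings, Dynamic Password Blacklist, account Password Blacklist and compromised-password checks described above combine into a single policy evaluation. The user profile, keyword list and compromised-password list are constructed for the example (OneLogin's real list is dynamic and continuously updated), and the policy field names are this example's own. It also checks the email name part, as the attribute list allows, which the prose does not walk through.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample data (not from the article): a user profile using the
# attribute names the article lists as blacklist-able, an account-level keyword
# blacklist, and a stand-in for the compromised-password list. Hashes are used
# so the policy store never holds the plaintext passwords it rejects.
USER_PROFILE = {
    "first_name": "Lena",
    "last_name": "Ortega",
    "email": "lena.ortega@example.com",
    "username": "lortega",
    "department": "Finance",
}
ACCOUNT_KEYWORD_BLACKLIST = {"examplecorp", "welcome", "password"}


def password_hash(password):
    """Unsalted SHA-256 is used only so history/compromised lookups work offline;
    a real credential store would use a salted, slow hash."""
    return hashlib.sha256(password.encode()).hexdigest()


COMPROMISED_HASHES = {password_hash(p) for p in ("Summer2023!", "P@ssw0rd")}


@dataclass
class PasswordPolicy:
    """Mirrors the policy's Password tab; the field names are this example's own."""
    min_length: int = 12
    history_depth: int = 5          # enforced password history
    min_character_classes: int = 3  # complexity: lower, upper, digit, special
    blacklisted_attributes: tuple = (
        "first_name", "last_name", "email", "email_name_part", "username"
    )
    check_compromised: bool = True


def derive_attribute_values(profile):
    """Expand a profile into the strings the dynamic blacklist compares against.
    'email_name_part' and 'email_domain_part' are split out of the email, as in
    the article's attribute list."""
    values = dict(profile)
    email = profile.get("email", "")
    if "@" in email:
        local, domain = email.split("@", 1)
        values["email_name_part"] = local
        values["email_domain_part"] = domain
    return values


def character_classes(password):
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def evaluate_password(password, profile, history_hashes, policy=PasswordPolicy()):
    """Return the list of policy violations; an empty list means the password is
    accepted. history_hashes holds the user's previous password hashes, oldest first."""
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    if character_classes(password) < policy.min_character_classes:
        violations.append("insufficient mix of character classes")
    digest = password_hash(password)
    # Enforced password history: the most recent N passwords may not be reused.
    recent = history_hashes[-policy.history_depth:] if policy.history_depth else []
    if digest in recent:
        violations.append("password reused from history")
    # Dynamic password blacklist: no selected profile attribute may appear in the password.
    lowered = password.lower()
    for attr, value in derive_attribute_values(profile).items():
        if attr in policy.blacklisted_attributes and value and value.lower() in lowered:
            violations.append(f"contains profile attribute '{attr}'")
    # Account password blacklist: admin-supplied keywords and strings.
    for keyword in sorted(ACCOUNT_KEYWORD_BLACKLIST):
        if keyword in lowered:
            violations.append(f"contains blacklisted keyword '{keyword}'")
    # Compromised-password check (password only, not the username/password pair).
    if policy.check_compromised and digest in COMPROMISED_HASHES:
        violations.append("appears in compromised-password list")
    return violations
```

As the article notes, these checks run when a password is set or reset; running evaluate_password over existing accounts would require the plaintext, which a properly hashed credential store does not have, so the policy is not retroactive.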

Password Reset Redirect 

Users will be redirected to this URL when they initiate password reset.

Note: For orgs on Multi-step Login, the direct link to Password Reset allows admins to provide a URL that directs the end user to the Forgot Password page.

Account Recovery

The Account Recovery tab allows admins to define user actions involving various types of account management. 


Allow users to update their directory password

Users on this policy can update their password in OneLogin. This provides a Forgot Password link on their login page. You can decide which password update options to offer users on this policy, such as Email or another registered authentication factor.

Note: Disable this option if you want your users to use their third-party directory (Active Directory, LDAP, G Suite) password for OneLogin authentication and you want them to update passwords using the third-party directory password-update tools.

This option determines which invitation users receive. See Inviting Users for more information.

If you choose to Allow user to reset password via email, you have the option to Show an email address hint in the password reset flow. This can be helpful for users who don't log in very often or have multiple email addresses.

The hint is an obfuscated email address, displayed in a form such as L******@****. To prevent malicious actors from verifying the existence of an email address or username, OneLogin displays a random obfuscated email address for non-existent users.
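An added example (not the article's or OneLogin's code) of the hint behaviour just described: the masked hint for a real account, and a decoy hint for a username that does not exist so that the response shape does not reveal whether the account exists. The directory and secret are constructed for the example. One refinement beyond the article, labelled as this example's own choice: the decoy is derived from a keyed hash of the username rather than fresh randomness, so repeated queries for the same unknown username return the same decoy (a hint that changed on every request would itself signal that the account is fake).

```python
import hashlib
import hmac
import secrets

# Constructed directory of existing accounts (username -> email); not real data.
DIRECTORY = {
    "lortega": "lena.ortega@example.com",
    "mkhan": "m.khan@example.org",
}
# Server-side secret that keys the decoy hints. Generated here for the example;
# a deployment would keep it in a secret store so it survives restarts.
HINT_SECRET = secrets.token_bytes(32)


def obfuscate_email(email):
    """Keep the first character of the local part and mask everything else,
    producing the L******@**** shape the article describes."""
    local, domain = email.split("@", 1)
    return local[0] + "*" * (len(local) - 1) + "@" + "*" * len(domain)


def fake_hint(username):
    """Deterministic but unpredictable decoy hint for a username that does not exist.
    The lengths are drawn from the keyed hash so they vary like real addresses do."""
    digest = hmac.new(HINT_SECRET, username.lower().encode(), hashlib.sha256).digest()
    first = chr(ord("a") + digest[0] % 26)
    local_len = 5 + digest[1] % 8    # decoy local part of 5-12 characters
    domain_len = 7 + digest[2] % 8   # decoy domain of 7-14 characters
    return first + "*" * (local_len - 1) + "@" + "*" * domain_len


def password_reset_hint(username):
    """What the reset flow shows for a username, whether or not it exists."""
    email = DIRECTORY.get(username.lower())
    if email is None:
        return fake_hint(username)
    return obfuscate_email(email)
```

Both branches return a string of the same shape, so a caller timing or comparing responses for many usernames learns nothing about which ones are real.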

Allow users to unlock their accounts

Enable users to manually unlock their account, with or without a password reset, if it's been locked. This feature is compatible with orgs that use OneLogin as a directory or Active Directory.

Note: For orgs on Multi-step Login, the direct link to Account Unlock can be provided to users. The user must be on a user policy that allows account unlock.

Please note the following:

  • Account unlock can't be combined with the default Email Factor. 
  • Contact your account manager to enable this feature.
  • We also moved Select Factors Available from the Password tab to Account Recovery.

This feature addresses situations such as:

  • A user entered their password incorrectly numerous times and is locked out.
  • An app uses old credentials and locks the user out.
  • A user changed their password, which causes an old application to keep sending the wrong credentials until the user updates it; this can result in a locked account.

The end user can choose from the two options pictured in the screenshot below. 


Require reCAPTCHA

You can require users to complete reCAPTCHA before they update their passwords or unlock their account. This feature increases your org's security by blocking bot attacks.

Select OTP factors available to reset password

Add MFA requirements for password reset requests.


Session

The Session tab controls session login, lockout, and inactivity behavior.

Login Attempts

  • Maximum invalid login attempts: Defines the number of times a user can enter incorrect login credentials before they're locked out of their account. If a user successfully resets or changes their password, the number of invalid attempts is reset to 0.

  • Lock effective period: Defines the period of time that a user's lockout period lasts.

    Note: For security reasons, the Lock Effective Period does not automatically unlock a user account once the listed amount of time has passed. After the period has elapsed, the user must successfully authenticate to the OneLogin Portal; if the credentials are correct and the time set in the User Policy has passed, OneLogin unlocks the user's account at that point.


Note: The Timeout settings determine when a user session expires, based on the values defined.

  • Fixed Time: Define a specific duration of time that a user session is valid, in minutes or hours. 0 implies that the user session won't timeout based on specific time parameters.

  • Inactivity: Define how many minutes or hours a user session may remain idle before it is terminated. For example, if 45 Minutes is entered, the user session is terminated once the user has been inactive for 45 minutes. 0 implies that a session won't be terminated based on inactivity.

  • Keep me signed in: OneLogin session persists after the browser closes. If you enable this setting, the option appears on the login screen for all users, but only works for users assigned to this policy. If you want to enable this setting, we recommend that you enable it for all users.
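An added example, not code from the article or from OneLogin, that models the Login Attempts and Timeout rules above, including the edge case in the note: a lock is not lifted merely because the Lock Effective Period has elapsed, it is lifted by a successful authentication after that period. The policy values and timestamps are constructed for the example; the class and function names are this example's own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class SessionPolicy:
    """Constructed values mirroring the Session tab. None stands for the UI's 0 (no timeout)."""
    max_invalid_attempts: int = 5
    lock_effective_period: timedelta = timedelta(minutes=30)
    fixed_timeout: Optional[timedelta] = timedelta(hours=8)
    inactivity_timeout: Optional[timedelta] = timedelta(minutes=45)


@dataclass
class AccountState:
    invalid_attempts: int = 0
    locked_at: Optional[datetime] = None


@dataclass
class Session:
    started: datetime
    last_activity: datetime


def attempt_login(state, policy, password_ok, now):
    """Apply the Login Attempts rules. Returns 'ok', 'invalid' or 'locked'."""
    if state.locked_at is not None:
        # The lock period elapsing does NOT unlock the account by itself: only a
        # successful authentication after the period has passed clears the lock.
        period_over = now - state.locked_at >= policy.lock_effective_period
        if not (period_over and password_ok):
            return "locked"
        state.locked_at = None
        state.invalid_attempts = 0
        return "ok"
    if password_ok:
        state.invalid_attempts = 0
        return "ok"
    state.invalid_attempts += 1
    if state.invalid_attempts >= policy.max_invalid_attempts:
        state.locked_at = now
        return "locked"
    return "invalid"


def password_changed(state):
    """A successful password reset or change sets the invalid-attempt counter back to 0."""
    state.invalid_attempts = 0


def session_expired(session, policy, now):
    """Fixed Time and Inactivity timeouts; either one expiring ends the session."""
    if policy.fixed_timeout is not None and now - session.started >= policy.fixed_timeout:
        return True
    if policy.inactivity_timeout is not None and now - session.last_activity >= policy.inactivity_timeout:
        return True
    return False


def touch(session, now):
    """Record user activity so the inactivity clock restarts."""
    session.last_activity = now
```

Note that a wrong password after the lock period has passed still returns "locked" rather than starting a fresh attempt count, which keeps a guesser from learning that the period has elapsed.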


MFA

The MFA tab includes settings for any Multi-Factor Authentication associated with the policy.


Smart MFA 

See below for a video summary of OneLogin's Smart MFA feature.

Smart Access

Suppress if risk is equal to or lesser than risk level - This option, for orgs that upgrade to SmartFactor Authentication, allows you to reject login attempts based on the risk level of the user.

New Users: If a new user is on a User Policy with Smart Access Deny set to High, they can log in for the first time. This is only true if the user's risk profile matches that of the typical new user. This allows the risk engine to learn the user's login behavior. 

Note: While these labels may imply risk, OneLogin's baseline security always protects our customers.

Smart Access scores the risk of each login attempt with Vigilance AI (our machine learning risk engine). With this setting enabled, you can deny access to users who attempt to authenticate with a risk score that is equal to or lesser than the defined risk level. 

Our vigilance service learns behaviors when your account is Smart MFA enabled. Once this is enabled, risk data appears in the Event Viewer. This score is always recorded, even if it's disabled in the policy. We won’t suppress MFA unless enabled in the policy. This only applies to accounts using multi-step login and subscribed to our SmartFactor Authentication Plan. 

  • Minimal: Minimal risk tolerance, provides your organization with robust security by prompting your users for MFA in most circumstances.

  • Low: Low risk tolerance, extremely strict security standards. MFA is more than likely required when users log in.

  • Medium: Medium risk tolerance, but strict security standards. Your org accepts a medium risk level when users log in. MFA prompts decrease when a user exhibits predictable and secure behavior, such as logging in from the same location every day at the same time.

  • High: Somewhat strict security standards that favor user experience. Orgs accept a somewhat higher level of risk in exchange for an easier user experience. Doesn't usually require MFA, but presents MFA challenges at appropriate times, such as unusual login locations.

  • Very High: the strictest security standards. User experience is degraded but security risk is greatly reduced. 

Require Trusted Device

Device Trust Check: Provides admins with the ability to prompt for a user certificate, but doesn't require a certificate to log in. If the user is prompted and doesn't submit a certificate, the user can log in. This field provides the end user with the opportunity to submit a PKI or 3rd party certificate. 

If you select Device Trust Check and MFA Bypass for Trusted Devices, then a user on a single policy is prompted for MFA on personal devices, but isn't challenged on corporate devices.

Note: Contact your account manager to enable this feature.

Device Trust Required: Users (including admins) can only sign in to OneLogin if a PKI certificate is installed on their device. You may be locked out, requiring a call to OneLogin support.

Allow Self-installation: Allows the user to install the PKI certificates. Once installed, the user's account is only accessible from a browser with that certificate installed. Note: Legacy PKI certs are still valid. 

Restriction: PKI certs can't be used as MFA to access the OneLogin Portal app.

The user must provide credentials and complete MFA to successfully download the certificate. Once the user completes those steps, they can install the cert onto the device.

Certificate expires in: Defines the duration until the PKI certificate expires.

Note: Users are required to re-open the browser after the certificate is installed.


One-time passwords

OTP Auth Required, when checked, enables the multi-factor authentication requirement for users to log in; when unchecked, it disables it. This setting requires you to add one or more MFA methods to your account.

Disable OneLogin Protect push-notifications

When checked, all OneLogin Protect factors in this policy will have push notifications disabled. This can help prevent a push-fatigue attack if the user’s credentials are compromised.

Note: If you have an app policy with OneLogin Protect MFA enabled, then disabling push notifications in the user policy will cause the authentication to require users to manually use OneLogin Protect to generate an OTP, as the app will be unable to use push notifications to request access.

Phone number for SMS

When checked, allows a user to update their phone number through their profile page.

MFA Device Registration

Choose if a user must register a device, if registration is optional, or if they are not prompted at all. This option allows admins to slowly roll out MFA across a larger organization, by choosing optional registration at first, and then once ready, switching to mandatory enrollment. These explain how OneLogin treats MFA device registration: 

MFA Device Management

This setting allows you to limit the ability of end users to manage MFA devices in their portal. By default, the box is checked. Uncheck the box to make MFA device management read-only in the user's profile.

MFA Bypass

Enter IP addresses to allow login attempts from the specified IP addresses to bypass the OTP login requirement. Use spaces to separate multiple IP addresses. You can enter ranges in the format x.x.x.x-x.y.z.w.

Enforcement Settings

  • OTP required for: Defines the OTP requirement for Administrators only, All users, or Configured users only. For Configured users only, OTP is required only if the user is specifically configured for OTP; if this option is selected and the user isn't configured for OTP, OTP will not be required.

  • OTP required at: Defines whether OTP is required for every login or the first login from an unknown browser.

  • Security cookie expiration: (days) Defines duration of the security cookie before the user's OTP credentials must be refreshed.

Note: A user's browser must accept cookies from the OneLogin domain for their login to be remembered. If OneLogin can't identify their cookies, the user is prompted to complete multi-factor authentication. 

MFA Bypass for Trusted Devices

Enable end users to bypass MFA if they use a trusted device. When end users authenticate with a trusted certificate (OneLogin PKI, 3rd Party Cert, OneLogin Desktop), they aren't prompted for MFA. 

The chart below details expected behavior based on Cert, MFA, and Bypass permutations. The row labels for the first two rows did not survive extraction and are left blank.

                   With Cert        Without Cert
                   Logged in        Login Fail
                   Prompt for MFA   Login Fail
  Cert Check Only  Logged in        Prompt for MFA
  Cert Check Only  Prompt for MFA   Prompt for MFA

Smart MFA

When enabled, Smart MFA either prompts or skips MFA depending on the risk level of the user. It prompts a user for MFA if they are exhibiting riskier behavior than usual, like trying to log in from Canada one minute, then Japan the next. If they are exhibiting normal behavior, for example, logging in from the same location at 8am each morning, Smart MFA allows the user to skip MFA. 

Select the acceptable risk level:

  • Low: Low tolerance of risk, extremely strict security standards. MFA is more than likely required with each user login.

  • Medium: Medium tolerance of risk, but strict security standards. Willing to accept a medium level of risk. MFA prompts decrease when a user exhibits predictable and secure behavior, such as logging in from the same location every day at the same time.

  • High: Somewhat strict security standards, while favoring user experience. Willing to accept a somewhat higher level of risk in exchange for an easier user experience. Does not usually require MFA, but will present an MFA challenge at appropriate times, such as unusual login locations.

Monitor Risk Calculation and Login Events

For users on policies that use Smart Access or Smart MFA, every login-related event records the risk reason and the Authentication method used. 

The screenshot below shows a login event for a user on a policy with Risk Level set to low. Because the risk level for the login attempt was calculated as medium, the user was challenged for a second authentication factor.

company apps 

You can view these events in either of the following ways:

  • Go to Users > Users, select a user, and go to the MFA tab.

  • Select a login event and view the event details.

  • Go to Activity > Events, select a login event, and view the event details.

IP Addresses

The IP Addresses tab lets you enter a whitelist of IP addresses. Any login attempts from IP addresses not on this list are denied.

Note: This IP whitelist applies to all logins, in contrast to the OTP bypassed for the following IP addresses option on the MFA tab, which only exempts users from providing secondary authentication factors when they log in from a listed address. Use spaces to separate multiple IP addresses. You can enter ranges in the format x.x.x.x-x.x.x.y.

Check Ignore X-Forwarded-For header IP addresses to ignore IP addresses that are set in the X-Forwarded-For header. Older versions of OneLogin included Forwarded-For IPs in the IP list checks, because some organizations use proxies that set the Forwarded-For header to the user's IP in proxied requests and whitelist those addresses rather than the proxy IP that actually connects to OneLogin. For new policies, Forwarded-For IPs are ignored by default.
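An added example (not the article's or OneLogin's code) that parses the space-separated address and x.x.x.x-x.x.x.y range format shared by the IP Addresses whitelist and the MFA Bypass field, evaluates a login against it, and shows what the Ignore X-Forwarded-For option changes. The whitelist, peer addresses and headers are constructed for the example; the function names are this example's own. It handles both the exact-address and range forms described above in one parser.

```python
import ipaddress


def parse_ip_list(spec):
    """Parse 'a.b.c.d e.f.g.h-e.f.g.z ...' into (start, end) address pairs.
    A single address becomes a one-element range."""
    entries = []
    for token in spec.split():
        if "-" in token:
            start_s, end_s = token.split("-", 1)
            start, end = ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)
        else:
            start = end = ipaddress.ip_address(token)
        if start.version != end.version or end < start:
            raise ValueError(f"invalid range: {token}")
        entries.append((start, end))
    return entries


def ip_allowed(ip, entries):
    """True when ip falls inside any listed address or range (same IP version only)."""
    addr = ipaddress.ip_address(ip)
    return any(
        start <= addr <= end
        for start, end in entries
        if addr.version == start.version
    )


def client_ip(peer_ip, headers, ignore_forwarded_for=True):
    """Choose the address the policy is evaluated against.

    The peer address comes from the TCP connection and cannot be forged by the
    client; X-Forwarded-For is a plain request header that any client can set.
    It is therefore only honoured when the admin explicitly opts in, which is
    appropriate only behind a proxy that overwrites the header itself."""
    if ignore_forwarded_for:
        return peer_ip
    xff = headers.get("X-Forwarded-For", "")
    if not xff.strip():
        return peer_ip
    # Leftmost entry is the originating client as reported by the proxy chain.
    return xff.split(",")[0].strip()


def login_allowed(peer_ip, headers, whitelist_spec, ignore_forwarded_for=True):
    """Evaluate one login attempt against the IP Addresses whitelist."""
    entries = parse_ip_list(whitelist_spec)
    return ip_allowed(client_ip(peer_ip, headers, ignore_forwarded_for), entries)


# Constructed whitelist using documentation address ranges.
WHITELIST = "203.0.113.10 198.51.100.0-198.51.100.255"
```

The last two assertions in the accompanying checks illustrate the note above: with the header ignored, a connection from an unlisted peer is denied even if it carries a whitelisted address in X-Forwarded-For; only when the option is off does that header value count.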

The Default Policy

Every OneLogin account arrives with a single user policy already created: the Default policy. This policy will be applied to all users in the account unless they are given a different policy individually or through a group policy assignment. There must always be a policy assigned as the default and it cannot be deleted.

To change the default policy:

  1. Go to Security > Policies.

  2. Select a policy that you want to set as the default policy.

  3. Under the dropdown More Options, click Set as default policy.

The policy is now the default policy.

Assign a Policy

You can assign a policy to users in two ways:

  • Groups - You can assign the policy to a group and then add users to the group, associating the policy to all users who are a member of the group. For more information, see Groups.
  • Manually - You can add the policy to the user directly. This will override any group policies applied to the user.

To manually add a policy to a user:

  1. Go to Users > Users and select a user.

  2. On the Authentication tab, select an existing policy in the User Security Policy drop-down menu.

    The policies will be listed by name. Selecting a policy here will override any group policy currently applied to the user. If no policy is selected, OneLogin will automatically apply the account default policy to the user. Click Save User.



