OneLogin Domains and IP addresses
Article: KB0010432 Published: 09/07/2022 Last modified: 09/07/2022

This document provides the domains, IP addresses, and ports that OneLogin uses to communicate with other services. 

Use domain allow lists (not IP allow lists) for your end-user systems that access the OneLogin SSO portal and other user interfaces. Use IP allow lists for on-premises agents, like Active Directory Connector, LDAP Connector, and Proxy Agents, as well as for apps provisioned by OneLogin.

North America & European domains

The domains below apply to US and EU shards.

cdn.onelogin.com

portal-cdn.onelogin.com

web-login-v2-cdn.onelogin.com

North America domains

your_domain.onelogin.com
your_domain.admin.us.onelogin.com
your_domain.login.us.onelogin.com
admin.us.onelogin.com
dsl.us.onelogin.com
api.us.onelogin.com (new /1 API)
api.onelogin.com (legacy v1-v3 API)
smux.us.onelogin.com
certs.us.onelogin.com
radius.us.onelogin.com
radius2.us.onelogin.com
ldap.us.onelogin.com
pki-us.onelogin.com
desktop-us.onelogin.com

Backward-compatible North America domains

app.onelogin.com
certs.onelogin.com
cdn.onelogin.com (North American & European)
portal-cdn.onelogin.com (North American & European)
web-login-v2-cdn.onelogin.com (North American & European)

Europe domains

your_domain.onelogin.com
your_domain.admin.eu.onelogin.com
your_domain.login.eu.onelogin.com
admin.eu.onelogin.com
api.eu.onelogin.com (new /1 API)
api-eu.onelogin.com (legacy v1-v3 API)
smux.eu.onelogin.com
radius.eu.onelogin.com
radius2.eu.onelogin.com
ldap.eu.onelogin.com

Ports

Allow the following ports when server components or browsers contact OneLogin:

80 (TCP)

443 (TCP)

1812 (UDP) 

636 (TCP)

88 (TCP/UDP)

464 (TCP/UDP)

53 (TCP/UDP)

IP addresses 

Note: These are general IP allow lists that can be used for, but are not limited to, on-premises agents or Active Directory.

Install Active Directory on a domain-joined Windows server and open your firewall for outbound traffic to the addresses in the table below. 

North America

52.34.255.194/31
52.34.255.196/30
52.34.255.200/29
52.34.255.208/28
52.34.255.224/27
18.216.23.64/26 (18.216.23.64 - 18.216.23.127)
52.24.165.42
52.15.145.203
13.52.4.72/29 (13.52.4.72 - 13.52.4.79)
23.183.112.0/24
23.183.113.0/24

Europe

52.29.255.192/26 (52.29.255.192 - 52.29.255.255) 
52.48.63.0/26 (52.48.63.0 - 52.48.63.63) 
18.130.91.64/29 (18.130.91.64 - 18.130.91.71) 
23.183.112.0/24
23.183.113.0/24

In addition, OneLogin uses two dedicated IP addresses to send email:

167.89.76.151
198.21.5.193

Note: OneLogin customers who connect to web-login-v2-cdn.onelogin.com will access AWS CloudFront, which has a rotating set of IP addresses.

NAS IP Addresses for RADIUS Servers

Configure RADIUS for authentication on your device using the following settings:

When possible, use the RADIUS server domain name rather than the IP address, as IP addresses may change.

| NAS configuration | US OneLogin DB shard | EU OneLogin DB shard |
| --- | --- | --- |
| AAA/RADIUS primary server | radius.us.onelogin.com (52.34.255.206) | radius.eu.onelogin.com (35.156.138.255) |
| AAA/RADIUS secondary server | radius2.us.onelogin.com (18.216.23.112) | radius2.eu.onelogin.com (54.246.141.64) |
| Authentication scheme | PAP, EAP-TTLS/PAP, EAP-PEAP/MSCHAPv2 | PAP, EAP-TTLS/PAP, EAP-PEAP/MSCHAPv2 |
| RADIUS Port | UDP/1812 | UDP/1812 |
| Secret/key | Same as the shared secret entered on the OneLogin Radius configuration page | Same as the shared secret entered on the OneLogin Radius configuration page |
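
An added example (not part of the OneLogin article): a Python check that classifies firewall egress rule destinations against the IP ranges published above, flagging rules that summarize the ranges too widely or point outside them. The rule names and sample rules are constructed, and the check goes slightly beyond the text by handling rules that span several published ranges.

```python
import ipaddress

# Ranges copied from the "IP addresses" section of this article.
PUBLISHED = {
    "us": ["52.34.255.194/31", "52.34.255.196/30", "52.34.255.200/29",
           "52.34.255.208/28", "52.34.255.224/27", "18.216.23.64/26",
           "52.24.165.42", "52.15.145.203", "13.52.4.72/29",
           "23.183.112.0/24", "23.183.113.0/24"],
    "eu": ["52.29.255.192/26", "52.48.63.0/26", "18.130.91.64/29",
           "23.183.112.0/24", "23.183.113.0/24"],
}
# strict=True raises ValueError if an entry has host bits set (copy/paste slip).
NETS = {region: [ipaddress.ip_network(c, strict=True) for c in cidrs]
        for region, cidrs in PUBLISHED.items()}

def classify(dest, region):
    """Classify one egress rule destination against a shard's published ranges.

    covered   - every address in dest is inside the published ranges
    overbroad - dest also permits addresses outside the published ranges
    unlisted  - dest does not touch any published range
    """
    rule = ipaddress.ip_network(dest, strict=False)
    # The published ranges of one shard do not overlap, and overlapping CIDR
    # blocks are always nested, so each intersection is the smaller block.
    inside = sum(min(rule.num_addresses, net.num_addresses)
                 for net in NETS[region] if rule.overlaps(net))
    if inside == 0:
        return "unlisted"
    return "covered" if inside == rule.num_addresses else "overbroad"

# Constructed egress rules (hypothetical names): (rule name, shard, destination).
SAMPLE_RULES = [
    ("us-radius-primary", "us", "52.34.255.206/32"),   # IP from the NAS table
    ("us-summary", "us", "52.34.255.192/26"),          # hand-summarized range
    ("us-shared", "us", "23.183.112.0/23"),            # spans two listed /24s
    ("eu-radius-primary", "eu", "35.156.138.255/32"),  # IP from the NAS table
]

def audit(rules):
    """Return {rule name: verdict} for a list of (name, shard, destination)."""
    return {name: classify(dest, region) for name, region, dest in rules}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_RULES).items():
        print(f"{name:18} {verdict}")
```

For the constructed rules, the /26 summary is reported as overbroad because it also admits 52.34.255.192 and 52.34.255.193, and the EU RADIUS address from the NAS table is reported as unlisted because it is not inside the EU ranges listed above.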

TLS configuration

ECDHE-ECDSA-AES128-GCM-SHA256

ECDHE-RSA-AES128-GCM-SHA256

ECDHE-ECDSA-AES256-GCM-SHA384

ECDHE-RSA-AES256-GCM-SHA384

ECDHE-ECDSA-CHACHA20-POLY1305

ECDHE-RSA-CHACHA20-POLY1305

DHE-RSA-AES128-GCM-SHA256

DHE-RSA-AES256-GCM-SHA384

no-sslv3

no-tlsv10

no-tlsv11

