This document provides the domains, IP addresses, and ports that OneLogin uses to communicate with other services.
Use domain allow lists (not IP allow lists) for your end-user systems that access the OneLogin SSO portal and other user interfaces. Use IP allow lists for on-premises agents, like Active Directory Connector, LDAP Connector, and Proxy Agents, as well as for apps provisioned by OneLogin.
North America & European domains
The domains below apply to US and EU shards.
cdn.onelogin.com
portal-cdn.onelogin.com
web-login-v2-cdn.onelogin.com
North America domains
your_domain.onelogin.com
your_domain.admin.us.onelogin.com
your_domain.login.us.onelogin.com
admin.us.onelogin.com
dsl.us.onelogin.com
api.us.onelogin.com (new /1 API)
api.onelogin.com (legacy v1-v3 API)
smux.us.onelogin.com
certs.us.onelogin.com
radius.us.onelogin.com
radius2.us.onelogin.com
ldap.us.onelogin.com
pki-us.onelogin.com
desktop-us.onelogin.com
Backward-compatible North America domains
app.onelogin.com
certs.onelogin.com
cdn.onelogin.com (North American & European)
portal-cdn.onelogin.com (North American & European)
web-login-v2-cdn.onelogin.com (North American & European)
Europe domains
your_domain.onelogin.com
your_domain.admin.eu.onelogin.com
your_domain.login.eu.onelogin.com
admin.eu.onelogin.com
api.eu.onelogin.com (new /1 API)
api-eu.onelogin.com (legacy v1-v3 API)
smux.eu.onelogin.com
radius.eu.onelogin.com
radius2.eu.onelogin.com
ldap.eu.onelogin.com
Ports
Allow the following ports when server components or browsers contact OneLogin:
80 (TCP)
443 (TCP)
1812 (UDP)
636 (TCP)
88 (TCP/UDP)
464 (TCP/UDP)
53 (TCP/UDP)
IP addresses
Note: These are general IP allow lists that can be used for, but are not limited to, on-premises agents or Active Directory.
Install Active Directory on a domain-joined Windows server and open your firewall for outbound traffic to the addresses in the table below.
North America
52.34.255.194/31
52.34.255.196/30
52.34.255.200/29
52.34.255.208/28
52.34.255.224/27
18.216.23.64/26 (18.216.23.64 - 18.216.23.127)
52.24.165.42
52.15.145.203
13.52.4.72/29 (13.52.4.72 - 13.52.4.79)
23.183.112.0/24
Europe
52.29.255.192/26 (52.29.255.192 - 52.29.255.255)
52.48.63.0/26 (52.48.63.0 - 52.48.63.63)
18.130.91.64/29 (18.130.91.64 - 18.130.91.71)
23.183.112.0/24
In addition, OneLogin uses two dedicated IP addresses to send email:
167.89.76.151
198.21.5.193
Note: OneLogin customers who connect to web-login-v2-cdn.onelogin.com will access AWS CloudFront, which has a rotating set of IP addresses.
NAS IP Addresses for RADIUS Servers
Configure RADIUS for authentication on your device using the following settings:
When possible, use the RADIUS server domain name rather than the IP address, as IP addresses may change.
| NAS configuration | US OneLogin DB shard | EU OneLogin DB shard |
|---|---|---|
| AAA/RADIUS primary server | radius.us.onelogin.com (52.34.255.206) | radius.eu.onelogin.com (35.156.138.255) |
| AAA/RADIUS secondary server | radius2.us.onelogin.com (18.216.23.112) | radius2.eu.onelogin.com (54.246.141.64) |

Authentication scheme: PAP, EAP-TTLS/PAP, EAP-PEAP/MSCHAPv2
RADIUS Port: UDP/1812
Secret/key: Same as the shared secret entered on the OneLogin Radius configuration page
TLS configuration
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
no-sslv3
no-tlsv10
no-tlsv11
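The following is an added example, not OneLogin code: it loads the ranges from the IP addresses section into Python's `ipaddress` module, checks whether the RADIUS server addresses from the NAS table are covered by the general list for the same shard, and sorts observed outbound destinations into allowed and unexpected. The function names and the sample destinations are constructed for illustration.

```python
import ipaddress

# Ranges copied from the "IP addresses" section of this page.
ALLOW = {
    "us": ["52.34.255.194/31", "52.34.255.196/30", "52.34.255.200/29",
           "52.34.255.208/28", "52.34.255.224/27", "18.216.23.64/26",
           "52.24.165.42", "52.15.145.203", "13.52.4.72/29", "23.183.112.0/24"],
    "eu": ["52.29.255.192/26", "52.48.63.0/26", "18.130.91.64/29",
           "23.183.112.0/24"],
}
# RADIUS server addresses copied from the NAS configuration table on this page.
RADIUS = {
    "us": {"radius.us.onelogin.com": "52.34.255.206",
           "radius2.us.onelogin.com": "18.216.23.112"},
    "eu": {"radius.eu.onelogin.com": "35.156.138.255",
           "radius2.eu.onelogin.com": "54.246.141.64"},
}

def load_networks(entries):
    """Parse strictly: a CIDR with host bits set raises ValueError, which
    catches transcription errors before they reach a firewall rule."""
    return [ipaddress.ip_network(e, strict=True) for e in entries]

def covering_network(ip, networks):
    """Return the allow-list network that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((n for n in networks if addr in n), None)

def uncovered_radius(shard):
    """RADIUS hosts whose listed IP is outside the shard's general ranges."""
    nets = load_networks(ALLOW[shard])
    return sorted(host for host, ip in RADIUS[shard].items()
                  if covering_network(ip, nets) is None)

def audit_egress(shard, destinations):
    """Split observed outbound destinations into (allowed, unexpected)."""
    nets = load_networks(ALLOW[shard])
    allowed = [d for d in destinations if covering_network(d, nets) is not None]
    return allowed, [d for d in destinations if d not in allowed]

if __name__ == "__main__":
    for shard in ALLOW:
        print(shard, "RADIUS IPs outside general list:", uncovered_radius(shard))
    # Constructed sample of destinations seen from a connector host.
    print(audit_egress("us", ["52.34.255.193", "52.34.255.194", "13.52.4.80"]))
```

With the values on this page, both US RADIUS addresses fall inside the North America ranges, while neither EU RADIUS address falls inside the Europe ranges, so a firewall for an EU RADIUS client needs rules beyond the general table.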