This document provides the domains, ports, and IP addresses that OneLogin uses to communicate with other services.
- Use domain allow lists for your end-user systems that access the OneLogin SSO portal and other user interfaces.
- Use IP allow lists for on-premises agents, like Active Directory connectors, LDAP connectors, and proxy agents, as well as for apps provisioned by OneLogin.
Note: We do not support access from anonymous IP addresses.
Domains
- your-domain.onelogin.com
- cdn.onelogin.com
- portal-cdn.onelogin.com
- web-login-v2-cdn.onelogin.com
North America Domains
- your-domain.admin.us.onelogin.com
- your-domain.login.us.onelogin.com
- admin.us.onelogin.com
- dsl.us.onelogin.com
- api.us.onelogin.com (v1 and v2 API)
- api.onelogin.com (legacy v.1-v.3 API)
- smux.us.onelogin.com
- certs.us.onelogin.com
- radius.us.onelogin.com
- radius2.us.onelogin.com
- ldap.us.onelogin.com
- pki-us.onelogin.com
- desktop-us.onelogin.com
Backward-Compatible North America Domains
- app.onelogin.com
- certs.onelogin.com
Europe Domains
- your-domain.admin.eu.onelogin.com
- your-domain.login.eu.onelogin.com
- admin.eu.onelogin.com
- api.eu.onelogin.com (v1 and v2 API)
- api-eu.onelogin.com (legacy v.1-v.3 API)
- smux.eu.onelogin.com
- radius.eu.onelogin.com
- radius2.eu.onelogin.com
- ldap.eu.onelogin.com
Ports
Allow the following ports when server components or browsers contact OneLogin:
- 80 (TCP)
- 443 (TCP)
- 1812 (UDP)
- 443 (TCP)
- 636 (TCP)
- 88 (TCP/UDP)
- 464 (TCP/UDP)
- 53 (TCP/UDP)
IP Addresses
These are general IP allow lists that can be used in (but aren't limited to) on-premises agents or Active Directory.
OneLogin customers who connect to web-login-v2-cdn.onelogin.com will access AWS CloudFront, which has a rotating set of IP addresses.
Install Active Directory on a domain-joined Windows server and open your firewall for outbound traffic to the addresses below.
North America IP Addresses
- 23.183.113.12
- 23.183.112.12
- 52.34.255.194/31
- 52.34.255.196/30
- 52.34.255.200/29
- 52.34.255.208/28
- 52.34.255.224/27
- 18.216.23.64/26 (18.216.23.64 - 18.216.23.127)
- 52.24.165.42
- 52.15.145.203
- 13.52.4.72/29 (13.52.4.72 - 13.52.4.79)
- 23.183.112.0/24
- 23.183.113.0/24
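The following is an added example, not OneLogin code: it parses the North America entries above strictly, reduces them to the smallest equivalent rule set for an outbound firewall policy, and checks destinations against it. The function names are assumptions chosen for this illustration.

```python
import ipaddress

# North America entries copied from the list above (range annotations dropped).
NA_ALLOW_LIST = [
    "23.183.113.12", "23.183.112.12",
    "52.34.255.194/31", "52.34.255.196/30", "52.34.255.200/29",
    "52.34.255.208/28", "52.34.255.224/27",
    "18.216.23.64/26", "52.24.165.42", "52.15.145.203",
    "13.52.4.72/29", "23.183.112.0/24", "23.183.113.0/24",
]


def parse_entries(entries):
    """Parse each entry; strict=True rejects a CIDR with host bits set,
    which catches typos before they reach a firewall rule."""
    return [ipaddress.ip_network(e, strict=True) for e in entries]


def minimal_rules(entries):
    """Collapse overlapping and adjacent networks into an equivalent,
    smallest set. Nothing outside the published ranges is added."""
    return sorted(ipaddress.collapse_addresses(parse_entries(entries)))


def is_allowed(ip, rules):
    """True if the address falls inside any rule."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in rules)


def uncovered(destinations, rules):
    """Return the destinations that no rule covers, for example
    addresses seen in outbound-deny logs from a connector host."""
    return [d for d in destinations if not is_allowed(d, rules)]


if __name__ == "__main__":
    rules = minimal_rules(NA_ALLOW_LIST)
    for net in rules:
        print(net)
    # The two single hosts are already inside the /24s, and the two /24s
    # merge into one /23. The five 52.34.255.x blocks stay separate:
    # together they span .194-.255, so rounding them by hand to
    # 52.34.255.192/26 would also permit .192 and .193.
    print(is_allowed("52.34.255.193", rules))
```

Run the same functions over the Europe list separately so that each region's policy stays limited to its own ranges.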
Europe IP Addresses
- 23.183.113.14
- 23.183.112.14
- 52.29.255.192/26 (52.29.255.192 - 52.29.255.255)
- 52.48.63.0/26 (52.48.63.0 - 52.48.63.63)
- 18.130.91.64/29 (18.130.91.64 - 18.130.91.71)
- 23.183.112.0/24
- 23.183.113.0/24
Email IP Addresses
OneLogin uses two dedicated IP addresses to send email:
- 167.89.76.151
- 198.21.5.193
NAS IPs for RADIUS Servers
Configure RADIUS for authentication on your device using the following settings:
When possible, use the RADIUS server domain name rather than the IP address, as IP addresses may change.
| NAS Configuration | OneLogin - US | OneLogin - EU |
|---|---|---|
| AAA/RADIUS Primary Server | Domain: radius.us.onelogin.com, IP: 23.183.113.15 | Domain: radius.eu.onelogin.com, IP: 23.183.113.18 |
| AAA/RADIUS Secondary Server | Domain: radius2.us.onelogin.com, IP: 23.183.112.15 | Domain: radius2.eu.onelogin.com, IP: 23.183.112.18 |
| Authentication Scheme | PAP or EAP-TTLS/PAP | PAP or EAP-TTLS/PAP |
| RADIUS Port | UDP/1812 | UDP/1812 |
| Secret/Key | Enter the Secret string from your OneLogin configuration. | Enter the Secret string from your OneLogin configuration. |
TLS configuration
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-RSA-CHACHA20-POLY1305
- DHE-RSA-AES128-GCM-SHA256
- DHE-RSA-AES256-GCM-SHA384
- no-sslv3
- no-tlsv10
- no-tlsv11