This document provides the domains, IP addresses, and ports that OneLogin uses to communicate with other services.
Use domain allow lists (not IP allow lists) for your end-user systems that access the OneLogin SSO portal and other user interfaces. Use IP allow lists for on-premises agents, like Active Directory Connector, LDAP Connector, and Proxy Agents, as well as for apps provisioned by OneLogin.
North America & European domains
The domains below apply to US and EU shards.
cdn.onelogin.com
portal-cdn.onelogin.com
web-login-v2-cdn.onelogin.com
North America domains
your_domain.onelogin.com
your_domain.admin.us.onelogin.com
your_domain.login.us.onelogin.com
admin.us.onelogin.com
dsl.us.onelogin.com
api.us.onelogin.com (new /1 API)
api.onelogin.com (legacy v1-v3 API)
smux.us.onelogin.com
certs.us.onelogin.com
radius.us.onelogin.com
radius2.us.onelogin.com
ldap.us.onelogin.com
pki-us.onelogin.com
desktop-us.onelogin.com
Backward-compatible North America domains
app.onelogin.com
certs.onelogin.com
cdn.onelogin.com (North American & European)
portal-cdn.onelogin.com (North American & European)
web-login-v2-cdn.onelogin.com (North American & European)
Europe domains
your_domain.onelogin.com
your_domain.admin.eu.onelogin.com
your_domain.login.eu.onelogin.com
admin.eu.onelogin.com
api.eu.onelogin.com (new /1 API)
api-eu.onelogin.com (legacy v1-v3 API)
smux.eu.onelogin.com
radius.eu.onelogin.com
radius2.eu.onelogin.com
ldap.eu.onelogin.com
Ports
Allow the following ports when server components or browsers contact OneLogin:
80 (TCP)
443 (TCP)
1812 (UDP)
443 (TCP)
636 (TCP)
88 (TCP/UDP)
464 (TCP/UDP)
53 (TCP/UDP)
IP addresses
Note: These are general IP allow lists that can be used, but isn't limited to, on-premise agents or Active Directory.
Install Active Directory on a domain-joined Windows server and open your firewall for outbound traffic to the addresses in the table below.
North America
|
52.34.255.194/31
52.34.255.196/30
52.34.255.200/29
52.34.255.208/28
52.34.255.224/27
18.216.23.64/26 (18.216.23.64 - 18.216.23.127)
52.24.165.42
52.15.145.203
13.52.4.72/29 (13.52.4.72 - 13.52.4.79)
23.183.112.0/24
|
Europe
|
52.29.255.192/26 (52.29.255.192 - 52.29.255.255)
52.48.63.0/26 (52.48.63.0 - 52.48.63.63)
18.130.91.64/29 (18.130.91.64 - 18.130.91.71)
23.183.112.0/24
|
In addition, OneLogin uses two dedicated IP addresses to send email:
167.89.76.151
198.21.5.193
Note: OneLogin customers who connect to web-login-v2-cdn.onelogin.com will access AWS Cloudfront, which has a rotating set of IP addresses. For more information, click here.
NAS IP Addresses for RADIUS Servers
Configure RADIUS for authentication on your device using the following settings:
When possible, use the RADIUS server domain name rather than the IP address, as IP addresses may change.
| NAS configuration |
US OneLogin DB shard |
EU OneLogin DB shard |
| AAA/RADIUS primary server |
radius.us.onelogin.com
(52.34.255.206) |
radius.eu.onelogin.com
(35.156.138.255) |
| AAA/RADIUS secondary server |
radius2.us.onelogin.com
(18.216.23.112) |
radius2.eu.onelogin.com
(54.246.141.64) |
| Authentication scheme |
PAP, EAP-TTLS/PAP, EAP-PEAP/MSCHAPv2 |
| RADIUS Port |
UDP/1812 |
| Secret/key |
Same as the shared secret entered on the OneLogin Radius configuration page |
TLS configuration
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
no-sslv3
no-tlsv10
no-tlsv11 |