OneLogin Domains and IP addresses

Article: KB0010432 Published: 03/15/2024 Last modified: 03/15/2024

This document provides the domains, ports, and IP addresses that OneLogin uses to communicate with other services.

Use domain allow lists for your end-user systems that access the OneLogin SSO portal and other user interfaces.
Use IP allow lists for on-premises agents, like Active Directory connectors, LDAP connectors, and proxy agents, as well as for apps provisioned by OneLogin.

Note: We do not support access from anonymous IP addresses.

Table of Contents

Domains
- North America Domains
  - Backward-Compatible North America Domains
- Europe Domains
Ports
IP Addresses
TLS configuration

Domains

`your-domain.onelogin.com`
`cdn.onelogin.com`
`portal-cdn.onelogin.com`
`web-login-v2-cdn.onelogin.com`

North America Domains

`your-domain.admin.us.onelogin.com`
`your-domain.login.us.onelogin.com`
`admin.us.onelogin.com`
`dsl.us.onelogin.com`
`api.us.onelogin.com` (v1 and v2 API)
`api.onelogin.com` (legacy v.1-v.3 API)
`smux.us.onelogin.com`
`certs.us.onelogin.com`
`radius.us.onelogin.com`
`radius2.us.onelogin.com`
`ldap.us.onelogin.com`
`pki-us.onelogin.com`
`desktop-us.onelogin.com`

Backward-Compatible North America Domains

`app.onelogin.com`
`certs.onelogin.com`

Europe Domains

`your-domain.admin.eu.onelogin.com`
`your-domain.login.eu.onelogin.com`
`admin.eu.onelogin.com`
`api.eu.onelogin.com` (v1 and v2 API)
`api-eu.onelogin.com` (legacy v.1-v.3 API)
`smux.eu.onelogin.com`
`radius.eu.onelogin.com`
`radius2.eu.onelogin.com`
`ldap.eu.onelogin.com`

Ports

Allow the following ports when server components or browsers contact OneLogin:

`80` (TCP)
`443` (TCP)
`1812` (UDP)
`443` (TCP)
`636` (TCP)
`88` (TCP/UDP)
`464` (TCP/UDP)
`53` (TCP/UDP)

IP Addresses

These are general IP allow lists that can be used in (but aren't limited to) on-premise agents or Active Directory.

OneLogin customers who connect to web-login-v2-cdn.onelogin.com will access AWS Cloudfront, which has a rotating set of IP addresses. Click here for more information.

Install Active Directory on a domain-joined Windows server and open your firewall for outbound traffic to the addresses below.

North America IP Addresses

23.183.113.12	23.183.112.12
52.34.255.194/31	52.34.255.196/30
52.34.255.200/29	52.34.255.208/28
52.34.255.224/27	18.216.23.64/26 (18.216.23.64 - 18.216.23.127)
52.24.165.42	52.15.145.203
13.52.4.72/29 (13.52.4.72 - 13.52.4.79)	23.183.112.0/24
23.183.113.0/24

Europe IP Addresses

23.183.113.14
23.183.112.14
52.29.255.192/26 (52.29.255.192 - 52.29.255.255)
52.48.63.0/26 (52.48.63.0 - 52.48.63.63)
18.130.91.64/29 (18.130.91.64 - 18.130.91.71)
23.183.112.0/24
23.183.113.0/24

Email IP Addresses

OneLogin uses two dedicated IP addresses to send email:

167.89.76.151
198.21.5.193

NAS IPs for RADIUS Servers

Configure RADIUS for authentication on your device using the following settings:

When possible, use the RADIUS server domain name rather than the IP address, as IP addresses may change.

NAS Configuration	OneLogin - US	OneLogin - EU
AAA/RADIUS Primary Server	Domain: `radius.us.onelogin.com` IP: `23.183.113.15`	Domain: `radius.eu.onelogin.com` IP: `23.183.113.18`
AAA/RADIUS Secondary Server	Domain: `radius2.us.onelogin.com` IP: `23.183.112.15`	Domain: `radius2.eu.onelogin.com` IP: `23.183.112.18`
Authentication Scheme	`PAP` or `EAP-TTLS/PAP`
RADIUS Port	`UDP/1812`
Secret/Key	Enter the Secret string from your OneLogin configuration.

TLS configuration

ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
no-sslv3
no-tlsv10
no-tlsv11

Feedback

Permalink:

Was this helpful?

Yes

Domains

North America Domains

Backward-Compatible North America Domains

Europe Domains

Ports

IP Addresses

North America IP Addresses

Europe IP Addresses

Email IP Addresses

NAS IPs for RADIUS Servers

NAS Configuration

OneLogin - US

OneLogin - EU

AAA/RADIUS Primary Server

AAA/RADIUS Secondary Server

Authentication Scheme

RADIUS Port

Secret/Key

TLS configuration