OneLogin administrators have three options for configuring user credentials for an app. You set these credential configuration options on the Parameters tab when you are configuring an app for SSO:

• Configured by end-users - Available only for form-based authentication. Select this option to allow users to enter their own credentials the first time they sign into the application. Credentials are securely stored by OneLogin and auto-injected into the sign-in page by the OneLogin browser extension every time a user accesses that app. 
• Configured by admin - Select this option to allow the account administrator to set each user's credentials individually. This can be done manually on a per-user basis, or automatically by mapping the application field-values in the connector to corresponding user attributes. This is the default for SAML-enabled apps, since no password is required. When this option is selected, end-users cannot update credentials themselves.
• Configured by admin and shared by all users - Select this option to allow the account administrator to configure a single set of application credentials that will be used by every user accessing the application. A sample use case is a single set of credentials for a company Twitter account that is used by multiple users. For this configuration, administrators enter one username and password for the application.