A PKI certificate is a file issued by OneLogin and installed in a user's browser. Whenever that user signs into OneLogin with their username and password, OneLogin validates that the PKI certificate installed in their browser matches the one registered to them in OneLogin.
Prerequisites
Users must have an email address registered to their account to use OneLogin PKI-based certificates.
Requiring Certificates
Certificate requirements can be configured in any user policy and assigned to users accordingly. You can choose between installing certificates in a user's browser manually or allowing users to install them the next time they sign into OneLogin.
Warning: All users with device trust required, including admins, can only access OneLogin if a PKI certificate is installed on their device. If an administrator account becomes locked out, please contact OneLogin Support for assistance.
Creating and Downloading Certificates
If you choose not to allow self-installations, you need to manually create and install certificates for your users.
- Go to the user record for the relevant user and select Download PKI Cert from the More Actions menu.
- If this is the first time you're downloading this certificate, create a new password, enter it, and click Download. Make sure to keep this password in your records, as it will be required to re-download the certificate.
- If you are re-downloading this certificate to replace a lost or expired certificate, enter the password you previously created.
Note: When you generate a new certificate, any previous certificates are no longer valid. They are not revoked from existing installations, but cannot be used in new installations.
- Install the certificate on the user's device, or distribute the certificate to them with a safe distribution method and instruct them to install it on their device. Windows and Mac OS X operating systems handle certificate installation themselves. For Linux, you must use browser-specific certificate installation processes.
Important: Ensure that you or the user deletes the certificate file from their hard drive after the certificate is installed. Certificates should be handled with care, just like a physical authentication token such as a USB key.
Browser Compatibility
OneLogin's certificates support Chrome, Firefox, and Safari. Windows and Mac OS have certificate management built into the OS, while browsers on Linux must deal with the certificates themselves.
Note: On Apple iOS devices, apps using Safari View Controller can download OneLogin Protect PKI certificates, but apps using their own web view cannot.
| | Chrome | Firefox | Safari |
|---|---|---|---|
| Linux | Built-in | Built-in | |
| Windows | Certificate Manager | Certificate Manager | |
| Mac OS X | Keychain | Keychain | Keychain |
| Apple iOS | | | Keychain |