Enterprise Sandbox
Article: KB0011402 Published: 07/26/2023 Last modified: 07/26/2023

The Enterprise Sandbox allows administrators to create a clone of near-production data to test and validate changes to OneLogin. We designed this with DevOps principles in mind to provide developers with an environment similar to production, but safely disconnected from end users, applications, and directory integrations. This enables you to design, build, and test without affecting the production environment. As deployments become more complex, testing new configurations for hundreds of apps and thousands of users becomes a challenge. To avoid surprises in production, the Enterprise Sandbox enables teams to test within the secure confines of a separate, semi-production environment.

An Enterprise Sandbox can be used to test mappings, user lifecycle and provisioning, or newly released functionality - all without affecting the production environment and with no impact to end users.

Getting Started with OneLogin's Enterprise Sandbox

Take a look at this brief training video to learn more about how to get started!


Prerequisites

  • Enterprise Sandbox is a paid feature. Contact your account manager to get started.
  • Only account owners or admins assuming account owners can use this feature.

 


 

Configuring a Sandbox

  1. From the admin console, go to Settings > Sandboxes to view the Sandbox management panel.


  2. To start cloning your data, choose the line item for your sandbox.


    Note: The usual admin navigation bar is hidden in the sandbox configuration. Click Administration at any time to revert to the previous navigation options.

  3. Review or update the sandbox's Settings. If necessary, you can click Assume Account Owner to take on the correct account if you have Assume Users privileges. When ready, click Clone Now.

    • Name: Enter a name for this sandbox.
    • Description: Enter a description for this sandbox.
    • Domain Name: This is the URL for your sandbox environment; you can log into it with the same credentials used for your production environment.

  4. A confirmation message appears. There will be a few minutes of downtime as the service provider updates the data.

    The duration of the cloning process depends on the complexity of the production account. It is rare for a full clone to exceed 2 hours, but it may take longer for customers with complex production accounts. No cloning job should exceed 24 hours.

  5. Go to History to view active & completed cloning jobs. Refresh the page to see the latest status.


  6. Once cloning is complete, you can enter the sandbox through Assume Owner or by accessing the Domain Name URL in Settings.

  7. To enable other users to access the sandbox, go to Users in the sandbox environment to activate or invite the necessary user accounts as you would in a production environment.

  8. To refresh the data in your sandbox with the most current production data, simply clone again. Keep in mind that you will have to activate users again as all users are automatically toggled to Inactive each time a fresh clone initiates.

Troubleshooting

Difficulty Logging In

If a user has trouble logging in, they may be on a user policy in the production environment that requires MFA but does not allow MFA registration. Create a new policy for your sandbox users that either does not require MFA or permits MFA registration.

You can either create and assign this policy in your production environment so that it is always cloned into new sandboxes, or in the sandbox environment for only temporary usage.

 


 

Cloning and Security Considerations

One of the top concerns with copying data from production to a sandbox is external integrations. A worst-case scenario is deleting users in a sandbox environment and then discovering that the integration with your production G Suite was still active, so the users in G Suite were deleted as well.

To protect against that scenario, the sync with the sandbox includes these safety measures:

  • For all apps, provisioning and SSO are automatically disabled.
  • For all directories, directory tokens are replaced with autogenerated values tied to the Account ID of the sandbox.
  • Trusted IDPs are cloned, but disabled.
  • OneLogin Access is disabled.
  • Webhooks are disabled.
  • All notifications are disabled.
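
The safety measures above can be spot-checked after each clone, before any destructive test is run in the sandbox. The following is an added example, not OneLogin code: the inventory schema, field names and sample values are hypothetical and would be filled in by hand from the sandbox admin console.

```python
import hashlib

def fingerprint(token: str) -> str:
    """SHA-256 fingerprint, so production tokens never sit in the audit input."""
    return hashlib.sha256(token.encode()).hexdigest()

def audit_sandbox(sandbox: dict, prod_token_fingerprints: set) -> list:
    """Return findings; an empty list means every safety measure held."""
    findings = []
    for app in sandbox["apps"]:
        for key, label in (("provisioning_enabled", "provisioning"),
                           ("sso_enabled", "SSO")):
            if app.get(key, True):  # a missing field is treated as unsafe
                findings.append(f"app {app['name']}: {label} still enabled")
    for d in sandbox["directories"]:
        # A sandbox token matching production means the clone could still
        # reach the production directory integration.
        if fingerprint(d["token"]) in prod_token_fingerprints:
            findings.append(f"directory {d['name']}: production token reused")
    for kind in ("trusted_idps", "webhooks"):
        for item in sandbox[kind]:
            if item.get("enabled", True):
                findings.append(f"{kind} {item['name']}: still enabled")
    for key, label in (("onelogin_access_enabled", "OneLogin Access"),
                       ("notifications_enabled", "notifications")):
        if sandbox.get(key, True):
            findings.append(f"{label}: still enabled")
    return findings

# Constructed sample data (hypothetical schema, placeholder values).
PROD_FPS = {fingerprint("prod-dir-token-EXAMPLE")}
CLEAN = {
    "apps": [{"name": "hr-app", "provisioning_enabled": False, "sso_enabled": False}],
    "directories": [{"name": "corp-ad", "token": "sandbox-autogen-EXAMPLE"}],
    "trusted_idps": [{"name": "partner-idp", "enabled": False}],
    "webhooks": [{"name": "siem-feed", "enabled": False}],
    "onelogin_access_enabled": False,
    "notifications_enabled": False,
}
DRIFTED = dict(
    CLEAN,
    apps=[{"name": "hr-app", "provisioning_enabled": True, "sso_enabled": False}],
    directories=[{"name": "corp-ad", "token": "prod-dir-token-EXAMPLE"}],
    webhooks=[{"name": "siem-feed"}],  # "enabled" missing: flagged as unsafe
)

if __name__ == "__main__":
    for name, inv in (("clean", CLEAN), ("drifted", DRIFTED)):
        print(name, audit_sandbox(inv, PROD_FPS) or "no findings")
```

Treating a missing field as enabled makes the audit fail closed when the inventory is incomplete.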

Data Replication

Objects Copied in Sandbox

Data replication in Enterprise Sandboxes includes the following objects:

  • Apps
  • Branding
  • Connectors
  • Desktop SSO
  • Directories
  • Events (past 30 days)
  • Groups
  • Mappings
  • Policies
  • Proxy Agents
  • Roles
  • VPN
  • Tabs
  • Trusted IdPs
  • User Fields
  • Users

Objects Not Copied in Sandbox

For privacy, security, and efficiency reasons, the following objects are not copied during cloning:

  • API Keys/Credentials
  • Certificates
  • Events (older than 30 days)
  • Personal Apps
  • MFA Devices
  • MFA Factor Instances
  • Secure Notes
  • VLDAP*
  • RADIUS*
  • Privileges*

*Coming in future releases

 


 

Frequently Asked Questions

Can I exempt certain records from cloning, for example user records?

Not currently; partial cloning is not supported at this time.

How do I integrate my OneLogin Enterprise Sandbox with test directory/app instances?

Apps and directories can be manually integrated with the sandbox after cloning; automatic integration is not currently supported.

Are there any APIs to manage Enterprise Sandboxes?

Enterprise Sandbox APIs are currently in development and will include List, Get, Update, and Initiate-Clone.

Note: Create and Delete APIs will not be exposed externally as these functions are executed automatically based on purchases of licenses.

If my production environment is in the US shard, can I test it as a sandbox environment in the EU shard?

No; production and sandbox accounts must reside in the same shard.

