By default, OneLogin acts as your virtual directory in the cloud, which means that manually-created users will be authenticated using their password in OneLogin. You can also integrate with external directories, such as Active Directory and LDAP. OneLogin supports the following types of directories:
The purpose of single sign-on is to have one password that signs you into everything. We call this the SSO password. Where this password resides for a particular user depends on which directory the user is linked to. For example, users that don't belong to a directory will have their SSO password in OneLogin, whereas users synced with Active Directory will have their password stored in Active Directory instead of OneLogin.
You can choose to filter imported users through a staging area before they are turned into live users in OneLogin. This can be quite useful, since Active Directory and LDAP servers can often contain a large number of users that you don't want to import, such as former employees or entries that are incorrectly categorized as users, but are really meeting rooms or printers.
The staging area allows you to manually approve who gets created as a real user. You can even return a user to the staging area by deleting the user, but be aware that this operation causes the user to lose all of his or her data. The staging area also prevents users you have deleted from getting re-created on subsequent directory syncs.
Users can be imported from any number of directories. For example, you might have your employees in Active Directory and contractors in an LDAP server. You can even integrate with multiple Active Directory instances if you like.
Users that are imported from a directory will automatically be linked to that directory. If it supports authentication, the user will be authenticated against its directory when signing into OneLogin. Active Directory, LDAP and Google Apps all support authentication, but SaaS applications used as a directory do not, and in these cases the user will be signing in with their OneLogin password.
You can change a user's directory association at any time.