User policies enable you to apply security restrictions and protocols to users on an individual or group basis. User policies cover password specifications, session activity controls, multi-factor authentication, and IP address whitelists.
Creating a policy
Begin by going to Settings > Policies.
This will bring you immediately to the Policies page where you can add a New User Policy, a New App Policy, or select an existing policy to edit.
The Sign In tab provides options to control how passwords behave for the policy.
User passwords expire in - Defines the amount of time that a user's password remains valid before it must be changed.
Note. If you use an LDAP directory, Active Directory, or Google Apps (G Suite) directory with OneLogin and that directory doesn't allow password expiration, your third-party directory will respect OneLogin's policy-based password expiration settings.
Enforce password history - Defines the amount of time a user's old password stays in the system and cannot be reused.
Minimum password length - Defines the minimum required length of a user's password.
Password complexity - Defines the level of complexity that a password must have from letters, numbers, capital letters, and special characters.
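The four password settings above combine into one acceptance check when a user changes a password. The following is an added example, not OneLogin's code, showing how such a check fits together: length and character-class rules, a time-based history window (old passwords are kept as salted hashes for a configured number of days and block reuse while they are still in the system), and an expiry test. The policy values, the PBKDF2 choice, and the function names are assumptions for illustration.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

# Constructed policy values for illustration; the real values are whatever is
# set on the Sign In tab of the user policy.
POLICY = {
    "expire_days": 90,        # User passwords expire in
    "history_days": 365,      # Enforce password history (time-based)
    "min_length": 12,         # Minimum password length
    "complexity_classes": 3,  # Password complexity: character classes required
}

# Character classes named by the complexity setting.
CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def count_classes(password):
    """Number of distinct character classes present in the password."""
    return sum(1 for rx in CLASSES.values() if rx.search(password))


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 (assumed scheme). History entries store this
    digest, never the plaintext password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def in_history(password, history, now, history_days):
    """history: list of (salt, digest, set_at). Only entries younger than
    history_days are still 'in the system' and therefore block reuse."""
    cutoff = now - timedelta(days=history_days)
    for salt, digest, set_at in history:
        if set_at < cutoff:
            continue  # aged out of the history window
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def validate_new_password(password, history, now, policy=POLICY):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append("too short")
    if count_classes(password) < policy["complexity_classes"]:
        problems.append("not complex enough")
    if in_history(password, history, now, policy["history_days"]):
        problems.append("reused within history window")
    return problems


def password_expired(set_at, now, policy=POLICY):
    """True once the password has been in use for the expiry period."""
    return now - set_at >= timedelta(days=policy["expire_days"])


if __name__ == "__main__":
    now = datetime(2024, 1, 1)
    salt, digest = hash_password("Winter-2023-Pass")
    history = [(salt, digest, now - timedelta(days=30))]
    print(validate_new_password("Winter-2023-Pass", history, now))
    print(validate_new_password("Correct-Horse-Battery-9", history, now))
```

Because the history window is measured in time rather than in number of passwords, a user who rotates quickly through several passwords cannot cycle back to an old one until the configured number of days has passed.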
Trusted Devices (appears only if the OneLogin Desktop Service is enabled) - Select Don’t require browser login for trusted devices if you want users who have authenticated to their Mac device to be able to go straight to the OneLogin portal and their SSO-enabled apps without being prompted to log into OneLogin. For more information, see Managing Macs Using OneLogin Desktop.
Browser Password Manager - Allows or disallows the browser from caching passwords for applications that are integrated through form-based authentication.
Browser Extension - Enable users to download browser extensions from their Profile page. Also enable them to add apps to their personal apps or company apps list on their portal or browser extension app drop-down. For more information, see OneLogin Browser Extensions and Adding Apps using the Browser Extension for Chrome.
Security Questions - Enables security questions as an authentication factor for your users. For more information, see Security Questions.
Password Update - Allow Users to Update their Directory Password enables users on this policy to update their password in OneLogin. This will give them a "Forgot Password?" link on their login page. You can decide which options for password updates you want to make available for these users, such as Email or SMS.
Note. You should disable this option if you want your users to use their third-party directory (Active Directory, LDAP, G Suite) password for OneLogin authentication and you want them to update passwords using the third-party directory password-update tools.
This option also determines which invitation is sent to users. See Inviting Users for more information.
By enabling Resetting password unlocks user account, users resetting their password will also force their accounts to unlock, if they had been locked before.
The Session tab contains settings that control session login, lockout, and inactivity behavior.
Maximum invalid login attempts - Defines the number of times a user can enter incorrect login credentials before they are locked out of their account.
Lock effective period - Defines the period of time that a user's lockout period lasts.
Note. If you integrate OneLogin with Active Directory as your user store, and your Active Directory configuration has no lockout duration setting -- or a shorter lockout duration setting -- then OneLogin will unlock the user in Active Directory the first time a user attempts a login after the end of the lockout period set here.
Timeout should occur based on: - Select whether the user's session should timeout after a set period of Time (user must reauthenticate with OneLogin after 2 hours, for example, whether the user is active or not) or after a set period of Inactivity (user must reauthenticate with OneLogin after 2 hours of inactivity, for example). Select the amount of time from the Time Period dropdown.
Session persists when browser is closed - Select to enable a persistent session, allowing users to remain authenticated after they exit their browser. When you enable this option, you must also set the timeout basis (Time or Inactivity) and the time period for the session using the Timeout Period field.
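The lockout and timeout settings on this tab are easiest to understand as two small state machines. The following added example (not OneLogin's code) models them: a per-user lockout counter that locks for the effective period once the maximum number of invalid attempts is reached, and a session whose expiry is anchored either to the login time (Time basis) or to the last activity (Inactivity basis). The policy values and the choice to restart the failure counter when the lock is applied are assumptions.

```python
from datetime import datetime, timedelta

# Constructed policy values; the real ones come from the Session tab.
MAX_INVALID_ATTEMPTS = 5                        # Maximum invalid login attempts
LOCK_EFFECTIVE_PERIOD = timedelta(minutes=30)   # Lock effective period
TIMEOUT_PERIOD = timedelta(hours=2)             # Time Period / Timeout Period


class LoginLockout:
    """Tracks failed logins for one user and applies the lock period."""

    def __init__(self):
        self.failures = 0
        self.locked_until = None

    def is_locked(self, now):
        return self.locked_until is not None and now < self.locked_until

    def record_attempt(self, credentials_ok, now):
        """Return True only if the attempt is accepted: the account is not
        locked and the credentials are correct."""
        if self.is_locked(now):
            return False  # even correct credentials are rejected while locked
        if credentials_ok:
            self.failures = 0
            self.locked_until = None
            return True
        self.failures += 1
        if self.failures >= MAX_INVALID_ATTEMPTS:
            self.locked_until = now + LOCK_EFFECTIVE_PERIOD
            self.failures = 0  # assumed: counter restarts once the lock applies
        return False


class Session:
    """Session expiry under the two timeout bases offered by the policy."""

    def __init__(self, login_at, basis):
        if basis not in ("Time", "Inactivity"):
            raise ValueError("basis must be 'Time' or 'Inactivity'")
        self.login_at = login_at
        self.last_activity = login_at
        self.basis = basis

    def touch(self, now):
        """Record user activity; only matters for the Inactivity basis."""
        self.last_activity = now

    def expired(self, now, period=TIMEOUT_PERIOD):
        anchor = self.login_at if self.basis == "Time" else self.last_activity
        return now - anchor >= period


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0)
    by_time, by_idle = Session(t0, "Time"), Session(t0, "Inactivity")
    for s in (by_time, by_idle):
        s.touch(t0 + timedelta(hours=1, minutes=30))
    later = t0 + timedelta(hours=2, minutes=5)
    print("Time basis expired:", by_time.expired(later))
    print("Inactivity basis expired:", by_idle.expired(later))
```

Run with the sample values, the Time-based session has expired at 11:05 even though the user was active at 10:30, while the Inactivity-based session is still valid because the clock restarted on that activity.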
The MFA tab includes settings for any Multi-Factor Authentication associated with the policy.
PKI Certificate Required - Enables or disables user PKI certificates.
Allow self-installation - Allows the user to install the PKI certificates on their own. Once installed, the account will only be accessible by a browser that has the certificate installed.
OTP Auth Required - Enables or disables the OTP requirement for users to login. This setting will require you to add various methods of MFA to your account.
OTP bypassed for the following IP addresses - Enter IP addresses to allow any login attempts from those addresses to bypass the OTP login requirement. Use spaces to separate multiple IP addresses. You can enter ranges in the format x.x.x.x-x.y.z.w.
OTP required for - Defines the OTP requirement for Administrators only, All users, or only users specifically configured for it.
OTP required at - Defines whether OTP is required at every login or only the first login with an unknown browser.
Security cookie expiration - Defines how long the security cookie lasts before the user's OTP credentials must be refreshed.
The IP Addresses tab lets you enter a whitelist of IP addresses, denying login attempts from locations other than those addresses.
Note that this is a blanket IP whitelist, in contrast to the OTP bypassed for the following IP addresses option on the MFA tab, which simply exempts users from providing secondary authentication factors when they log in from a listed address. Use spaces to separate multiple IP addresses. You can enter ranges in the format x.x.x.x-x.x.x.y.
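Both the OTP bypass list on the MFA tab and the blanket whitelist on this tab use the same entry syntax: space-separated single IPv4 addresses or ranges written as x.x.x.x-x.x.x.y. Before deploying either list it is worth checking what it actually admits. The following added example (not OneLogin's code) parses a list in that syntax, answers whether a given source address is covered, summarizes each range as CIDR blocks, and flags entries a reviewer should look at: ranges wider than a chosen size and ranges that fall in RFC 1918 or loopback space. The sample entries are constructed; the threshold and the choice of flagged networks are assumptions.

```python
import ipaddress

# Networks that are unexpected in a list of public login locations (assumed).
NON_PUBLIC = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_allowlist(text):
    """Parse space-separated entries of the form a.b.c.d or a.b.c.d-w.x.y.z
    into a list of (first, last) IPv4Address pairs."""
    entries = []
    for token in text.split():
        if "-" in token:
            lo, hi = token.split("-", 1)
            first, last = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
            if last < first:
                raise ValueError(f"range end precedes start: {token}")
        else:
            first = last = ipaddress.IPv4Address(token)
        entries.append((first, last))
    return entries


def is_allowed(ip, entries):
    """True if the source address falls inside any entry."""
    addr = ipaddress.IPv4Address(ip)
    return any(first <= addr <= last for first, last in entries)


def to_cidrs(entry):
    """Express one range as the minimal list of CIDR networks."""
    first, last = entry
    return list(ipaddress.summarize_address_range(first, last))


def audit(entries, max_hosts=256):
    """Return human-readable findings for entries that deserve a second look."""
    findings = []
    for first, last in entries:
        size = int(last) - int(first) + 1
        if size > max_hosts:
            findings.append(
                f"{first}-{last}: {size} addresses, broader than {max_hosts}")
        if any(first in net or last in net for net in NON_PUBLIC):
            findings.append(f"{first}-{last}: non-public address space")
    return findings


if __name__ == "__main__":
    # Constructed sample list using documentation address blocks.
    entries = parse_allowlist("203.0.113.10 198.51.100.0-198.51.100.255")
    print(is_allowed("198.51.100.77", entries))        # True
    print([str(n) for n in to_cidrs(entries[1])])      # ['198.51.100.0/24']
    print(audit(parse_allowlist("10.0.0.0-10.255.255.255")))
```

The distinction the paragraph draws still applies to the output: an address admitted by the MFA-tab list only skips the second factor, whereas an address admitted by the IP Addresses tab list is the only kind of address allowed to log in at all, so an over-broad entry is more serious there.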
The Default Policy
Every OneLogin account arrives with a single user policy already created: the Default policy. This policy will be applied to all users in the account unless they are given a different policy individually or through a group policy assignment. There must always be a policy assigned as the default and it cannot be deleted.
To change the default policy:
Go to Settings > Policies.
Select a policy that you want to set as the default policy.
Under More Options, click Set as default policy.
The policy is now the default policy.
Assigning a Policy
You can assign a policy to users in two ways:
- Groups - You can assign the policy to a group and then add users to the group, associating the policy to all users who are a member of the group. For more information, see Groups.
- Manually - You can add the policy to the user directly. This will override any group policies applied to the user.
To manually add a policy to a user:
Go to Users > All Users and select a user.
On the Authentication page, select an existing policy in the User Security Policy drop-down menu.
The policies will be listed by name. Selecting a policy here will override any group policy currently applied to the user. If no policy is selected, OneLogin will automatically apply the account default policy to the user.
Click Save User.