User policies enable you to apply security restrictions and protocols to users on an individual or group basis. User policies cover everything from password specifications, session activity controls, multi-factor authentication, and IP address whitelists.
Creating a Policy
Begin by going to Settings > Policies.
This will bring you immediately to the Policies page where you can add a New User Policy, a New App Policy, or select an existing policy to edit.
The Sign In tab provides options to control how passwords behave for the policy.
User passwords expire in - Defines the amount of time that a user's password remains valid before it must be changed.
Note. If you use an LDAP directory, Active Directory, or Google Apps (G Suite) directory with OneLogin and that directory doesn't allow password expiration, your third-party directory will respect OneLogin's policy-based password expiration settings.
Enforce password history - Defines the amount of time a user's old password stays in the system and cannot be re-used again.
Minimum password length - Defines the minimum required length of a user's password.
Password complexity - Defines the level of complexity that a password must have from letters, numbers, capital letters, and special characters.
Trusted Devices (appears only if the OneLogin Desktop Service is enabled) - Select Don’t require browser login for trusted devices if you want users who have authenticated to their Mac device to be able to go straight to the OneLogin portal and their SSO-enabled apps without being prompted to log into OneLogin. For more information, see Managing Macs Using OneLogin Desktop.
Browser Password Manager - Allows or disallows the browser from caching passwords for applications that are integrated through form-based authentication.
Browser Extension - Enable users to download browser extensions from their Profile page. Also enable them to add apps to their personal apps or company apps list on their portal or browser extension app drop-down. For more information, see OneLogin Browser Extensions and Adding Apps using the Browser Extension for Chrome.
Security Questions - Enables security questions as an authentication factor for your users. For more information, see Security Questions.
Password Update - Allow Users to Update their Directory Password enables users on this policy to update their password in OneLogin. This will give them a "Forgot Password?" link on their login page. You can decide which options for password updates you want to make available for these users, such as Email or SMS.
Note. You should disable this option if you want your users to use their third-party directory (Active Directory, LDAP, G Suite) password for OneLogin authentication and you want them to update passwords using the third-party directory password-update tools.
This option also determines which invitation is sent to users. See Inviting Users for more information.
By enabling Resetting password unlocks user account, users resetting their password will also force their accounts to unlock, if they had been locked before.
The Session tab contains the control session login, lockout, and inactivity behavior.
Maximum invalid login attempts - Defines the number of times a user can fail to input incorrect login credentials before they are locked out of their account.
Lock effective period - Defines the period of time that a user's lockout period lasts.
Note. If you integrate OneLogin with Active Directory as your user store, and your Active Directory configuration has no lockout duration setting -- or a shorter lockout duration setting -- then OneLogin will unlock the user in Active Directory the first time a user attempts a login after the end of the lockout period set here.
Timeout should occur based on: - Select whether the user's session should timeout after a set period of Time (user must reauthenticate with OneLogin after 2 hours, for example, whether the user is active or not) or after a set period of Inactivity (user must reauthenticate with OneLogin after 2 hours of inactivity, for example). Select the amount of time from the Time Period dropdown.
Session persists when browser is closed - Select to enable a persistent session, allowing users to remain authenticated after they exit their browser. When you enable this option, you must also set the timeout basis (Time or Inactivity) and the time period for the session using the Timeout Period field.
The MFA tab includes settings for any Multi-Factor Authentication associated with the policy.
Browser PKI Certificates
PKI Certificate Required - Enables or disables user PKI certificates.
Allow self-installation - Allows the user to install the PKI certificates. Once installed, the user's account is only accessible from a browser with that certificate installed.
Certificate expires in - Defines the duration of the PKI certificate.
OTP Auth Required - Enables or disables the OTP requirement for users to login. This setting will require you to add various methods of MFA to your account.
MFA Device Registration
Users without a MFA device must register one before being able to login - Enables or disables the requirement for users to register a MFA device during the login process. Users are prompted to register a MFA device, if no device is registered, when this is enabled. The default setting is enabled. When disabled, users who do not have a registered device will not be able to register one or log in.
OTP bypassed for the following IP addresses - Enter IP addresses to allow login attempts from the specified IP addresses to bypass the OTP login requirement. Use spaces to separate multiple IP addresses. You can enter ranges in the format x.x.x.x-x.y.z.w.
OTP required for - Defines the OTP requirement for Administrators only, All users, or Configured users only. For Configured users only, OTP is required if the user is specifically configured for OTP. If this option is selected, and the user isn't configured for OTP, then OTP will not be required.
OTP required at - Defines whether OTP is required for every login or the first login from an unknown browser.
Security cookie expiration - (days) Defines duration of the security cookie before the user's OTP credentials must be refreshed.
Enable - Enables or disables Adaptive MFA and allows you to set the Risk level.
- No calculated risk - Require MFA if the login's risk factor is calculated as less than 5. Login attempts that fit a pattern of behavior that machine learning recognizes over time as safe (for example, the user is logging in from their home IP address/OS/browser) will eventually be calculated as less than 5.
- Low calculated risk - Require MFA if the login's risk factor is calculated between 5 to 25. This is more strict than No calculated risk. MFA is more likely required with user login.
- Medium calculated risk - Require MFA if the login's risk factor is calculated between 26 to 50. This is more strict than Low calculated risk. MFA requirement is increasingly likely with user login.
Monitoring Risk Calculation and Login Events
For users on policies that use Adaptive Authentication for MFA, every login-related event records the risk calculation, risk reasons, and whether login was passed through with or without a second-factor challenge.
The screenshot below shows a login event for a user on a policy with Risk Level set to Low (calculated risk between 5 - 25 results in MFA requirement). Because the risk level for the login attempt was calculated as 36, the user was challenged for a second authentication factor.
You can view these events in either of the following ways:
Go to Users > All Users, select a user, and go to the MFA tab.
Select a login event and view the event details.
Go to Activity > Events, select a login event, and view the event details.
The IP Addresses tab lets you enter a whitelist of IP addresses, denying login attempts from locations other than those addresses.
Note that this is a blanket IP whitelist, in contrast to the OTP bypassed for the following IP addresses option on the MFA tab, which simply exempts users from providing secondary authentication factors when they log in from a listed address. Use spaces to separate multiple IP addresses. You can enter ranges in the format x.x.x.x-x.x.x.y.
The Default Policy
Every OneLogin account arrives with a single user policy already created: the Default policy. This policy will be applied to all users in the account unless they are given a different policy individually or through a group policy assignment. There must always be a policy assigned as the default and it cannot be deleted.
To change the default policy:
Go to Settings > Policies.
Select a policy that you want to set as the default policy.
Under More Options, click Set as default policy.
The policy is now the default policy.
Assigning a Policy
You can assign a policy to users in two ways:
- Groups - You can assign the policy to a group and then add users to the group, associating the policy to all users who are a member of the group. For more information, see Groups.
- Manually - You can add the policy to the user directly. This will override any group policies applied to the user.
To manually add a policy to a user:
Go to Users > All Users and select a user.
On the Authentication page, select an existing policy in the User Security Policy drop-down menu.
The policies will be listed by name. Selecting a policy here will override any group policy currently applied to the user. If no policy is selected, OneLogin will automatically apply the account default policy to the user.
Click Save User.