The following article assumes that you are installing, managing, and using OneLogin Desktop for Windows 2.x. If you are on OneLogin Desktop for Windows 1.x, we strongly recommend that you upgrade.
OneLogin Desktop for Windows enables your users to log into their Windows 10 computers using their OneLogin credentials and use a certificate as an authentication factor when they access their OneLogin portal page and SSO-enabled apps. In other words, your users can log in once to their Windows devices and go straight to their OneLogin portal or their SSO-enabled apps without having to provide credentials again.
OneLogin Desktop enables you, as the admin, to manage the Mac and Windows devices that use OneLogin Desktop for authentication, without having to set up and maintain your own Active Directory or LDAP directory. You manage devices through a Device Manager dashboard in OneLogin.
In order to enable this authentication process, you run an installer on your users' local machines that automatically configures a new user account that can use OneLogin credentials and authenticates against the OneLogin directory. This new user account has local admin privileges.
The installer also installs a certificate in the cert store of the new user account. If you choose to let your users authenticate directly to OneLogin SSO after logging into their Windows devices, without having to authenticate to the OneLogin portal, OneLogin Desktop uses that certificate to establish trust between OneLogin and the user account on that specific device.
This article includes the following topics:
- System requirements
- Configuring OneLogin to support OneLogin Desktop for Windows
- Installing OneLogin Desktop for Windows
- Uninstalling OneLogin Desktop for Windows
- Upgrading from OneLogin Desktop for Windows 1.0 to 2.0
- Managing devices
- Using OneLogin Desktop for Windows
- Changing your password
System requirements
- Windows 10 64-bit
- Non-domain-joined machines
- OneLogin subscription that includes Desktop for Windows
- Browsers: The latest versions of Chrome, Internet Explorer, or Edge are required to use the certificate to provide access to the OneLogin portal without having to reauthenticate.
Configuring OneLogin to support OneLogin Desktop for Windows
- Log in to OneLogin as an admin.
- Go to Devices > OneLogin Desktop and select the Windows tab.
- Toggle the Enable OneLogin Desktop Service For Windows button on.
This turns on the VLDAP Service, which makes your OneLogin Cloud Directory into an LDAP server that OneLogin Desktop uses to authenticate Windows users against OneLogin.
This button is available only if your subscription includes OneLogin Desktop.
Note. If you already use the VLDAP service, you may have configured IP address restrictions for it. These do not apply to OneLogin Desktop. If OneLogin applied the IP address whitelist on the VLDAP service configuration page to OneLogin Desktop users, your users would be unable to log into their Windows devices when they are away from the office. For more information, see Using the OneLogin Virtual LDAP Service.
- Download the installer.
- Copy the token.
- (Optional) Change the Automatically push new updates setting.
This setting is turned on by default. It pushes new updates to your OneLogin Desktop for Windows installed users automatically so that you don't have to reinstall updates using the downloaded installer.
- (Optional) Give your users the ability to go straight to their OneLogin portal or SSO-enabled apps without logging in.
If you want users who have authenticated to their Windows device to be able to go straight to the OneLogin portal and their SSO-enabled apps without being prompted to log into OneLogin, you must create or update a user policy that enables this browser login bypass:
- Click the user policies link or go to Users > Policies.
- Click New User Policy or select an existing user policy to update.
- Under Trusted Devices, select Don’t require browser login for trusted devices.
Note that this option appears only if you have already enabled the OneLogin Desktop Service for Windows in step 3, above.
- Assign the policy to the appropriate users.
For more information about creating and assigning user policies, see User Policies.
Installing OneLogin Desktop for Windows
If you want your users to install OneLogin Desktop on their Windows computers themselves, you must distribute the installer that you downloaded and the token that you copied from the OneLogin Desktop page in the OneLogin admin portal. We recommend, however, that admins perform the installation.
To install OneLogin Desktop using the Windows installer:
- Copy the downloaded OneLoginDesktop.msi installer to the device.
Run the installer, clicking Next on each page except as noted below.
- Accept the Terms.
- On the Enter your token page, enter the token that was copied from the OneLogin Devices > OneLogin Desktop page.
To install OneLogin Desktop from the command line:
You can use the command line to install OneLogin Desktop on one device or silently on multiple devices in your network.
Run your preferred variation of the following from the command line.
msiexec -i OneLoginDesktop.msi OLENV=https://dsl.us.onelogin.com REGTOKEN=yourtoken /l*v t.txt
(For accounts resident in OneLogin's EU database shard, use
When installation is complete, a new user account will be present on each client device, with a certificate installed in the new account's certificate store. Users can now log into their devices with that account, using their OneLogin email (or username) and password.
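The command-line install described above, wrapped for unattended deployment. This is an added example, not OneLogin's own tooling. It assumes the downloaded MSI is Authenticode-signed, and the script parameters and log location are illustrative choices; OLENV and REGTOKEN are the properties from the command shown earlier.

```powershell
# Added example (not from OneLogin). Parameter names and paths are assumptions.
param(
    [Parameter(Mandatory)] [string] $MsiPath,    # e.g. C:\Deploy\OneLoginDesktop.msi
    [Parameter(Mandatory)] [string] $RegToken,   # token copied from Devices > OneLogin Desktop
    [string] $OlEnv   = 'https://dsl.us.onelogin.com',  # value used in the article's command
    [string] $LogPath = (Join-Path $env:TEMP 'OneLoginDesktop-install.log')
)

$ErrorActionPreference = 'Stop'

# Refuse to run an installer whose Authenticode signature does not validate.
# Assumption: the MSI you downloaded is signed; remove this check if it is not.
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
if ($sig.Status -ne 'Valid') {
    throw "Installer signature status is '$($sig.Status)'; not installing."
}
Write-Host "Signed by: $($sig.SignerCertificate.Subject)"

# Same properties as the article's command, plus /qn for a silent install.
$msiArgs = @(
    '/i', "`"$MsiPath`"",
    "OLENV=$OlEnv",
    "REGTOKEN=$RegToken",
    '/qn',
    '/l*v', "`"$LogPath`""
)
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# A verbose MSI log records the command line and property values, so the
# registration token is written to the log file. Redact it before the log
# is collected centrally or left behind on the device.
if (Test-Path -LiteralPath $LogPath) {
    $text = Get-Content -LiteralPath $LogPath -Raw
    $text = $text -replace [regex]::Escape($RegToken), '<REDACTED>'
    Set-Content -LiteralPath $LogPath -Value $text -Encoding Unicode
}

# 0 = success, 3010 = success but a restart is required.
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec failed with exit code $($proc.ExitCode); see $LogPath"
}
Write-Host "OneLogin Desktop installed (exit code $($proc.ExitCode))."
```

Run it from an elevated session; the log is kept for troubleshooting but no longer contains the token.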
Uninstalling OneLogin Desktop for Windows
To uninstall, do one of the following:
- Run msiexec -x OneLoginDesktop.msi from the command line.
- Go to the Start menu, select All apps, and find OneLogin Desktop. Right-click on the app and click Uninstall from the drop-down menu that appears.
Upgrading from OneLogin Desktop for Windows 1.0 to version 2.0
To upgrade from OneLogin Desktop for Windows 1.0 to version 2.0 you must:
Upgrades from OneLogin Desktop for Windows 2.x to a later version are automatic, as long as the admin selected the Automatically push new updates option on the Devices > OneLogin Desktop page in the admin portal.
Managing devices
OneLogin provides a Devices dashboard that lets you manage the Mac and Windows devices that use OneLogin Desktop for authentication. Go to Devices > Devices.
You can search by user or device name and filter by device type (operating system) and status (Trusted or Registered).
A Trusted user/device is one that can use a certificate as an authentication factor in place of passwords and MFA when authenticating to the OneLogin portal or SSO-enabled apps. A Trusted user account/device is one that allows the user to log in using their OneLogin credentials and go straight to their OneLogin portal or SSO-enabled, browser-based apps without authenticating again using the browser. By definition, a Trusted user account is one that is assigned to a User Policy enabled for Trusted devices.
A Registered user/device is one that has had OneLogin Desktop installed but no certificate installed. Registered users authenticate against OneLogin to access their user account on their device, but cannot skip authentication when accessing the OneLogin portal or SSO-enabled apps.
Click a user/device row to view details, unbind, and remove device access for a user.
Click Unbind user from device to free up the device to be bound to another user. The next user in your organization to log in to the device using their OneLogin credentials will then be bound to the device. The device will remain in the devices list on the Devices dashboard.
Click Remove to unbind a device from the current user and delete it from the list on the Devices dashboard.
Important! If you want to remove the OneLogin Desktop user account from the device itself, you must uninstall OneLogin Desktop from the device by running the following from the command line:
msiexec -x OneLoginDesktop.msi
If you want to deny a user the ability to bind to a device that has OneLogin Desktop installed, you must delete or suspend that user in OneLogin.
You can also view a user’s OneLogin Desktop-authenticated devices by going to the Devices tab on the user record (Users > All Users > select the user).
Using OneLogin Desktop for Windows
Logging in for the first time
Once OneLogin Desktop is installed on your Windows computer, you can log in to the OneLogin Desktop user account using your OneLogin email (or username) and password. The account will be labeled "OneLogin."
The first OneLogin user in your organization to log in will be bound to the new OneLogin Desktop account.
Accessing the OneLogin portal or SSO-enabled apps
If your admin has given you the ability to skip OneLogin browser authentication when you're logged in to your Windows computer with your OneLogin credentials, open your browser and go to your OneLogin portal.
The first time you try to authenticate to OneLogin from your browser (whether you are logging in to your OneLogin portal or trying to access an app through OneLogin SSO), you will be prompted to Log in with OneLogin Desktop or accept the OneLogin certificate that was installed, depending on your browser.
You will be prompted to log in with OneLogin Desktop or accept the certificate each time you restart your browser or clear your browser cache.
Firefox does not allow certificates to be used to authenticate to a third party like OneLogin; therefore it does not support OneLogin "Machine SSO" in this release, and you must log in to OneLogin using your OneLogin portal login page.
Changing your password
You cannot change your password on your Windows computer. You must change it using OneLogin.
To change your password:
- Open a browser and log in to your OneLogin portal.
- Go to your user Profile page.
- Select Change Password.
- Enter your current password and your new password.
- Log out and back into your OneLogin Desktop account on your Windows computer.
Who can log into the device once OneLogin Desktop is installed?
The first user to log into the new account using OneLogin account credentials will be “bound” to the device and to OneLogin. After initial login, no other user will be able to use their OneLogin credentials to access the machine unless your OneLogin admin unbinds or removes the user account/device from the device list at Devices > Devices.
Your device can, however, support multiple accounts that are not managed by OneLogin -- an admin account for example.
What will happen to my data and settings when the installer is creating a new profile?
Your data will remain under the local account, and your settings will be copied from the local account to the new account created by OneLogin Desktop installer.
What happens if I have Desktop SSO enabled for my organization? Will I be logged into the device automatically?
No, Desktop SSO and OneLogin Desktop for Windows are separate features. Users will still have to enter their credentials when logging into the device.
How do I change my password?
You change the password for your OneLogin-managed account on the Profile page (User menu > Profile) in the OneLogin portal.
What happens if I try to change my password locally, on the device?
If you change your password locally, your new password will work to log you in after you lock the device. But once you sign out of the device, OneLogin sets the password back to your OneLogin password.
What happens after I change my password in OneLogin?
If your device is connected to the internet, then you simply use your new password when you log in. If your device is offline, you must continue to use your old password until you are connected to the internet.
How do I remove a user's access to a device?
You can unbind the user from the device or remove the user/device from the Devices dashboard; once another user has logged in to the OneLogin Desktop account on the device, that second user will be bound to it and the first user will have no access. Alternatively, you can suspend or delete the user in OneLogin.
What happens when I uninstall OneLogin Desktop?
When you uninstall OneLogin Desktop, all OneLogin software is removed from the device, and the OneLogin user account is converted into a local account. However, the user account remains “bound” to the device in OneLogin, and if you reinstall OneLogin Desktop, only the bound user account can access the device using OneLogin credentials. If you want another OneLogin user to have access to the device, your admin must unbind the user account from the device on the Devices > Devices dashboard page.
If your admin uninstalls OneLogin Desktop after a user session is no longer active, and then wants to reinstall OneLogin Desktop and log in again as the still-bound user, the admin must change the user’s password locally on the device.
Do I need to restart my device after uninstalling?
No, you do not need to restart your device.