Once you have installed Active Directory Connectors for your OneLogin-Active Directory integration, you must configure the integration between Active Directory and OneLogin.
To complete this configuration, do the following:
- Verify prerequisites
- Verify your Active Directory connection
- (Optional) Map Active Directory attributes to sync with OneLogin attributes
- (Optional) Switch the synchronization direction to export from OneLogin to Active Directory
- Select the Organizational Units (OUs) that you want to sync from Active Directory to OneLogin
- Set advanced Active Directory Connector settings
Before you perform the configuration described in this article, you must install at least one Active Directory Connector.
Verify your Active Directory connection
Log in to OneLogin as an admin.
Go to Users > Directories, and select the directory.
On the Connector Instances tab, verify that the Active Directory Connector instance is successfully connected.
The Status should show the word "Connected" in green. If you have installed only one Active Directory Connector instance for this Active Directory domain, both User Sync and Auth should show a check mark. For additional Active Directory Connector instances on the same Active Directory domain, only Auth should show a check mark.
Map Active Directory attributes to sync with OneLogin attributes
By default, OneLogin provides a few key directory attributes that will be imported from Active Directory to OneLogin during sync. OneLogin provides default mappings of these Active Directory fields to the OneLogin fields that will hold the synchronized values. You can add more mappings and set mappings to synchronize in the opposite direction, from OneLogin to Active Directory.
To review and update directory attribute mappings, go to the Directory Attributes tab.
In addition to the default mappings listed on this tab, OneLogin also syncs the following fields from Active Directory to OneLogin:
|Active Directory Field||OneLogin Field|
You cannot change the attributes in these default mappings or the defaults listed on the Directory Attributes tab. But you can map other Active Directory attributes to custom OneLogin fields:
- Create a custom user field. See Custom User Fields.
- On the Directory Attributes tab, click the + (plus) button above the information panel. A new attribute row is added to the bottom of the list.
- Select the AD Directory Field from the left drop-down, and then select your custom field from the OneLogin Field drop-down.
Switch the synchronization direction to export from OneLogin to Active Directory
By default, attributes are imported from Active Directory to OneLogin during sync. But you can also set user attributes to be exported from OneLogin to Active Directory. Here are two typical scenarios in which you might switch the sync direction from the default:
- You manage your user records in your HR system, like Workday or UltiPro, but you use Active Directory to manage access to network resources. You configure a Workday or UltiPro directory connector to import users and their attributes to OneLogin, and then configure an Active Directory Connector to export users and their attributes from OneLogin to Active Directory. OneLogin functions as an intermediary in the process of syncing users from the HR system to Active Directory. For more details about this scenario, see Provisioning from Workday to Active Directory using Custom Reports.
- You maintain some user records in your HR system and others in Active Directory, and you want them both in sync. For example, you could use Active Directory to manage the attributes included in the default mappings (like first name, last name, email, distinguishedName, memberOf, and so forth), and use Workday to manage attributes that tend to get updated in your HR system, like title, manager name, employee ID, and location, as in the example depicted in the screenshot below. Note that the arrows indicate the direction of sync. The default mappings point from the Active Directory field to the OneLogin field, and the remaining mappings point from the OneLogin custom field (which holds values imported from Workday) to the Active Directory field:
To switch the sync direction:
- Go to the Advanced tab, select Exporting Users, and save your changes.
- Return to the Directory Attributes tab and click the arrow on an attribute row to switch its direction. You must change one attribute row at a time.
Select the Organizational Units (OUs) that you want to sync from Active Directory to OneLogin
Go to the OU Selection tab to select the AD organizational units that you want to import into OneLogin.
The tab should display your domain's Base DN in the format
The tab opens with the tree expanded only to show nodes that have been selected. Therefore, the first time you open the tab, only the top-level node is displayed.
Expand the tree by selecting the plus button. After you have selected OUs and saved the page, the tree expands to display only the branches and nodes that include selected OUs. To view child nodes, click the plus button to expand the node. To view sibling nodes, click the ellipsis button.
The following screenshot shows the default tree view, showing only branches that include selected nodes.
The following screenshot shows the same tree, expanded after clicking the bottom ellipsis button (in line with the Stor node). Note that all of the siblings of the Stor node are now displayed.
Set advanced Active Directory Connector settings
Go to the Advanced tab to fine-tune your Active Directory Connector settings.
Base DN: If all of your OneLogin-synced Organizational Units are on one domain controller, enter the domain controller info (DC=yourcompany, DC=com) in the Base DN field to improve Active Directory Connector performance.
Mappings: Turn the toggle on to enable OneLogin to assign OneLogin role and group membership, among other user attributes, based on user membership in AD security groups. For more information, see Mappings.
Stage users: Turn the toggle on to move Active Directory users to OneLogin's staging environment (requiring manual approval of users) during sync. Turn it off to convert synced AD users automatically to active OneLogin users, without an approval step. If this option is on, you will see imported users listed as Unapproved in Users > All Users. You can activate them one by one from their user details page, or you can approve all unapproved users by clicking More Actions and selecting Approve all users from the drop-down menu.
Sync User Status from Active Directory: Select to ensure that users you disable in AD are disabled in OneLogin and deprovisioned from their apps.
Ignore computed user access control: Select to tell OneLogin not to use the Computed User Access Control attribute (msDS-User-Account-Control-Computed) in Active Directory to determine whether a user should be locked out, based on Group Policy.
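To see which accounts the two settings above would act on, the following PowerShell (an added example, not part of the OneLogin article) reads userAccountControl and msDS-User-Account-Control-Computed for every user under an OU and decodes the relevant bits. It assumes the RSAT ActiveDirectory module is installed, and the OU path is a placeholder to replace.

```powershell
# Added example: report the account state an AD sync would observe.
# Assumes the RSAT ActiveDirectory module; the OU path is a placeholder.
Import-Module ActiveDirectory

# Flag values from Microsoft's documentation of the two attributes
$ACCOUNTDISABLE      = 0x0002    # userAccountControl: account disabled in AD
$UF_LOCKOUT          = 0x0010    # msDS-User-Account-Control-Computed: locked out
$UF_PASSWORD_EXPIRED = 0x800000  # msDS-User-Account-Control-Computed: password expired

function Get-SyncVisibleAccountState {
    param(
        [Parameter(Mandatory)] [string] $SearchBase  # e.g. 'OU=Staff,DC=yourcompany,DC=com'
    )
    Get-ADUser -Filter * -SearchBase $SearchBase `
        -Properties userAccountControl, 'msDS-User-Account-Control-Computed' |
    ForEach-Object {
        # A missing computed value casts to 0, i.e. no lockout/expiry bits set
        $uac      = [int]$_.userAccountControl
        $computed = [int]$_.'msDS-User-Account-Control-Computed'
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            # "Sync User Status from Active Directory" follows this flag
            DisabledInAD    = ($uac -band $ACCOUNTDISABLE) -ne 0
            # "Ignore computed user access control" tells OneLogin to skip this attribute
            LockedOut       = ($computed -band $UF_LOCKOUT) -ne 0
            PasswordExpired = ($computed -band $UF_PASSWORD_EXPIRED) -ne 0
        }
    }
}

# Accounts that are enabled in AD but currently locked out by policy: these are
# the users whose OneLogin lockout state depends on the "Ignore computed" toggle
Get-SyncVisibleAccountState -SearchBase 'OU=Staff,DC=yourcompany,DC=com' |
    Where-Object { $_.LockedOut -and -not $_.DisabledInAD } |
    Format-Table SamAccountName, DisabledInAD, LockedOut, PasswordExpired -AutoSize
```

Run it against the same OUs you selected on the OU Selection tab before changing either toggle, so you know how many users change state.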
Enable Smart Password: Select if you are migrating from an LDAP directory to this Active Directory and you want to capture your users' LDAP passwords in Active Directory without forcing them to do a password reset.
This option works for any user who already has a record in Active Directory. When your user authenticates to OneLogin using their LDAP credentials, OneLogin does a password reset in the background and provisions the user password to Active Directory. The password is never stored in OneLogin.
OneLogin takes the user's AD domain from the Base DN value that you enter on this tab. If that value is empty, OneLogin takes the domain from the Distinguished Name (DN) as synced from the LDAP directory and stored in the OneLogin user record. In a multi-domain environment, the dc= value in the DN must match the user's Active Directory domain for password provisioning to work.
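The domain check described above can be rehearsed before enabling Smart Password. The PowerShell below is an added example (not OneLogin's code): it derives a domain from the DC= components of a DN, applies the Base DN fallback rule from the paragraph above, and compares the result with the domain of the user's actual AD account. All DNs in it are constructed placeholders.

```powershell
# Added example: check that the domain OneLogin will derive for Smart Password
# provisioning matches the domain where the user's AD account actually lives.
# All DNs below are constructed placeholders.
function Get-DomainFromDN {
    param([Parameter(Mandatory)] [string] $DistinguishedName)
    # Keep only the DC= components, in order, and join them into a DNS name.
    # PowerShell's -match is case-insensitive, so 'dc=' and 'DC=' both qualify.
    $dcParts = $DistinguishedName -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^dc=' } |
        ForEach-Object { ($_ -split '=', 2)[1] }
    ($dcParts -join '.').ToLower()
}

function Test-SmartPasswordDomain {
    param(
        [Parameter(Mandatory)] [string] $LdapDN,   # DN synced from LDAP, stored in OneLogin
        [Parameter(Mandatory)] [string] $AdUserDN, # DN of the user's real AD account
        [string] $BaseDN                           # Base DN from the Advanced tab, may be empty
    )
    # Base DN wins when set; otherwise OneLogin falls back to the stored LDAP DN
    $source  = if ([string]::IsNullOrWhiteSpace($BaseDN)) { $LdapDN } else { $BaseDN }
    $derived = Get-DomainFromDN $source
    $actual  = Get-DomainFromDN $AdUserDN
    [pscustomobject]@{
        User    = ($AdUserDN -split ',')[0]
        Derived = $derived
        Actual  = $actual
        Match   = ($derived -eq $actual)
    }
}

# Constructed sample: one Base DN, users in two child domains. The second user
# fails the check, so password provisioning would not work for that account.
$baseDN = 'DC=corp,DC=example,DC=com'
$users = @(
    @{ Ldap = 'uid=jdoe,ou=people,dc=example,dc=com';   Ad = 'CN=Jane Doe,OU=Staff,DC=corp,DC=example,DC=com' },
    @{ Ldap = 'uid=rpatel,ou=people,dc=example,dc=com'; Ad = 'CN=Raj Patel,OU=Staff,DC=emea,DC=example,DC=com' }
)
$users | ForEach-Object { Test-SmartPasswordDomain -LdapDN $_.Ldap -AdUserDN $_.Ad -BaseDN $baseDN } |
    Format-Table -AutoSize
```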
Enable auto-switch sync failover: Select if you have multiple Active Directory Connectors configured for this Active Directory and you want to fail over automatically to another Active Directory Connector if the Active Directory Connector responsible for synchronization fails. For more information, see Installing Additional Active Directory Connectors for High Availability.
Login username attribute: Select the attribute that your users should use as their user name on your company's branded OneLogin login page. The default is email address. Note that the default, unbranded login page always uses email address as the user name; if you don't brand your OneLogin login page, the setting here won't apply.
Exporting users: Select if you want to export any user attributes from OneLogin to Active Directory. To configure user attribute export to AD, you must also switch the sync direction for each attribute on the Directory Attributes tab.
Delete users in AD...: Choose what you want OneLogin to do when a user is deleted in Active Directory:
- Unaffected in OneLogin
- Suspended in OneLogin (users are set to Inactive, but their user record remains)
- Deleted in OneLogin (the user record is completely deleted from the OneLogin directory)
Account owners are never suspended or deleted, regardless of your selection here.
Enforce OneLogin password expiration policies: Enable to make Active Directory respect OneLogin's policy-based password expiration settings when the OneLogin policy is more restrictive. When you enable this setting, the most restrictive password policy always wins: if OneLogin's password expiration interval is shorter than your Active Directory's, OneLogin's is applied; if your Active Directory password expiration interval is shorter, its policy is applied.