How does this affect me?
The previously provided range of IP addresses should be removed from any explicit allow list and be replaced with the new range.
This document provides the domains, IP addresses, and ports that OneLogin uses to communicate with other services.
Use domain allow lists (not IP allow lists) for your end-user systems that access the OneLogin SSO portal and other user interfaces. Use IP allow lists for on-premises agents, like Active Directory Connector, LDAP Connector, and Proxy Agents, as well as for apps provisioned by OneLogin.
North America & European domains
The domains below apply to US and EU shards.
cdn.onelogin.com
portal-cdn.onelogin.com
web-login-v2-cdn.onelogin.com
North America domains
your_domain.onelogin.com
your_domain.admin.us.onelogin.com
your_domain.login.us.onelogin.com
admin.us.onelogin.com
dsl.us.onelogin.com
api.us.onelogin.com (new /1 API)
api.onelogin.com (legacy v1-v3 API)
smux.us.onelogin.com
certs.us.onelogin.com
radius.us.onelogin.com
radius2.us.onelogin.com
ldap.us.onelogin.com
pki-us.onelogin.com
desktop-us.onelogin.com
Backward-compatible North America domains
app.onelogin.com
certs.onelogin.com
cdn.onelogin.com (North American & European)
portal-cdn.onelogin.com (North American & European)
web-login-v2-cdn.onelogin.com (North American & European)
Europe domains
your_domain.onelogin.com
your_domain.admin.eu.onelogin.com
your_domain.login.eu.onelogin.com
admin.eu.onelogin.com
api.eu.onelogin.com (new /1 API)
api-eu.onelogin.com (legacy v1-v3 API)
smux.eu.onelogin.com
radius.eu.onelogin.com
radius2.eu.onelogin.com
ldap.eu.onelogin.com
Ports
Allow the following ports when server components or browsers contact OneLogin:
80 (TCP)
443 (TCP)
1812 (UDP)
443 (TCP)
636 (TCP)
88 (TCP/UDP)
464 (TCP/UDP)
53 (TCP/UDP)
IP addresses
Note: These are general IP allow lists that can be used for, but are not limited to, on-premises agents or Active Directory.
Install Active Directory on a domain-joined Windows server and open your firewall for outbound traffic to the addresses in the table below.
North America | 52.34.255.194/31, 52.34.255.196/30, 52.34.255.200/29, 52.34.255.208/28, 52.34.255.224/27, 18.216.23.64/26 (18.216.23.64 - 18.216.23.127), 52.24.165.42, 52.15.145.203, 13.52.4.72/29 (13.52.4.72 - 13.52.4.79), 23.183.112.0/24, 23.183.113.0/24 |
Europe | 52.29.255.192/26 (52.29.255.192 - 52.29.255.255), 52.48.63.0/26 (52.48.63.0 - 52.48.63.63), 18.130.91.64/29 (18.130.91.64 - 18.130.91.71), 23.183.112.0/24, 23.183.113.0/24 |
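One way to act on the instruction above to remove old ranges and add the new ones, shown as an added example that is not OneLogin's own tooling: a Python audit of an egress allow list against the ranges in the table. The sample rule list is constructed, and 203.0.113.0/24 is a documentation range standing in for a retired entry.

```python
import ipaddress

# Published ranges, copied from the North America and Europe rows of the table above.
PUBLISHED = {
    "North America": (
        "52.34.255.194/31 52.34.255.196/30 52.34.255.200/29 52.34.255.208/28 "
        "52.34.255.224/27 18.216.23.64/26 52.24.165.42 52.15.145.203 "
        "13.52.4.72/29 23.183.112.0/24 23.183.113.0/24"
    ),
    "Europe": (
        "52.29.255.192/26 52.48.63.0/26 18.130.91.64/29 "
        "23.183.112.0/24 23.183.113.0/24"
    ),
}

def audit(current_rules, region):
    """Compare an egress allow list with the published ranges for one region.
    Returns three lists of CIDR strings:
      stale     - rules that match no published range (remove them)
      too_broad - rules that reach a published range but also allow other addresses
      missing   - published ranges the current rules do not fully cover (add them)
    """
    published = [ipaddress.ip_network(t) for t in PUBLISHED[region].split()]
    current = [ipaddress.ip_network(r, strict=False) for r in current_rules]
    stale, too_broad = [], []
    for rule in current:
        if any(rule.subnet_of(p) for p in published):
            continue  # rule stays within a published range
        bucket = too_broad if any(rule.overlaps(p) for p in published) else stale
        bucket.append(str(rule))
    # Merge adjacent rules first so two /30s count as covering a published /29.
    merged = list(ipaddress.collapse_addresses(current))
    missing = [str(p) for p in published
               if not any(p.subnet_of(m) for m in merged)]
    return stale, too_broad, missing

# Constructed sample allow list (hypothetical firewall export, not from the page).
SAMPLE_RULES = [
    "203.0.113.0/24",    # documentation range standing in for a retired entry
    "52.34.255.192/26",  # rounded-up rule: also allows .192 and .193
    "18.216.23.64/26", "52.24.165.42", "52.15.145.203",
    "13.52.4.72/30", "13.52.4.76/30",  # two halves of the published /29
    "23.183.112.0/24",
]

if __name__ == "__main__":
    for label, items in zip(("stale", "too broad", "missing"),
                            audit(SAMPLE_RULES, "North America")):
        print(f"{label}: {', '.join(items) or 'none'}")
```

Rules reported as too broad still cover the published ranges, so they do not appear under missing; narrowing them to the published blocks keeps the allow list from admitting neighbouring addresses.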
NAS configuration | US OneLogin DB shard | EU OneLogin DB shard |
AAA/RADIUS primary server | radius.us.onelogin.com (52.34.255.206) | radius.eu.onelogin.com (35.156.138.255) |
AAA/RADIUS secondary server | radius2.us.onelogin.com (18.216.23.112) | radius2.eu.onelogin.com (54.246.141.64) |
Authentication scheme | PAP, EAP-TTLS/PAP, EAP-PEAP/MSCHAPv2 | |
RADIUS Port | UDP/1812 | |
Secret/key | Same as the shared secret entered on the OneLogin Radius configuration page |
TLS configuration
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
no-sslv3
no-tlsv10
no-tlsv11
OneLogin strongly advises all customers to update their allow list to ensure proper functionality of our solutions and reduce risk. Failure to do so may result in unexpected issues or reduced functionality.
Thank You,
One Identity
A Quest Software business
© 2024 ALL RIGHTS RESERVED.