This document explains how to configure and manage User Policies.
User policies allow you to apply security restrictions and protocols to individual users or to Groups. User policies offer admins nuanced authentication configurations to provide the appropriate security requirements for your organization.
OneLogin user policies allow you to configure controls on the features listed below, and more.
Go to Security > Policies.
On the Policies page, you can add a New User Policy, a New App Policy, or select an existing policy to edit.
There are seven sections that control each of the security settings and restrictions: Login Flow, Sign In, Password, Session, MFA, IP Addresses, and Customization.
Smart Flows allow you to define and customize specific login flows on a user policy, based on your organization's security and end-user requirements.
Note: Contact your account manager to enable Smart Flows. You must be on the SmartFactor Authentication plan to use this feature.
Standard (ID/Password/MFA): The typical authentication flow deployed by many orgs.
Brute-Force Defense (ID/MFA/Password): Select this authentication flow to protect your org from bad actors who try to access your org's resources by exhausting all possible password combinations. Because the MFA step comes before the password is checked, this flow also helps prevent account lockouts if your org authenticates against Active Directory.
Passwordless (ID/MFA): This passwordless authentication flow is a user-friendly approach that requires only a username and an authentication factor. One of the key benefits of this flow is the ability to use WebAuthn and OneLogin Protect.
Certificates can be used but aren't required for the Passwordless and Brute-Force Defense flows. A user policy can't switch between flows dynamically: a user is subject to the single flow defined in their user policy.
To learn more about Smart Flows, see Smart Flows.
The Sign In tab provides options for the sign-in flow and includes granular controls for passwords.
Terms and Conditions
If checked, a box appears where you can enter your Terms and Conditions. A user must agree to these prior to their initial login.
If checked, the major social networks appear as options. However, this feature is deprecated if you have multi-step login enabled: all accounts will use multi-step login starting December 31, 2019. In order to allow users to sign in with their social credentials, you must configure a Trusted IdP. For more information, see Trusted IdP (Relying Party Trust).
Note: If you enable social sign-in, MFA will be disabled for users using social credentials. If you decide to disable one of the social networks, all users using that provider can't sign in and must create a new OneLogin password.
Apply MFA policy requirement when logging into laptop and desktop devices - When users log in via OneLogin Desktop, this option prompts them for MFA.
Don’t require browser login for trusted devices - This option uses the OneLogin Desktop certificate as a primary factor and allows users to enjoy a passwordless login into the portal.
Note: If your instance uses the multi-step login flow and OTP Auth Required is checked in the One-time passwords section of the MFA tab, end users are still required to complete MFA verification even if this option is checked.
When checked, users can download browser extensions from their Profile page and can add apps to their personal apps or company apps list from their portal or from the browser extension's app drop-down. For more information, see OneLogin Browser Extensions and Adding Apps using the Browser Extension for Chrome.
Enables security questions as an authentication factor for your users. For more information, see Security Questions.
Auto suspend inactive users
This option automatically suspends users who haven't used the system for 90 days, including users that received an invitation to join but never logged in. When a user is suspended, an event is logged that provides detailed notes.
Note: If an admin reactivates the user after suspension, they must log in within 24 hours or the user state returns to suspended.
As an additional layer of security, admins can select specific MFA factors for end-user password resets.
These options define the following:
Maximum password age: the amount of time that a user's password remains valid before it must be changed (and can't be reused).
Enforced password history: the number of unique new passwords that must be associated with a user account before an old password can be reused.
Minimum length: current NIST recommendations encourage longer passphrases.
Complexity: the required mix of numbers, letters, and/or special characters.
Note: If you use an LDAP directory, Active Directory, or Google Apps (G Suite) directory with OneLogin and that directory doesn't allow password expiration, your third-party directory will respect OneLogin's policy-based password expiration settings.
The Dynamic Password Blacklist allows admins to block the values of selected user-profile attributes from appearing in passwords. For example, if you blacklist the email attribute, a user can't use their email address as part of their password. The check is enforced when a user resets their password; it isn't applied retroactively to existing passwords.
Note: SmartFactor package is required.
To select the password attributes to blacklist, click in the white box to open the drop-down menu.
The attributes you can blacklist on a user policy are: First Name, Last Name, Email name part, Email domain part, AD user name (samAccountName), AD ID, Ldap Uid, Internal ID, OneLogin ID, Distinguished Name, Company, and any custom attribute.
Enforce account password blacklist
As an account owner, you can create a Password Blacklist. This list is used to block keywords and strings to prevent weak user passwords. The Password Blacklist improves password security and decreases the risk of company security breaches. You must have multi-step login enabled.
To enable the Password Blacklist, go to Settings > Account Settings > Login tab, enter desired strings, and click Add Keyword.
Enforce compromised credential check
When enabled, this verifies that the user name and password combination isn't included in the list of known compromised credentials. The list is dynamic and continuously updated with the latest known compromised credentials. The check is enforced when the user attempts to change their password or clicks Forgot Password; it doesn't proactively audit the passwords your org currently uses.
Enforce compromised password check
When enabled, this verifies only that the password isn't included in the list of known compromised passwords; it doesn't check the user name and password combination.
Note: You must be on a plan that includes SmartFactor to use the Compromised Credentials and Compromised Password checks. Contact your account manager if you're interested in the SmartFactor plan.
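The Password tab options above (maximum age, password history, minimum length, complexity mix, the Dynamic Password Blacklist of profile attributes, the account-level Password Blacklist of keywords, and the compromised-password check) can be read as one validation pipeline. The following is an added example written for this page, not OneLogin's code: the thresholds, the attribute names `first_name`, `last_name`, `email_name_part` and `email_domain_part`, the keyword list and the "compromised" entries are all constructed for illustration, and the functions `check_password` and `password_expired` are hypothetical.

```python
"""Password-policy checks modelled on the Password tab options described above.
Added example, not OneLogin code; every threshold, attribute name and list entry
is constructed for illustration."""
import hashlib
import re
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class PasswordPolicy:
    min_length: int = 12                     # constructed threshold
    max_age_days: int = 90                   # constructed threshold
    history_size: int = 5                    # previous passwords that may not be reused
    require_mix: bool = True                 # letters, digits and special characters
    # Dynamic Password Blacklist: profile attributes whose values may not appear in a password.
    blacklist_attributes: tuple = ("first_name", "last_name", "email_name_part", "email_domain_part")
    # Account-level Password Blacklist keywords (constructed).
    account_blacklist: tuple = ("companyname", "welcome", "spring2024")
    compromised_password_check: bool = True


def sha1_hex(secret: str) -> str:
    """Digest used for history and compromised-list comparisons (demo only; a real
    credential store would use a salted, slow password hash instead)."""
    return hashlib.sha1(secret.encode()).hexdigest()


# Constructed stand-in for a continuously updated compromised-password list.
COMPROMISED_SHA1 = {sha1_hex(p) for p in ("Password123!", "Summer2023!", "Qwerty!2345")}


def profile_values(user: dict) -> dict:
    """Attribute values the dynamic blacklist matches against; the email 'name part'
    and 'domain part' mirror the attribute names listed above."""
    local, _, domain = user.get("email", "").partition("@")
    return {
        "first_name": user.get("first_name", ""),
        "last_name": user.get("last_name", ""),
        "email_name_part": local,
        "email_domain_part": domain,
    }


def check_password(candidate: str, user: dict, history_sha1: list, policy: PasswordPolicy) -> list:
    """Return the list of violated rules; an empty list means the password is acceptable.
    history_sha1 holds sha1_hex digests of earlier passwords, oldest first."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append("too short")
    has_mix = (re.search(r"[A-Za-z]", candidate) and re.search(r"\d", candidate)
               and re.search(r"[^A-Za-z0-9]", candidate))
    if policy.require_mix and not has_mix:
        problems.append("missing letter/digit/special mix")
    lowered = candidate.lower()
    values = profile_values(user)
    for attr in policy.blacklist_attributes:
        value = values.get(attr, "")
        # Assumption: values shorter than 3 characters are skipped so that a single
        # letter in a name does not block almost every password.
        if len(value) >= 3 and value.lower() in lowered:
            problems.append(f"contains profile attribute {attr}")
    for word in policy.account_blacklist:
        if word.lower() in lowered:
            problems.append(f"contains blacklisted keyword {word!r}")
    digest = sha1_hex(candidate)
    if policy.history_size and digest in history_sha1[-policy.history_size:]:
        problems.append("reused from password history")
    if policy.compromised_password_check and digest in COMPROMISED_SHA1:
        problems.append("appears in compromised-password list")
    return problems


def password_expired(last_changed: str, today: str, policy: PasswordPolicy) -> bool:
    """Maximum password age, with both dates given as ISO strings (YYYY-MM-DD)."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age > timedelta(days=policy.max_age_days)
```

Calling `check_password("TanakaRocks!2024x", {"last_name": "Tanaka", ...}, [], PasswordPolicy())` reports the profile-attribute match, which is the behaviour the Dynamic Password Blacklist enforces at reset time; because the check only runs when a new password is submitted, nothing here audits passwords that were set earlier, matching the non-retroactive note above.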
Password Reset Redirect
Users will be redirected to this URL when they initiate password reset.
Note: For orgs on Multi-step Login, https://subdomain.onelogin.com/login2#action=password_reset is the direct link to Password Reset. This allows admins to provide a URL that sends the end user straight to the Forgot Password page.
The Account Recovery tab allows admins to define user actions involving various types of account management.
Allow users to update their directory password
Users on this policy can update their password in OneLogin. This provides a Forgot Password link on their login page. You can decide which password update options to offer users on this policy, such as Email or another registered authentication factor.
Note: Disable this option if you want your users to use their third-party directory (Active Directory, LDAP, G Suite) password for OneLogin authentication and you want them to update passwords using the third-party directory password-update tools.
This option determines which invitation users receive. See Inviting Users for more information.
If you choose to Allow user to reset password via email, you have the option to Show an email address hint in the password reset flow. This can be helpful for users who don't log in very often or have multiple email addresses.
The hint is an obfuscated email address, for example Lee.firstname.lastname@example.org is displayed as L******@****o.com. To prevent malicious actors from verifying the existence of an email address or username, OneLogin will display a random obfuscated email address for non-existent users.
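The two behaviours described above, a masked hint for a real address and a random-looking hint for a username that doesn't exist, are the core of an enumeration-resistant reset flow. The block below is an added example written for this page, not OneLogin's code. The mask shape (first character of the local part kept, last character of the domain label before the top-level domain kept, everything else replaced with asterisks) is inferred from the `L******@****o.com` example above; the `USERS` directory, the `SERVER_SECRET`, and the HMAC-based way of making fake hints stable are constructed design choices for the example.

```python
"""Obfuscated e-mail hint for the password-reset flow, plus a stable but
random-looking hint for unknown usernames. Added example, not OneLogin code."""
import hashlib
import hmac

# Constructed directory stand-in: username -> registered e-mail address.
USERS = {"lee": "Lee.Tanaka@example.org"}
# Constructed server-side secret; in practice it would be managed like any other key.
SERVER_SECRET = b"constructed-secret-value"


def mask_email(address: str) -> str:
    """Obfuscate a real address, e.g. Lee.Tanaka@example.org -> L*********@******e.org."""
    local, at, domain = address.partition("@")
    if not at or not local or not domain:
        raise ValueError("not an e-mail address")
    label, dot, tld = domain.rpartition(".")
    if dot:
        masked_domain = "*" * (len(label) - 1) + label[-1] + dot + tld
    else:  # domain without a dot: mask all but the last character
        masked_domain = "*" * (len(domain) - 1) + domain[-1]
    return local[0] + "*" * (len(local) - 1) + "@" + masked_domain


def fake_hint(username: str) -> str:
    """Build a plausible masked address for an unknown username. Deriving the lengths
    and letters from an HMAC over the username means repeated requests get the same
    answer, so a requester can't separate real hints from fake ones by comparing
    responses, while different usernames still get different-looking hints."""
    digest = hmac.new(SERVER_SECRET, username.lower().encode(), hashlib.sha256).digest()
    local_len = 4 + digest[0] % 9            # 4..12 characters in the local part
    label_len = 3 + digest[1] % 8            # 3..10 characters in the domain label
    last_char = chr(ord("a") + digest[2] % 26)
    tld = ("com", "org", "net")[digest[3] % 3]
    first = username[0] if username else "u"
    return first + "*" * (local_len - 1) + "@" + "*" * (label_len - 1) + last_char + "." + tld


def reset_hint(username: str) -> str:
    """What the reset flow shows: a real hint for a known user, a fake one otherwise."""
    address = USERS.get(username.lower())
    return mask_email(address) if address else fake_hint(username)
```

The point of `fake_hint` being deterministic is that an observer who requests a reset for the same unknown username twice sees the same hint both times, exactly as they would for a real account, so the response shape gives away nothing about whether the account exists.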
Allow users to unlock their accounts
Enable users to manually unlock their account, with or without a password reset, if it's been locked. This feature is compatible with orgs that use OneLogin as a directory or Active Directory.
Note: For orgs on Multi-step Login, onelogin.com/login2#action=unlock_account is the direct link to Account Unlock. The user must be on a user policy that allows account unlock.
The end user can choose from the two options pictured in the screenshot below.
You can require users to complete reCAPTCHA before they update their passwords or unlock their account. This feature increases your org's security by blocking bot attacks.
Select OTP factors available to reset password
Add MFA requirements for password reset requests.
The Session tab contains the controls for session login, lockout, and inactivity behavior.
Maximum invalid login attempts: Defines the number of times a user can enter incorrect login credentials before they're locked out of their account.
Lock effective period: Defines how long a user's lockout lasts.
Note: If you integrate OneLogin with Active Directory as your user store, and your Active Directory configuration has no lockout duration setting, or a shorter one, then OneLogin unlocks the user in Active Directory the first time the user attempts a login after the end of the lockout period set here.
Note: The Timeout settings imply that the user session expires based on the values defined.
Fixed Time: Define a specific duration, in minutes or hours, for which a user session is valid. 0 means the user session won't time out based on elapsed time.
Inactivity: Define the number of minutes or hours of inactivity after which a user session ends. For example, if 45 Minutes is entered, the user session is terminated if the user is inactive for 45 minutes. 0 means a session won't be terminated based on inactivity.
Keep me signed in: OneLogin session persists after the browser closes. If you enable this setting, the option appears on the login screen for all users, but only works for users assigned to this policy. If you want to enable this setting, we recommend that you enable it for all users.
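The lockout and timeout settings above interact in ways that are easiest to see in code. The block below is an added example written for this page, not OneLogin's code: it models the invalid-attempt counter, the lock period, and the Fixed Time and Inactivity timeouts with 0 meaning "disabled", as the text describes. The thresholds are constructed, time is expressed in minutes so the sequences are easy to follow, and the assumption that the lock is applied when the failure count reaches the maximum is the example's own.

```python
"""Session-tab behaviour in code: Maximum invalid login attempts, Lock effective
period, and the Fixed Time and Inactivity timeouts. Added example, not OneLogin
code; thresholds are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class SessionPolicy:
    max_invalid_attempts: int = 5        # constructed
    lock_period_min: int = 15            # Lock effective period, constructed
    fixed_timeout_min: int = 480         # Fixed Time; 0 means no fixed limit
    inactivity_timeout_min: int = 45     # Inactivity; 0 means no inactivity limit


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until_min: Optional[float] = None   # None when the account is not locked


def record_login_attempt(state: AccountState, policy: SessionPolicy,
                         credentials_ok: bool, now_min: float) -> str:
    """Apply one login attempt and return 'locked', 'failed' or 'ok'.
    Assumption: the lock is applied when the failure count reaches the maximum."""
    if state.locked_until_min is not None:
        if now_min < state.locked_until_min:
            return "locked"          # even a correct password is rejected during the lock
        # First attempt after the lock period: the lock clears (this is also the point
        # at which, per the note above, OneLogin unlocks a user in Active Directory).
        state.locked_until_min = None
        state.failed_attempts = 0
    if credentials_ok:
        state.failed_attempts = 0
        return "ok"
    state.failed_attempts += 1
    if state.failed_attempts >= policy.max_invalid_attempts:
        state.locked_until_min = now_min + policy.lock_period_min
        return "locked"
    return "failed"


def session_expired(policy: SessionPolicy, started_min: float,
                    last_active_min: float, now_min: float) -> bool:
    """True when either timeout has elapsed; a value of 0 disables that timeout."""
    if policy.fixed_timeout_min and now_min - started_min >= policy.fixed_timeout_min:
        return True
    if policy.inactivity_timeout_min and now_min - last_active_min >= policy.inactivity_timeout_min:
        return True
    return False
```

Note that a correct password submitted during the lock period is still rejected: the lock protects against guessing, so it cannot be cleared by guessing right. The failure counter only resets once the lock period has elapsed or a login succeeds.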
The MFA tab includes settings for any Multi-Factor Authentication associated with the policy.
See below for a video summary of OneLogin's Smart MFA feature.
Suppress if risk is equal to or lesser than risk level - This option, for orgs that upgrade to SmartFactor Authentication, allows you to reject login attempts based on the risk level of the user.
New Users: If a new user is on a User Policy with Smart Access Deny set to High, they can log in for the first time. This is only true if the user's risk profile matches that of the typical new user. This allows the risk engine to learn the user's login behavior.
Note: While these labels may imply risk, OneLogin's baseline security always protects our customers.
Smart Access scores the risk of each login attempt with Vigilance AI (our machine learning risk engine). With this setting enabled, you can deny access to users who attempt to authenticate with a risk score that is equal to or lesser than the defined risk level.
Our Vigilance service learns behaviors when your account is Smart MFA enabled. Once this is enabled, risk data appears in the Event Viewer. The score is always recorded, even if it's disabled in the policy. We won't suppress MFA unless it's enabled in the policy. This only applies to accounts using multi-step login and subscribed to our SmartFactor Authentication Plan.
Minimal: Minimal risk tolerance, provides your organization with robust security by prompting your users for MFA in most circumstances.
Low: Low risk tolerance, extremely strict security standards. MFA is more than likely required when users log in.
Medium: Medium risk tolerance, but strict security standards. Your org accepts a medium risk level when users log in. MFA prompts decrease when a user exhibits predictable and secure behavior, such as logging in from the same location every day at the same time.
High: Somewhat strict security standards that favor user experience. Orgs accept a somewhat higher level of risk in exchange for an easier user experience. Doesn't usually require MFA, but presents MFA challenges at appropriate times, such as unusual login locations.
Require Trusted Device
Device Trust Check: Provides admins with the ability to prompt for a user certificate, but doesn't require a certificate to log in. If the user is prompted and doesn't submit a certificate, the user can still log in. This field gives the end user the opportunity to submit a PKI or third-party certificate.
If you select Device Trust Check and MFA Bypass for Trusted Devices, then a user on a single policy is prompted for MFA on personal devices, but isn't challenged on corporate devices.
Note: Contact your account manager to enable this feature.
Device Trust Required: Users (including admins) can only sign in to OneLogin if a PKI certificate is installed on their device. If your own device has no certificate, you may be locked out and need to call OneLogin support.
Allow Self-installation: Allows the user to install the PKI certificates. Once installed, the user's account is only accessible from a browser with that certificate installed. Note: Legacy PKI certs are still valid.
Restriction: PKI certs can't be used as MFA to access the OneLogin Portal app.
The user must provide credentials and complete MFA to successfully download the certificate. Once the user completes those steps, they can install the cert on to the device.
Certificate expires in: Defines the duration until the PKI certificate expires.
Note: Users are required to re-open the browser after the certificate is installed.
OTP Auth Required: When checked, requires multi-factor authentication for users to log in. This setting requires you to add one or more MFA methods to your account.
Phone number for SMS
When checked, allows a user to update their phone number through their profile page.
MFA Device Registration
Choose whether a user must register a device, whether registration is optional, or whether they aren't prompted at all. This option allows admins to roll out MFA gradually across a larger organization by choosing optional registration at first and switching to mandatory enrollment once ready.
OTP bypassed for the following IP addresses: Login attempts from the listed IP addresses bypass the OTP login requirement. Use spaces to separate multiple IP addresses. You can enter ranges in the format x.x.x.x-x.y.z.w.
OTP required for: Defines the OTP requirement for Administrators only, All users, or Configured users only. For Configured users only, OTP is required if the user is specifically configured for OTP. If this option is selected, and the user isn't configured for OTP, then OTP will not be required.
OTP required at: Defines whether OTP is required for every login or the first login from an unknown browser.
Security cookie expiration (days): Defines the duration of the security cookie before the user's OTP credentials must be refreshed.
Note: A user's browser must accept cookies from the OneLogin domain for their login to be remembered. If OneLogin can't identify their cookies, the user is prompted to complete multi-factor authentication.
MFA Bypass for Trusted Devices
Enable end users to bypass MFA if they use a trusted device. When end users authenticate with a trusted certificate (OneLogin PKI, 3rd Party Cert, OneLogin Desktop), they aren't prompted for MFA.
The chart below details expected behavior based on Cert, MFA, and Bypass permutations. [Chart not reproduced; its outcome cells read, in order: Prompt for MFA, Cert Check Only, Prompt for MFA, Cert Check Only, Prompt for MFA, Prompt for MFA.]
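Because the chart itself isn't reproduced here, the following added example (written for this page, not OneLogin's code) encodes the outcomes that the surrounding text does state: Device Trust Required denies sign-in without a certificate, a trusted certificate with MFA Bypass for Trusted Devices results in a certificate check only, and OTP Auth Required otherwise produces an MFA prompt. The `MfaPolicy` fields, the `"off"`/`"check"`/`"required"` values and the `login_outcome` and `permutation_table` functions are hypothetical names chosen for the example; treat the generated table as an illustration of the prose rather than the product's exact matrix.

```python
"""Decision logic for the Cert / MFA / Bypass combinations described above.
Added example, not OneLogin code; the mapping follows the prose on this page."""
from dataclasses import dataclass


@dataclass(frozen=True)
class MfaPolicy:
    device_trust: str = "off"          # "off", "check" (Device Trust Check) or "required" (Device Trust Required)
    otp_required: bool = True          # OTP Auth Required
    mfa_bypass_trusted: bool = False   # MFA Bypass for Trusted Devices


def login_outcome(policy: MfaPolicy, cert_presented: bool) -> str:
    """Return the behaviour for one login: 'Denied', 'Cert Check Only',
    'Prompt for MFA' or 'No Challenge'."""
    if policy.device_trust not in ("off", "check", "required"):
        raise ValueError(f"unknown device_trust setting {policy.device_trust!r}")
    if policy.device_trust == "required" and not cert_presented:
        # Device Trust Required: sign-in only with a PKI certificate on the device.
        return "Denied"
    if policy.device_trust != "off" and cert_presented and policy.mfa_bypass_trusted:
        # Trusted certificate plus MFA Bypass for Trusted Devices: no MFA prompt.
        # (A certificate is only collected when a device-trust setting is on, so
        # 'off' never reaches this branch; that is the example's assumption.)
        return "Cert Check Only"
    if policy.otp_required:
        return "Prompt for MFA"
    return "No Challenge"


def permutation_table() -> list:
    """Enumerate every device-trust / bypass / certificate combination with OTP
    required, so an admin can review the resulting behaviour before changing a policy."""
    rows = []
    for trust in ("off", "check", "required"):
        for bypass in (False, True):
            for cert in (False, True):
                policy = MfaPolicy(device_trust=trust, otp_required=True, mfa_bypass_trusted=bypass)
                rows.append((trust, bypass, cert, login_outcome(policy, cert)))
    return rows


if __name__ == "__main__":
    for trust, bypass, cert, outcome in permutation_table():
        print(f"device_trust={trust:<8} bypass={bypass!s:<5} cert={cert!s:<5} -> {outcome}")
```

The `"check"` plus bypass rows reproduce the statement above that a user on a single policy is prompted for MFA on a personal device (no certificate) but not on a corporate one (certificate present).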
When enabled, Smart MFA either prompts or skips MFA depending on the risk level of the user. It prompts a user for MFA if they are exhibiting riskier behavior than usual, like trying to log in from Canada one minute, then Japan the next. If they are exhibiting normal behavior, for example, logging in from the same location at 8am each morning, Smart MFA allows the user to skip MFA.
Select the acceptable risk level:
Low: Low tolerance of risk, extremely strict security standards. MFA is more than likely required with each user login.
Medium: Medium tolerance of risk, but strict security standards. Willing to accept a medium level of risk. MFA prompts decrease when a user exhibits predictable and secure behavior, such as logging in from the same location every day at the same time.
High: Somewhat strict security standards, while favoring user experience. Willing to accept a somewhat higher level of risk in exchange for an easier user experience. Does not usually require MFA, but will present an MFA challenge at appropriate times, such as unusual login locations.
For users on policies that use Smart Access or Smart MFA, every login-related event records the risk reason and the Authentication method used.
The screenshot below shows a login event for a user on a policy with Risk Level set to low. Because the risk level for the login attempt was calculated as medium, the user was challenged for a second authentication factor.
You can view these events in either of the following ways:
Go to Users > Users, select a user, and go to the MFA tab.
Select a login event and view the event details.
Go to Activity > Events, select a login event, and view the event details.
The IP Addresses tab lets you enter a whitelist of IP addresses. Any login attempts from IP addresses not on this list are denied.
Note: This IP whitelist applies to all logins, in contrast to the OTP bypassed for the following IP addresses option on the MFA tab, which only exempts users from providing secondary authentication factors when they log in from a listed address. Use spaces to separate multiple IP addresses. You can enter ranges in the format x.x.x.x-x.x.x.y.
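Both the OTP bypass list on the MFA tab and the whitelist on the IP Addresses tab use the same space-separated format with `x.x.x.x-x.x.x.y` ranges, but they have different effects: one waives the second factor, the other denies the login. The block below is an added example written for this page, not OneLogin's code; it parses that format with Python's standard `ipaddress` module and combines the two lists the way the note above describes. The functions `parse_ip_list`, `ip_listed`, `ip_list_valid` and `evaluate_login` are hypothetical names, the sample addresses are documentation ranges, and the assumption that an empty whitelist imposes no restriction is the example's own.

```python
"""Parser and matcher for the space-separated IPv4 lists used on the MFA tab (OTP
bypass) and the IP Addresses tab (login whitelist). Added example, not OneLogin code."""
import ipaddress


def parse_ip_list(text: str) -> list:
    """Return a list of (low, high) IPv4Address pairs; a single address is a range of one.
    Raises ValueError for a malformed address or a range that ends before it starts."""
    entries = []
    for token in text.split():
        low_text, _, high_text = token.partition("-")
        low = ipaddress.IPv4Address(low_text)
        high = ipaddress.IPv4Address(high_text) if high_text else low
        if high < low:
            raise ValueError(f"range {token!r} ends before it starts")
        entries.append((low, high))
    return entries


def ip_list_valid(text: str) -> bool:
    """Validation an admin UI would run before saving the setting."""
    try:
        parse_ip_list(text)
        return True
    except ValueError:          # ipaddress.AddressValueError is a ValueError subclass
        return False


def ip_listed(address: str, entries: list) -> bool:
    """True when the client address falls inside any parsed entry."""
    ip = ipaddress.IPv4Address(address)
    return any(low <= ip <= high for low, high in entries)


def evaluate_login(client_ip: str, login_whitelist: str, otp_bypass_list: str,
                   otp_required: bool) -> str:
    """Combine the two lists: the IP Addresses tab whitelist denies logins outright,
    while the MFA tab list only waives the OTP prompt.
    Assumption: an empty whitelist means no IP restriction at all."""
    if login_whitelist.strip() and not ip_listed(client_ip, parse_ip_list(login_whitelist)):
        return "denied"
    if otp_required and not ip_listed(client_ip, parse_ip_list(otp_bypass_list)):
        return "allowed, MFA required"
    return "allowed, no MFA"
```

A bypass entry for an address that is not also in the whitelist never matters, because the whitelist check runs first and denies the login before the MFA decision is reached.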
Every OneLogin account arrives with a single user policy already created: the Default policy. This policy will be applied to all users in the account unless they are given a different policy individually or through a group policy assignment. There must always be a policy assigned as the default and it cannot be deleted.
To change the default policy:
Go to Security > Policies.
Select a policy that you want to set as the default policy.
Under the dropdown More Options, click Set as default policy.
The policy is now the default policy.
You can assign a policy to users in two ways:
To manually add a policy to a user:
Go to Users > Users and select a user.
On the Authentication tab, select an existing policy in the User Security Policy drop-down menu.
The policies will be listed by name. Selecting a policy here will override any group policy currently applied to the user. If no policy is selected, OneLogin will automatically apply the account default policy to the user. Click Save User.