OneLogin Capabilities
Last updated: October 8, 2024
After this article...
You'll understand the capabilities our OneLogin integration provides, and how Lumos interacts with the OneLogin API.
View users
The mapping between OneLogin user statuses and Lumos user account statuses is below.
OneLogin User Status | OneLogin User State | Lumos Account Status |
Active (1) | Approved (1) | Active |
Password expired (4) | Approved (1) | Active |
Awaiting password reset (5) | Approved (1) | Active |
Suspended (2) | Any | Suspended |
Locked (3) | Any | Suspended |
Active (1), Password expired (4), or Awaiting password reset (5) | Anything but Approved (1) | Suspended |
Unknown | Any | Access created |
Deleted (OneLogin no longer returns a user) | N/A | Deprovisioned |
Anything else | Anything else | Discovered |
Reconciling Employment Status
If you're using OneLogin as your User Source (see Importing User Sources), Lumos sets the Employment Status value for a Lumos User from OneLogin using the following logic.
OneLogin User Status | Lumos User Employment Status |
Unactivated (0) | Inactive |
Active (1) | Active |
Suspended (2) | Suspended |
Locked (3) | Suspended |
Password expired (4) | Active |
Awaiting password reset (5) | Active |
Password Pending (7) | Staged |
Security questions required (8) | Staged |
deleted (OneLogin no longer returns a user) | Deprovisioned |
OneLogin API endpoint: https://developers.onelogin.com/api-docs/2/users/list-users (we use the status and state fields from the user)
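The two tables above are not a plain lookup: Suspended/Locked override the state, a login-capable status with a non-Approved state is treated as Suspended, and a user who simply stops appearing in the list-users response becomes Deprovisioned. The following is an added example (not Lumos or OneLogin code) that reconciles a list-users payload against the previous sync's snapshot using exactly that precedence. The user records are constructed; the treatment of a missing `status` field as the "Unknown" row is an assumption.

```python
# Added example (not Lumos or OneLogin code): reconcile a list-users response
# into the Lumos Account Status and Employment Status values tabulated above.
# The user records below are constructed; only `id`, `status` and `state` matter.
from typing import Optional

# OneLogin `status` values on a user object
UNACTIVATED, ACTIVE, SUSPENDED, LOCKED = 0, 1, 2, 3
PASSWORD_EXPIRED, AWAITING_PASSWORD_RESET = 4, 5
PASSWORD_PENDING, SECURITY_QUESTIONS_REQUIRED = 7, 8
# OneLogin `state` value meaning the account is approved for use
STATE_APPROVED = 1

# Statuses that can still sign in, provided the state is Approved
LOGIN_CAPABLE = {ACTIVE, PASSWORD_EXPIRED, AWAITING_PASSWORD_RESET}

EMPLOYMENT_BY_STATUS = {
    UNACTIVATED: "Inactive", ACTIVE: "Active", SUSPENDED: "Suspended",
    LOCKED: "Suspended", PASSWORD_EXPIRED: "Active",
    AWAITING_PASSWORD_RESET: "Active", PASSWORD_PENDING: "Staged",
    SECURITY_QUESTIONS_REQUIRED: "Staged",
}


def account_status(status: Optional[int], state: Optional[int]) -> str:
    """Account Status table; order of the checks encodes the precedence."""
    if status in (SUSPENDED, LOCKED):
        return "Suspended"          # state is ignored once OneLogin suspends/locks
    if status in LOGIN_CAPABLE:
        # A usable status whose state is not Approved (Unapproved, Rejected,
        # Unlicensed, ...) is Suspended, not Active.
        return "Active" if state == STATE_APPROVED else "Suspended"
    if status is None:
        return "Access created"     # assumption: "Unknown" == status missing
    return "Discovered"


def employment_status(status: Optional[int]) -> Optional[str]:
    """Employment Status table (status only); None when the table has no row."""
    return EMPLOYMENT_BY_STATUS.get(status)


def reconcile(previous: dict, users: list) -> dict:
    """previous: {user_id: account_status} from the last sync.
    users: the current list-users payload. Users known before but no longer
    returned are Deprovisioned (the "deleted" row of both tables)."""
    current = {}
    for u in users:
        current[u["id"]] = {
            "account": account_status(u.get("status"), u.get("state")),
            "employment": employment_status(u.get("status")),
        }
    for user_id in set(previous) - set(current):
        current[user_id] = {"account": "Deprovisioned",
                            "employment": "Deprovisioned"}
    return current


# Constructed sample: a previous snapshot and a fresh API response
PREVIOUS = {1: "Active", 2: "Active", 3: "Active", 4: "Discovered", 9: "Active"}
USERS = [
    {"id": 1, "status": ACTIVE, "state": STATE_APPROVED},
    {"id": 2, "status": PASSWORD_EXPIRED, "state": 3},   # state 3 = Unlicensed
    {"id": 3, "status": LOCKED, "state": STATE_APPROVED},
    {"id": 4, "status": PASSWORD_PENDING, "state": 0},
    {"id": 5, "state": STATE_APPROVED},                   # status missing
]

if __name__ == "__main__":
    for uid, fields in sorted(reconcile(PREVIOUS, USERS).items()):
        print(uid, fields)
```

User 2 is the case worth noticing: OneLogin still returns them with a login-capable status, but because the state is Unlicensed they land in Suspended, which is also what a Lumos downgrade produces.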
View last login
In Lumos, the Last Login value for a OneLogin user account represents the last time the user logged into OneLogin itself (not into an application through OneLogin).
OneLogin API endpoint: https://developers.onelogin.com/api-docs/1/users/get-users (we use the last_login on the user)
Downgrade a user
AppStore | Offboarding | Access Reviews | License Management |
N/A | β | β | β |
In Lumos, downgrading a OneLogin user changes their Account Status to Suspended after the next sync.
In OneLogin, this action changes the user's state to Unlicensed (3).
This action reclaims a license in OneLogin.
OneLogin API endpoint: https://developers.onelogin.com/api-docs/1/users/set-state (we change it to 3)
Suspend a user
AppStore | Offboarding | Access Reviews | License Management |
N/A | β | β | β |
In Lumos, suspending a OneLogin user marks their Account Status as "Suspended".
In OneLogin, this action logs the user out and locks their account, so any existing session is ended and the user can no longer sign in to OneLogin.
This action does not reclaim a license in OneLogin.
OneLogin API endpoints:
https://developers.onelogin.com/api-docs/1/users/log-user-out
https://developers.onelogin.com/api-docs/1/users/lock-user-account
Deprovision a user
AppStore | Offboarding | Access Reviews | License Management |
N/A | β | β | β |
In Lumos, deprovisioning a OneLogin user marks their Account Status as "Deprovisioned".
In OneLogin, this action permanently removes the user and their data from OneLogin.
This action reclaims a license in OneLogin.
OneLogin API endpoint: https://developers.onelogin.com/api-docs/2/users/delete-user
View managed application assignments and activity
Lumos surfaces all of the applications that you manage in OneLogin in the Apps tab and the users assigned to the application in the Accounts tab for that application.
For each account, Lumos shows the following info:
Account Status
The provisioning status of the user's account in the service provider, as reported by OneLogin.
OneLogin Provisioning State | Lumos Account Status |
Provisioned | Active |
Provisioned Pending Approval | Staged |
Deleted | Deprovisioned |
Disabled | Deprovisioned |
Unknown | Access Created |
N/A (OneLogin gives us no assignment data for the user + app, but did at one point) | Suspended |
Anything else | Discovered |
OneLogin API endpoint: https://developers.onelogin.com/api-docs/2/users/get-user-apps (this comes from the provisioning_state for the user's application assignment. We also add a query parameter of ignore_visibility=true to pull in all apps assigned to the user, regardless of portal visibility.)
Last Login
This represents the last time the user logged into the app via OneLogin.
OneLogin API endpoint: https://developers.onelogin.com/api-docs/1/events/event-resource (we use the latest USER_LOGGED_INTO_APP event)
Groups
These are the OneLogin Roles to which an employee is assigned that grant access to this app. If this value is blank, the user is directly assigned to the app.
OneLogin API endpoints:
https://developers.onelogin.com/api-docs/2/roles/list-roles (we query by app_id)
https://developers.onelogin.com/api-docs/2/roles/get-role-users
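The account fields above come from two different endpoints: the provisioning state of each assignment from get-user-apps, and the app-level Last Login from the newest USER_LOGGED_INTO_APP event. The following is an added example (not Lumos or OneLogin code) that builds both fields for one user, including the row where an assignment OneLogin reported at the last sync is no longer returned. The payloads are constructed; the `id` field on get-user-apps rows, the lower-case spelling of the provisioning states, and the numeric event type id used for USER_LOGGED_INTO_APP are assumptions to verify against your tenant.

```python
# Added example (not Lumos or OneLogin code): derive Account Status and Last
# Login for each of one user's app assignments from constructed payloads
# shaped like get-user-apps and the events resource.
from datetime import datetime
from typing import Optional

USER_LOGGED_INTO_APP = 8  # assumption: verify against OneLogin's event type list

# OneLogin Provisioning State -> Lumos Account Status (table above);
# assumption: compared case-insensitively
PROVISIONING_TO_STATUS = {
    "provisioned": "Active",
    "provisioned pending approval": "Staged",
    "deleted": "Deprovisioned",
    "disabled": "Deprovisioned",
    "unknown": "Access Created",
}


def assignment_status(provisioning_state: Optional[str]) -> str:
    """'Anything else' falls through to Discovered."""
    return PROVISIONING_TO_STATUS.get(str(provisioning_state).lower(), "Discovered")


def latest_app_logins(user_id: int, events: list) -> dict:
    """Newest USER_LOGGED_INTO_APP timestamp per app_id for this user."""
    latest = {}
    for e in events:
        if e.get("event_type_id") != USER_LOGGED_INTO_APP or e.get("user_id") != user_id:
            continue  # other event types (e.g. a OneLogin login) or other users
        ts = datetime.fromisoformat(e["created_at"].replace("Z", "+00:00"))
        app_id = e["app_id"]
        if app_id not in latest or ts > latest[app_id]:
            latest[app_id] = ts
    return latest


def reconcile_assignments(user_id: int, previous_app_ids, user_apps: list,
                          events: list) -> dict:
    """previous_app_ids: apps this user had an assignment for at the last sync.
    user_apps: get-user-apps payload (fetched with ignore_visibility=true).
    Returns {app_id: {"status": ..., "last_login": datetime | None}}."""
    last_login = latest_app_logins(user_id, events)
    result = {}
    for app in user_apps:
        app_id = app["id"]  # assumption: app id field name
        result[app_id] = {
            "status": assignment_status(app.get("provisioning_state")),
            "last_login": last_login.get(app_id),
        }
    for app_id in set(previous_app_ids) - set(result):
        # OneLogin returns no assignment now but did before: Suspended
        result[app_id] = {"status": "Suspended", "last_login": last_login.get(app_id)}
    return result


# Constructed sample data for user 7
USER_APPS = [
    {"id": 101, "provisioning_state": "provisioned"},
    {"id": 102, "provisioning_state": "provisioned pending approval"},
    {"id": 103, "provisioning_state": "disabled"},
    {"id": 104, "provisioning_state": "something new"},
]
PREVIOUS_APP_IDS = {101, 103, 105}   # 105 has since disappeared from the API
EVENTS = [
    {"event_type_id": 8, "user_id": 7, "app_id": 101, "created_at": "2024-09-30T08:00:00Z"},
    {"event_type_id": 8, "user_id": 7, "app_id": 101, "created_at": "2024-10-02T17:45:12Z"},
    {"event_type_id": 8, "user_id": 7, "app_id": 105, "created_at": "2024-09-01T12:00:00Z"},
    {"event_type_id": 8, "user_id": 8, "app_id": 102, "created_at": "2024-10-03T00:00:00Z"},
    {"event_type_id": 5, "user_id": 7, "app_id": None, "created_at": "2024-10-04T00:00:00Z"},
]

if __name__ == "__main__":
    for app_id, fields in sorted(reconcile_assignments(7, PREVIOUS_APP_IDS, USER_APPS, EVENTS).items()):
        print(app_id, fields)
```

Note that app 105 keeps its last login from before the assignment vanished; that is the signal an access reviewer would use to tell a stale assignment from one that was still in use.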
Assign users to managed applications and roles
AppStore | Offboarding | Access Reviews | License Management |
β | β | β | β |
Lumos can automatically assign users to applications or roles managed via OneLogin after they're approved.
A few notes on assignment:
Lumos cannot assign a user directly to an application, only to a OneLogin Role that provides access to an application. This is a OneLogin API limitation.
Lumos only allows you to assign users to roles that provide access to a single application. If a role provides access to multiple applications, the role assignment will not be attempted and the access request will be marked as failed in the Activity Log.
The table below documents the different scenarios where Lumos can assign a user to a OneLogin role.
Situation | Outcome | OneLogin API endpoint |
When someone is approved for access to a permission linked to a OneLogin role via the AppStore. | Lumos assigns the user to the OneLogin role. | |
Unassign users from managed applications and roles
AppStore | Offboarding | Access Reviews | License Management |
β | β | β | β * |
* Not available in Inactivity Workflows; see Inactivity Workflows 101.
Lumos can unassign users from OneLogin roles that provide access to applications.
The table below summarizes the different scenarios where users can be unassigned from OneLogin apps or roles in Lumos.
Situation | Outcome | OneLogin API endpoint |
When approved time-based access to a permission linked to a OneLogin role expires. | Lumos unassigns the user from the OneLogin role. | |
When you click Deactivate Account > Unassign User from App for user account(s) when viewing a single OneLogin app (not in an access review) | Lumos unassigns the user from any OneLogin roles that provide access to the app. Note: Lumos can only remove access to the app if it was provided via a OneLogin Role and only if the Role provides access to a single application. If any of these conditions are not met, the removal will fail. OneLogin's API does not allow unassignment of a user from an application unless the assignment is managed via roles. |
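Both the assignment and unassignment rules above reduce to checks on the role's app list: a role is usable only if it grants exactly one application, and access can be removed only if the user actually holds it through such a role. The following is an added example (not Lumos or OneLogin code) of that decision logic with the failure cases the text describes. The role objects are constructed and assume a list-roles-like shape with `apps` (app ids the role grants) and `users` (member user ids); that shape is an assumption.

```python
# Added example (not Lumos or OneLogin code): decide whether a role-based
# assign/unassign can be attempted, mirroring the conditions described above.
# Role objects are constructed; their `apps`/`users` fields are assumptions.


class RoleAccessError(Exception):
    """Raised when the request would be marked as failed in the Activity Log."""


def check_role_for_assignment(role: dict) -> int:
    """Assignment: the linked role must grant exactly one application.
    Returns the role id to pass to the role-users endpoint."""
    if len(role["apps"]) != 1:
        raise RoleAccessError(
            f"role '{role['name']}' grants {len(role['apps'])} apps; "
            "only roles providing access to a single application are assigned")
    return role["id"]


def roles_to_remove(roles: list, user_id: int, app_id: int) -> list:
    """Unassign from app: every role the user holds that grants the app.
    Fails when access is direct (no such role) or a granting role is multi-app."""
    granting = [r for r in roles if app_id in r["apps"] and user_id in r["users"]]
    if not granting:
        raise RoleAccessError(
            f"user {user_id} holds app {app_id} by direct assignment; "
            "the OneLogin API cannot unassign a direct app assignment")
    multi = [r["name"] for r in granting if len(r["apps"]) > 1]
    if multi:
        raise RoleAccessError(
            f"cannot remove app {app_id}: role(s) {', '.join(multi)} also grant other apps")
    return [r["id"] for r in granting]


def attempt(fn, *args) -> dict:
    """Run a decision and return what the Activity Log would record."""
    try:
        return {"outcome": "ok", "result": fn(*args)}
    except RoleAccessError as err:
        return {"outcome": "failed", "reason": str(err)}


# Constructed sample roles (user 7 is in CRM Users, CRM Admins and Engineering)
ROLES = [
    {"id": 1, "name": "CRM Users", "apps": [101], "users": [7, 8]},
    {"id": 2, "name": "CRM Admins", "apps": [101], "users": [7]},
    {"id": 3, "name": "Engineering", "apps": [102, 103], "users": [7]},
    {"id": 4, "name": "Finance", "apps": [104], "users": [8]},
]

if __name__ == "__main__":
    print(attempt(check_role_for_assignment, ROLES[0]))   # ok, role 1
    print(attempt(check_role_for_assignment, ROLES[2]))   # failed: multi-app role
    print(attempt(roles_to_remove, ROLES, 7, 101))        # ok, roles [1, 2]
    print(attempt(roles_to_remove, ROLES, 7, 102))        # failed: Engineering is multi-app
    print(attempt(roles_to_remove, ROLES, 7, 104))        # failed: no granting role
```

The unassign path deliberately removes the user from every single-app role granting the app (both CRM roles here); leaving one in place would keep the app reachable, which is the failure a reviewer cares about.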