Get started with OneLogin application requests
Before you begin
To complete this guide, you’ll need:
- ConductorOne Super Administrator or Connector Administrator role
- A OneLogin account
Estimated time: 10 minutes
Step 1: Integrate your OneLogin instance
Start by integrating your OneLogin instance with ConductorOne. Use the OneLogin connector to sync OneLogin to ConductorOne.
Once connected, ConductorOne ingests all of the users, apps, groups, and other entitlements and resources from OneLogin.
Step 2: Convert a OneLogin app to a managed app
Before managing access to a OneLogin app, you’ll need to begin managing it with ConductorOne.
Navigate to Applications and click the Unmanaged apps tab.
Find the application you want to enable for self-service or lifecycle management.
Click Manage.
Don’t stress. Converting an app from unmanaged to managed in ConductorOne does not change any configuration in the IdP.
Once an application is managed, you can enforce access controls, run user access reviews, and drive lifecycle management for the app.
Step 3: Configure the app entitlements (optional)
Every managed application in ConductorOne comes with a Credential resource. This “access entitlement” is used to manage account-level access to the application. In OneLogin, at a minimum, this means that the user is assigned to the OneLogin app.
Additionally, applications configured in OneLogin may use groups to provision roles and permissions to the connected application over SCIM. ConductorOne can easily convert these linked entitlements into resources and entitlements in your ConductorOne instance.
If groups are assigned to the application in OneLogin, you will see a Linked entitlements banner on the Setup and Entitlements tabs for the app. To convert these linked entitlements from OneLogin into in-app entitlements in the ConductorOne app:
Click the Configure button on the banner. The Configure linked entitlements drawer opens.
For each entitlement, select one of the following options:
- Skip: Do nothing with the linked entitlement.
- Link entitlement: Create a relationship between the entitlement in OneLogin and an existing entitlement in the app.
- Create role: Turn the entitlement into a new role in the ConductorOne app, and associate the OneLogin group with the Member entitlement.
Once you’ve decided what to do with each entitlement, click Save.
ConductorOne will now create the resources and entitlements in the managed app, and importantly, will set a binding for that entitlement to the OneLogin group (we’ll get to bindings later). For now, just know that this allows us to perform magic!
Step 4: Configure the app and entitlements for self service
Now we’ll configure the application and any entitlements we created in Step 3 so they’re ready for self-service requests.
Navigate to the app’s Setup tab.
In the Entitlement configuration rules section of the page, click Edit.
In the configuration rules pane, click the toggle to Enable configuration rules.
If you want to make the app itself requestable, click Credential in the selected resources.
If you want to make the roles or other entitlements you created in Step 3 requestable, select those resource types.
Use the Catalogs dropdown to select Everyone.
Finally, check the box at the bottom of the screen and click Apply.
Step 5: Request your OneLogin app and roles
Now we’re ready to give it a whirl!
In the navigation panel, open App directory and click Browse access.
Find the application you just created.
If you’ve made the application requestable, you’ll see a Request button on the app. If you’ve made individual roles or entitlements requestable, you’ll see those on the app.
Select the app or a role you want to request, and click Request.
Enter the justification and click Request.
Success!
The request will be auto-approved based on the policy, and access will be provisioned by assigning you to the application and the correct groups in OneLogin!