Create OpenID Connect App
Log in to your OneLogin account and click on Administration at the top.
Navigate to Applications on the top menu. Click the Add App button:
On the Find Application page, search for openid. Select Openid Connect by OneLogin, Inc.
On the App Configuration page, name the app and select a logo:
From the Configuration tab, set the Redirect URIs to Pomerium's redirect URL (
Set the application type to Web and the token endpoint to be POST.
Under Token Timeout settings, set Refresh Token to 60 minutes (or whatever value makes sense for your organization). Note, however, that if you don't enable refresh tokens, the user will be prompted to authenticate whenever the access token expires, which results in a poor user experience.
Select Save to complete the application configuration.
OneLogin will not make your new application accessible to members of your organization automatically. You can assign access to individual users (as shown below).
Update your Pomerium configuration, either in the config file or through environment variables:

Config File:
  idp_client_id: 'REDACTED' # Your OneLogin application ID
  idp_client_secret: 'REDACTED' # Your OneLogin application secret

Environment Variables:
  IDP_CLIENT_ID="REDACTED" # Your OneLogin application ID
  IDP_CLIENT_SECRET="REDACTED" # Your OneLogin application secret
After reloading Pomerium, you should be able to see any login events from your OneLogin events dashboard.
A groups claim can be added to tokens returned from Okta by following the Okta documentation.
Now when users log in they will have a claim named groups that contains their groups, and the claim PPL criterion can be used for authorization:
- from: 'https://verify.localhost.pomerium.io'
- claim/groups: admin
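As an added illustration (not Pomerium's own code), here is a small Python stand-in for evaluating a `claim/<name>: <value>` criterion such as the `claim/groups: admin` rule above, against the claims a user receives at login. The sample claims, the helper names and the list-contains semantics for multi-valued claims are assumptions made for this example.

```python
import json

# Constructed sample: the claims Pomerium would see for a user after login.
# The "groups" claim is assumed to be list-valued, as most IdPs emit it.
SAMPLE_CLAIMS = json.loads("""
{
  "sub": "user-example",
  "email": "alice@example.com",
  "groups": ["engineering", "admin"]
}
""")

# The policy fragment from the page, expressed as a list of single-key rules.
POLICY = [{"claim/groups": "admin"}]


def claim_matches(claims: dict, criterion: str, expected) -> bool:
    """Evaluate one `claim/<name>: <value>` criterion (simplified, assumed semantics).

    - The criterion key is "claim/" followed by the claim name.
    - A claim the user never received (e.g. groups not configured at the IdP)
      never matches, so the rule fails closed.
    - A list-valued claim matches if any element equals the expected value.
    - A scalar claim matches on plain equality.
    """
    if not criterion.startswith("claim/"):
        raise ValueError(f"not a claim criterion: {criterion!r}")
    name = criterion[len("claim/"):]
    if name not in claims:
        return False
    value = claims[name]
    if isinstance(value, list):
        return expected in value
    return value == expected


def authorize(claims: dict, policy: list) -> bool:
    """Allow when any claim rule in the policy matches (OR across rules)."""
    return any(
        claim_matches(claims, key, expected)
        for rule in policy
        for key, expected in rule.items()
    )


if __name__ == "__main__":
    print("allowed" if authorize(SAMPLE_CLAIMS, POLICY) else "denied")
```

Running it prints `allowed` for the sample user; a user whose token lacks the groups claim entirely is denied, which is the situation the next section describes for OneLogin.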
Custom Claim (Open Source)
Unfortunately, OneLogin does not yet support getting groups data using a custom claim. Groups must be loaded by using a plugin to fetch directory information (see Enterprise's Directory Sync).
Directory Sync (Enterprise)
Create OneLogin Credentials
In order for Pomerium to validate group membership, we'll also need to configure API Credentials in OneLogin.
From the Administration dashboard, navigate to Developers → API Credentials and select New Credential.
Name the new credential and give it "Read users" access:
The group's ID is used to confirm a user's group membership.
Configure Pomerium Enterprise Console
Under Settings → Identity Providers, select "Onelogin" as the identity provider and set the Client ID and Client Secret.