OneLogin Integration
Connect IronWiFi to OneLogin to authenticate WiFi users with their OneLogin credentials. This integration enables SAML single sign-on for captive portals and RADIUS authentication for WPA-Enterprise networks.
Features
- SAML Single Sign-On - Enterprise SSO for captive portals
- User Synchronization - Import users from OneLogin
- Group Synchronization - Sync roles and groups
- RADIUS Authentication - WPA-Enterprise with OneLogin credentials
- Auto-provisioning - Create users on first login
Prerequisites
- OneLogin administrator account
- IronWiFi account with Connector access
- OneLogin plan that supports SAML (Professional or Enterprise)
SAML Single Sign-On Setup
Step 1: Create OneLogin Application
- Log into OneLogin Admin Portal
- Navigate to Applications > Applications
- Click Add App
- Search for "SAML Test Connector (IdP w/ attr)" or "SAML Custom Connector (Advanced)"
- Click on the connector
- Click Save
Step 2: Configure Application Details
- In the Configuration tab
- Set Display Name: IronWiFi
- Add Icon (optional)
- Click Save
Step 3: Configure SAML Settings
Navigate to the Configuration tab and enter:
| Field | Value |
|---|---|
| Audience (EntityID) | |
| Recipient | |
| ACS (Consumer) URL | |
| ACS (Consumer) URL Validator | |
Step 4: Configure Parameters (Attributes)
In the Parameters tab, add custom attributes:
| Field Name | Flags | Value |
|---|---|---|
| | Include in SAML assertion | |
| firstName | Include in SAML assertion | First Name |
| lastName | Include in SAML assertion | Last Name |
Step 5: Download SAML Metadata
- Navigate to the SSO tab
- Note these values:
- Issuer URL (Entity ID)
- SAML 2.0 Endpoint (HTTP) (SSO URL)
- Download the X.509 Certificate
Alternative: Download the full metadata file
- Copy the Issuer URL
- Append /metadata to the URL
- Download the XML metadata file
Step 6: Configure IronWiFi
- Navigate to Connectors > Add Connector
- Select OneLogin (SAML)
- Choose upload method:
- Upload Metadata File: Upload the XML file
- Manual Configuration: Enter details manually:
- IdP Entity ID: {Issuer URL}
- IdP SSO URL: {SAML 2.0 Endpoint}
- Certificate: Paste the X.509 certificate
- Click Save
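The three values that Steps 5 and 6 move between the two consoles can be read straight from the downloaded metadata file. The following is an added example, not IronWiFi or OneLogin code: it extracts the Entity ID, SSO URL and certificate, rebuilds the certificate as clean PEM, and computes a SHA-256 fingerprint to compare against the certificate shown in the IdP console. The function name, the choice of the HTTP-Redirect binding, the example.com URLs and the placeholder certificate bytes are assumptions made for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: placeholder host and placeholder bytes, not a real certificate.
SAMPLE_DER = b"constructed placeholder, not a real X.509 certificate" * 3
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml/metadata/0000">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>
        {cert}
      </ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso/0000"/>
  </IDPSSODescriptor>
</EntityDescriptor>""".format(cert=base64.b64encode(SAMPLE_DER).decode())


def idp_settings(metadata_xml):
    """Return the values the manual connector form asks for (hypothetical helper)."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == REDIRECT]
    # First KeyDescriptor only; metadata published during a rollover may list more.
    cert = idp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not sso or cert is None or not cert.text:
        raise ValueError("metadata lacks an HTTP-Redirect endpoint or a certificate")
    # Drop all whitespace, then decode strictly so stray pasted characters
    # raise an error instead of being silently ignored.
    der = base64.b64decode("".join(cert.text.split()), validate=True)
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    pem = "\n".join(["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"])
    return {
        "idp_entity_id": root.get("entityID"),
        "idp_sso_url": sso[0],
        "certificate_pem": pem + "\n",
        "sha256_fingerprint": hashlib.sha256(der).hexdigest(),
    }
```

Run it on the file downloaded in Step 5; a fingerprint that differs from the one shown in the IdP console means the wrong or a stale certificate is about to be pasted.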
Step 7: Assign Users and Roles
In OneLogin:
- Go to the IronWiFi application
- Navigate to the Users tab
- Click Add Users or Add Roles
- Select users or roles to grant access
- Save assignments
User Synchronization
Automatically sync users from OneLogin to IronWiFi.
Step 1: Generate API Credentials
- In OneLogin, navigate to Developers > API Credentials
- Click New Credential
- Set Name: IronWiFi Connector
- Grant permissions:
- Manage users (Read users)
- Manage roles (Read roles)
- Copy the Client ID and Client Secret
Step 2: Configure IronWiFi Connector
- Edit your OneLogin connector
- Navigate to User Sync Settings
- Enter:
- OneLogin Subdomain (e.g., yourcompany)
- API Client ID
- API Client Secret
- Configure sync options:
- Auto-sync: Enable scheduled synchronization
- Sync interval: Hourly, daily, or weekly
- Include disabled users: Yes/No
- Click Save
Step 3: Run Initial Sync
- Click Sync Now
- Monitor progress in the sync log
- Review imported users in Users section
Synchronization Mapping
User Attributes
| OneLogin | IronWiFi |
|---|---|
| | Username |
| firstname | First Name |
| lastname | Last Name |
| status | Status (enabled/disabled) |
| role | Group |
| custom_attributes | Custom Fields |
Sync Settings
| Setting | Description |
|---|---|
| Auto-sync | Scheduled automatic synchronization |
| Sync interval | Frequency: hourly, daily, weekly |
| Filter by role | Only sync users with specific roles |
| Include suspended | Import suspended OneLogin users |
Group Mapping
Map OneLogin roles to IronWiFi groups:
- In the connector, navigate to Group Mapping
- Add mapping rules:
- OneLogin Role → IronWiFi Group
- Example: "WiFi Users" → "Guest WiFi"
- Enable Auto-create groups
- Save and run sync
RADIUS Authentication
Enable WPA-Enterprise authentication using OneLogin credentials:
Requirements
- OneLogin Professional or Enterprise plan
- RADIUS authentication add-on enabled
Step 1: Enable RADIUS in OneLogin
- Navigate to Security > Authentication Factors
- Enable RADIUS
- Configure RADIUS settings:
- Primary RADIUS server
- Shared secret
- Note the RADIUS server details
Step 2: Configure IronWiFi for RADIUS
- In the OneLogin connector
- Navigate to RADIUS Settings
- Enter:
- OneLogin RADIUS server IP/hostname
- RADIUS shared secret
- Authentication port: 1812 (default)
- Enable RADIUS Proxy Mode
- Save configuration
Step 3: Test RADIUS Authentication
- Configure a test device for WPA-Enterprise (PEAP-MSCHAPv2)
- Enter OneLogin username and password
- Attempt to connect
- Verify authentication in IronWiFi logs
Captive Portal Integration
Enable OneLogin SSO for guest WiFi:
- Navigate to Captive Portals > your portal
- Go to Authentication Providers
- Enable OneLogin SAML
- Select your OneLogin connector
- Configure post-authentication behavior:
- Auto-approve authenticated users
- Create user accounts automatically
- Add OneLogin domains to Walled Garden:
- Save portal configuration
Testing the Integration
SAML Testing
- Open your captive portal URL
- Click the OneLogin login button
- Enter OneLogin credentials
- Verify redirect back to portal
- Confirm WiFi access granted
User Sync Testing
- Create a test user in OneLogin
- Run manual sync in IronWiFi
- Verify user appears in Users list
- Check user attributes are correct
- Verify group membership
RADIUS Testing
- Configure device for WPA-Enterprise:
- SSID: Your network
- Security: WPA2-Enterprise
- Authentication: PEAP
- Inner authentication: MSCHAPv2
- Enter OneLogin credentials
- Connect to network
- Verify authentication in IronWiFi logs
Advanced Configuration
Conditional Access
Enforce OneLogin policies for WiFi access:
- In OneLogin, create a Policy
- Set conditions:
- IP address ranges
- Device compliance
- MFA requirements
- Apply policy to IronWiFi application
- Users not meeting conditions are denied
Multi-Factor Authentication
Require MFA for WiFi access:
- In OneLogin, enable MFA for the IronWiFi app
- Configure MFA factors:
- OneLogin Protect (push notifications)
- SMS
- Authenticator apps
- Users must complete MFA during login
- RADIUS authentication may not support MFA
Custom Attribute Mapping
Map custom OneLogin fields to IronWiFi:
- In OneLogin, create custom user fields
- In IronWiFi connector, add attribute mappings:
- OneLogin custom field → IronWiFi custom field
- Save and sync
- Verify attributes in user profiles
Session Management
Control user session behavior:
| Setting | Description | Configuration |
|---|---|---|
| Session duration | How long users stay logged in | Set in Captive Portal settings |
| Re-authentication | Force re-login interval | Configure in OneLogin policy |
| Simultaneous sessions | Multiple device limits | Set in IronWiFi user group |
| Session timeout | Idle timeout period | Configure in portal settings |
Troubleshooting
SAML Authentication Errors
Error: Invalid SAML Response
- Verify the ACS URL is correct in OneLogin
- Check Entity ID matches between systems
- Ensure certificate is valid and not expired
Error: User Not Found
- Verify user is assigned to IronWiFi app
- Check attribute mapping (email must be provided)
- Confirm user status is active in OneLogin
Error: Invalid Signature
- Re-download X.509 certificate from OneLogin
- Verify certificate format (PEM)
- Check for whitespace or formatting issues
User Sync Issues
No Users Syncing
- Verify API credentials are correct
- Check API permissions (Manage users, Manage roles)
- Review sync filters and role restrictions
- Check network connectivity to OneLogin
Partial User Sync
- Review role filter settings
- Check for suspended users if excluded
- Verify attribute data exists in OneLogin
- Review sync logs for specific errors
Group Mapping Not Working
- Confirm role names match exactly
- Enable auto-create groups
- Check group mapping rules
- Verify roles are assigned to users
RADIUS Authentication Failures
Authentication Rejected
- Verify RADIUS server details are correct
- Check shared secret matches
- Confirm user credentials in OneLogin
- Review IronWiFi authentication logs
Timeout During Authentication
- Check network connectivity to OneLogin RADIUS
- Verify firewall allows UDP 1812/1813
- Test RADIUS server availability
- Check for NAT/routing issues
Certificate Validation Errors
- Ensure trusted root certificates are installed
- Verify certificate chain is complete
- Check certificate hasn't expired
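Why "Check shared secret matches" matters can be shown offline. The following is an added example, not IronWiFi or OneLogin code: it implements the RFC 2865 Response Authenticator check that a RADIUS client applies to every reply. RFC 2865 has the client silently discard a reply that fails this check, so a mistyped secret can present as a timeout rather than an explicit rejection. All function names, secrets and packet contents are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code, ident, request_auth, attrs, secret):
    """Serialise a reply the way a server holding `secret` would."""
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def check_reply(packet, ident, request_auth, secret):
    """Classify a reply as a RADIUS client does before acting on it."""
    if len(packet) < 20:
        return "discard: shorter than the 20-byte header"
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return "discard: bad length field"
    if rid != ident:
        return "discard: identifier does not match the pending request"
    attrs = packet[20:length]
    expected = response_authenticator(code, rid, request_auth, attrs, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return "discard: authenticator mismatch (check the shared secret)"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "other")


# Constructed sample values, not taken from any real deployment.
REQ_AUTH = bytes(range(16))               # Request Authenticator of the pending request
REPLY_MESSAGE = bytes([18, 4]) + b"ok"    # Reply-Message attribute: type 18, length 4
SERVER_REPLY = build_reply(ACCESS_ACCEPT, 7, REQ_AUTH, REPLY_MESSAGE,
                           b"server-side-secret")
```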
Performance Issues
Slow SAML Login
- Check network latency to OneLogin
- Verify DNS resolution works
- Review OneLogin policy evaluation complexity
Sync Taking Too Long
- Reduce sync frequency
- Filter users by role
- Enable incremental sync
- Review API rate limits
Security Best Practices
- Use Strong Shared Secrets - Generate random, complex RADIUS secrets
- Enable MFA - Require multi-factor authentication where possible
- Rotate Credentials - Regularly rotate API credentials and secrets
- Monitor Logs - Review authentication and sync logs regularly
- Apply Least Privilege - Grant minimal API permissions needed
- Test Regularly - Verify integration after OneLogin updates
- Restrict by Role - Only sync and allow necessary user roles
- Use HTTPS - Ensure all communications use TLS/SSL
- Backup Configuration - Document all settings and credentials
- Implement Alerts - Set up notifications for sync and auth failures
Rate Limits and Quotas
Be aware of OneLogin API limits:
| Resource | Limit |
|---|---|
| API Calls | 5,000 per hour (Professional plan) |
| SAML Assertions | Unlimited |
| User Sync | Depends on plan and user count |
To avoid rate limiting:
- Adjust sync frequency based on user count
- Use incremental sync where available
- Monitor API usage in OneLogin dashboard
Support Resources
- OneLogin Developer Documentation
- OneLogin SAML Toolkit
- OneLogin API Reference
- IronWiFi Support: support@ironwifi.com