OneLogin

Apr 30, 2022

Learn how to make your existing OneLogin deployment passwordless.

Capabilities overview

idemeum Passwordless MFA integrates with OneLogin to enable:

  • Remote identity verification - digitally verify the identity of employees so that every login is trusted. Right from the mobile app, verify an email address, phone number, or government ID. The idemeum app is not just an authenticator; it is an employee-owned identity that you can trust.
  • Passwordless onboarding - employees are onboarded into the organization without any passwords. There is no need to send credentials over email or chat; employees simply install the mobile application and create a digital identity.
  • Passwordless access - employees access any corporate application with biometrics. Every login is protected by multi-factor authentication: biometrics (something you are) and certificates (something you have).

High-level architecture overview

idemeum integrates with OneLogin in minutes - there is no need to synchronize users or deploy any connectors or servers. Just federate with OneLogin using SAML and connect idemeum to your user source system.

In the diagram above, OneLogin is deployed as the primary IdP and all applications are federated directly with OneLogin. When a user tries to authenticate to a corporate application, the sign-in request is sent first to OneLogin and is then redirected to idemeum. idemeum performs passwordless multi-factor authentication and returns the necessary user information to OneLogin, which in turn forwards it to the federated application. As a result, users can access applications without any passwords.

Upon the very first login, idemeum onboards the employee and verifies their information against the user source system. idemeum can use a personal email address, phone number, or ID document to onboard new employees. You can learn more about onboarding here.


Prerequisites

In order to integrate idemeum with OneLogin you will first need to obtain the SAML metadata parameters for your idemeum tenant. Specifically, you will need:

  • Identity Provider SSO URL
  • Identity Provider Entity ID
  • Public X509 certificate (PEM format)

Instructions for obtaining these SAML metadata parameters are linked below.

How to obtain SAML metadata for idemeum
SAML metadata is the data that describes the information needed to communicate between your SaaS application and idemeum in order to enable Single Sign-On. Based on SAML terminology SaaS application is called Service Provider (SP) and idemeum will be Identity Provider (IDP). Typically you will be a…

Configure OneLogin

Create Trusted IdP

  • Access your OneLogin admin dashboard and navigate to Authentication -> Trusted IdPs
  • Click New Trust to create an integration
  • First, give the Trusted IdP a name
  • Scroll down to the configurations section. In the Issuer field, enter the Identity Provider Entity ID that you obtained in the prerequisites section.
  • Make sure the Sign users into OneLogin checkbox is enabled
  • Now scroll down to the SAML configurations section. In the IdP Login URL field, paste the Identity Provider SSO URL that you obtained in the prerequisites section.
  • Also copy the SP Entity ID value, as you will need it for the idemeum configuration
  • Now scroll down to Trusted IdP Certificate. In the X.509 Certificate field, paste the Public X509 certificate (PEM format) that you obtained in the prerequisites section.
  • You can now scroll all the way back up and enable Trusted IdP
  • Save the configuration

Enable Trusted IdP for users

You have several options for enabling the Trusted IdP for your OneLogin users, depending on how you want to roll out passwordless across your organization.

  1. You can make the Trusted IdP the default authentication for all users
  2. You can enable the Trusted IdP only for users that match certain mappings
  3. You can offer sign-in with the Trusted IdP as an option on the login page

Default Trusted IdP

In this option every user will automatically be redirected to idemeum for authentication when they access the OneLogin portal.

  • Navigate to Authentication -> Trusted IdPs
  • Choose the Trusted IdP that you want to make the default
  • Click More actions -> Set as default Trusted IdP

Use mappings for Trusted IdP

In this option only users matching certain criteria will be authenticated using idemeum.

  • Navigate to Users -> Mappings
  • Click Add new mapping
  • Choose your criteria for selecting users and enable the Trusted IdP that you configured for these users
  • Click Save
  • Reapply all mappings after saving the configuration

Login option

In this option login with idemeum will be offered as an option on the OneLogin sign-in screen.

  • Navigate to Authentication -> Trusted IdPs
  • Edit the Trusted IdP that you configured
  • Scroll to Login Options

Configure log out URL

When the user logs out of OneLogin we also need to make sure the user is logged out of idemeum; otherwise the idemeum session would outlive the OneLogin one. For that to happen we need to configure the logout URL.

  • Navigate to Settings -> Account settings
  • Click Login in the left menu
  • Scroll down to the bottom. Enter the following URL into the Logout URL field -> https://<your idemeum tenant>/api/logout-redirect
  • Save settings

Configure idemeum

Connect to user source system

  • As a first step you need to connect your idemeum tenant to your user source system. You can use our integrations portal to find detailed guides for each user source that we support.
User source - idemeum integrations
Integration with user source of data, including HRMS and cloud directories.

Configure user onboarding

  • You also need to decide how you would like to onboard your new employees into passwordless MFA. You can use a personal email address, phone number, or ID document.
  • Navigate to Security settings in your idemeum portal to configure onboarding

You can learn more about passwordless onboarding in our documentation section.

Passwordless onboarding
Learn how employees can onboard into organization without needing any passwords. Simply install idemeum Passwordless MFA and verify digital identity.

Set up OneLogin app

  • Navigate to Applications in the idemeum admin portal and choose OneLogin
  • Click SAML. You will now use the SAML values obtained from OneLogin when setting up the Trusted IdP
  • Enter your OneLogin tenant URL in the form https://<your domain>.onelogin.com
  • Paste the SP Entity ID that you obtained from the OneLogin configuration into Audience URI
  • Save the configuration

Test Passwordless MFA

  • Open an incognito browser window and navigate to your OneLogin tenant URL. With the default Trusted IdP configuration you will be immediately redirected to idemeum. You will see a QR code that you need to scan with the idemeum application.
  • Once you scan the QR code with the idemeum application and approve the sign-in, you will be redirected to the OneLogin application catalog.