This document provides a step-by-step introduction to configuring OneLogin to work with Keyless. In this guide, Keyless is set up as both an OpenID Connect service provider and an OpenID Connect identity provider for OneLogin.

Configure Authentication Identity Provider

To enable your users to authenticate into the OneLogin dashboard via Keyless, you’ll need to configure Keyless as a trusted IdP on OneLogin.

As part of the onboarding process, you’ll receive the following pieces of information from Keyless to complete a Trusted IdP configuration.


  • Login Icon URI: can be used as the logon icon for Keyless authentication on the OneLogin login page

  • OIDC issuer URI

  • Authentication Endpoint: OIDC authorization endpoint URI

  • Token Endpoint: OIDC token endpoint URI

  • User Information Endpoint: OIDC userinfo endpoint URI

  • Client Id: OIDC Client ID

  • Client Secret: OIDC Client Secret


The steps are as follows:

  • Create a new Trusted IdP: Go to Authentication → Trusted IdPs → New Trust

  • Provide a name for the Trusted IdP configuration e.g. Keyless

  • Check Enable Trusted IDP

  • Check Show In Logon Panel; this will require you to choose an icon (a default Keyless icon is provided in the onboarding package)

  • Fill in issuer URI

  • Check the following options:

    • Sign users into OneLogin

    • Sign users into additional applications

    • Send Subject Name ID or Login Hint in Auth Request

  • In the User Attribute section:

    • Fill in {tidp.preferred_username}

    • Select Email in User Attribute Mapping

  • Select OIDC as the authentication protocol type and fill in the following fields in the OIDC Configuration section (the OIDC endpoint URIs, Client ID and Client Secret values are provided in the Keyless onboarding package)

    • Authentication Endpoint

    • Select POST as Token Endpoint Authentication Method

    • Token Endpoint

    • User Information Endpoint

    • In the Scopes field, type: openid email profile

    • In the Client Id & Client Secret fields, fill in the values provided by Keyless

  • Click Save to complete the configuration
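
Before entering these values, they can be cross-checked against the IdP's OIDC discovery metadata. The following Python check is an added example, not part of the Keyless or OneLogin documentation; it verifies that the endpoints are HTTPS and match the discovery document, and that the token endpoint method, scopes and claims used in the steps above are advertised. Assumptions: the hosts and the discovery document are constructed sample data, Keyless publishes a standard `/.well-known/openid-configuration` document, and OneLogin's POST method corresponds to OIDC `client_secret_post`.

```python
from urllib.parse import urlsplit

# Constructed sample values (hypothetical hosts, not real Keyless endpoints).
ONBOARDING = {
    "issuer": "https://idp.keyless.example",
    "authorization_endpoint": "https://idp.keyless.example/authorize",
    "token_endpoint": "https://idp.keyless.example/token",
    "userinfo_endpoint": "https://idp.keyless.example/userinfo",
}
# Constructed discovery document, shaped like /.well-known/openid-configuration.
DISCOVERY = {
    **ONBOARDING,
    "scopes_supported": ["openid", "email", "profile"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
    "claims_supported": ["sub", "email", "preferred_username"],
}
REQUIRED_SCOPES = {"openid", "email", "profile"}   # value typed into the Scopes field
REQUIRED_CLAIMS = {"preferred_username", "email"}  # {tidp.preferred_username} mapped to Email


def check_trusted_idp(onboarding, discovery):
    """Return a list of findings; an empty list means the values are consistent."""
    findings = []
    for name, value in onboarding.items():
        url = urlsplit(value)
        if url.scheme != "https" or not url.hostname:
            findings.append(f"{name}: not an absolute https URL")
        if discovery.get(name) != value:
            findings.append(f"{name}: differs from discovery document")
    # OIDC Discovery: when this list is omitted, the default is client_secret_basic only.
    methods = discovery.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if "client_secret_post" not in methods:
        findings.append("token endpoint does not advertise client_secret_post")
    missing_scopes = REQUIRED_SCOPES - set(discovery.get("scopes_supported", []))
    if missing_scopes:
        findings.append(f"scopes not advertised: {sorted(missing_scopes)}")
    missing_claims = REQUIRED_CLAIMS - set(discovery.get("claims_supported", []))
    if missing_claims:
        findings.append(f"claims not advertised: {sorted(missing_claims)}")
    return findings


if __name__ == "__main__":
    for finding in check_trusted_idp(ONBOARDING, DISCOVERY) or ["all checks passed"]:
        print(finding)
```

An unadvertised scope or claim is a prompt to confirm with Keyless rather than proof of a fault, since both lists are optional in discovery metadata.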

Configure Enrolment Service Provider

To enable enrolment of your users to Keyless, we’ll need to configure a client application on OneLogin. The parameters required to create the application on OneLogin are provided in your Keyless onboarding package. Once the application is configured, you’ll need to send some configuration information back to Keyless to complete the configuration on the Keyless end.

The following pieces of information from Keyless (provided in your onboarding package) are required to configure the OneLogin application:


  • Login URL: OIDC Client configuration

  • Redirect URI: OIDC redirect URI

  • Post Logout Redirect URI

  • Keyless Enrolment URL: URL to Keyless Enrolment page for end users


The steps to configure the application are as follows:

  • Go to Applications → Add App

  • Search for OIDC in Find Applications and select OpenId Connect (OIDC)

  • On the Configuration screen, provide a display name, uncheck Visible in portal, and click Save

  • Under the Configuration tab, enter the following parameters provided by Keyless

    • Login Url

    • Redirect URIs (a single URI)

    • Post Logout URIs (a single URI)

  • Under the SSO tab, make a note of the following three pieces of information, which need to be sent back to Keyless for configuration on the Keyless end

    • Client ID

    • Client Secret

    • Issuer URL

  • Make sure that Application Type is Web

  • Make sure that, in the Token Endpoint section, Authentication Method is POST

  • Additionally, on the Users tab, select the relevant users/groups to enable them to be enrolled with Keyless

  • Click Save to complete the configuration.

Your users can now use the Keyless enrolment URL provided to enrol their devices with Keyless.
