OneLogin

Connect OneLogin to authenticate end users with your Char widget. Create an OIDC application in OneLogin and configure Char for token validation.

Prerequisites

A OneLogin account with admin access
Access to create applications in OneLogin Admin Portal
Access to the Char dashboard

Quick Links

OneLogin Admin Portal

OIDC Documentation

OpenID Connect developer guide

API Credentials

API credentials documentation

OneLogin SDK

OneLogin SDK reference

SDK References

oidc-client-ts

TypeScript OIDC client library

react-oidc-context

React context for OIDC authentication

Configuration Steps

Create an OIDC Application in OneLogin

Sign in to the OneLogin Admin Portal
Navigate to Applications → Applications
Click Add App
Search for “OpenID Connect” or “OIDC”
Select OpenId Connect (OIDC) from the results
Click Save

Configure Application Settings

On the Configuration tab:

Setting	Value
Login URL	Your application’s login page URL
Redirect URI’s	Your callback URLs (e.g., `https://yourapp.com/callback`)
Post Logout Redirect URI	Your logout redirect URL
Token Endpoint	Web
Application Type	Single Page App (SPA)

Click Save.

Configure SSO Settings

On the SSO tab:

Note your Client ID
Set Token Endpoint Authentication Method to None (for SPA)
Under Token, ensure ID Token is enabled
Click Save

Find your Client ID and configure SSO settings

Note Your Subdomain and Client ID

From OneLogin:

Subdomain: Your OneLogin subdomain (e.g., acme from acme.onelogin.com)
Client ID: Found on the SSO tab of your application
Region: Note if you’re using US (us) or EU (eu) region

The issuer URL format depends on your region:

US: https://{subdomain}.onelogin.com/oidc/2
EU: https://{subdomain}.eu.onelogin.com/oidc/2

Configure Char

In the Char Dashboard:

Navigate to Settings → Integration
Under SSO Configuration, select Custom OIDC as the provider
Enter your configuration:

Field	Value
Client ID	Your OneLogin Client ID
Issuer URL	`https://{subdomain}.onelogin.com/oidc/2`

Click Test Connection to verify
Click Save Changes

Configuration Reference

Char Field	OneLogin Value	Example
Provider Type	Custom OIDC	`custom_oidc`
Client ID	Application Client ID	`a1b2c3d4-e5f6-7890-abcd-ef1234567890`
Issuer URL	OIDC issuer	`https://acme.onelogin.com/oidc/2`

OneLogin uses /oidc/2 in the issuer URL path. This is the OIDC 2.0 endpoint. Don’t omit this suffix.

Token Requirements

Char validates OneLogin tokens with these requirements:

Claim	Requirement
`iss`	Must match `https://{subdomain}.onelogin.com/oidc/2`
`aud`	Must include your configured Client ID
`sub`	Required - OneLogin user ID
`exp`	Must not be expired

Standard OneLogin ID Token Claims

Claim	Description
`sub`	OneLogin user ID
`email`	User’s email address
`preferred_username`	User’s username
`name`	User’s full name
`given_name`	First name
`family_name`	Last name
`groups`	User’s group memberships (if configured)
`params`	Custom parameters (if configured)

Example: Obtaining and Passing the Token

OIDC Client (oidc-client-ts)
React (react-oidc-context)
Implicit Flow (Legacy)

import { UserManager } from 'oidc-client-ts';
import "@mcp-b/embedded-agent/web-component";

const userManager = new UserManager({
  authority: 'https://acme.onelogin.com/oidc/2',
  client_id: 'your-client-id',
  redirect_uri: window.location.origin + '/callback',
  response_type: 'code',
  scope: 'openid profile email groups',
});

// After callback handling
userManager.getUser().then((user) => {
  if (user && user.id_token) {
    const agent =
      document.querySelector("webmcp-agent") ?? document.createElement("webmcp-agent");

    if (!agent.isConnected) {
      document.body.appendChild(agent);
    }

    agent.setAttribute("auth-token", user.id_token);
  }
});

import { AuthProvider, useAuth } from 'react-oidc-context';
import { useEffect } from 'react';
import "@mcp-b/embedded-agent/web-component";

const oidcConfig = {
  authority: 'https://acme.onelogin.com/oidc/2',
  client_id: 'your-client-id',
  redirect_uri: window.location.origin + '/callback',
  scope: 'openid profile email groups',
};

function App() {
  const auth = useAuth();

  useEffect(() => {
    if (auth.isAuthenticated && auth.user?.id_token) {
      const agent = document.querySelector("webmcp-agent");
      if (agent) {
        agent.setAttribute("auth-token", auth.user.id_token);
      }
    }
  }, [auth.isAuthenticated, auth.user]);

  return <webmcp-agent />;
}

function Root() {
  return (
    <AuthProvider {...oidcConfig}>
      <App />
    </AuthProvider>
  );
}

import "@mcp-b/embedded-agent/web-component";

// Parse ID token from URL hash (implicit flow)
function getIdTokenFromHash() {
  const hash = window.location.hash.substring(1);
  const params = new URLSearchParams(hash);
  return params.get('id_token');
}

const idToken = getIdTokenFromHash();

if (idToken) {
  const agent =
    document.querySelector("webmcp-agent") ?? document.createElement("webmcp-agent");

  if (!agent.isConnected) {
    document.body.appendChild(agent);
  }

  agent.setAttribute("auth-token", idToken);

  // Clean URL
  history.replaceState(null, '', window.location.pathname);
}

Including Groups in Token

To include group memberships in the ID token:

In OneLogin Admin, go to your OIDC application
Navigate to Parameters tab
Click Add Parameter
Configure:

Setting	Value
Field name	`groups`
Include in SAML assertion	Unchecked
Include in OpenID Connect assertion	Checked
Value	User Roles (or Groups)

Click Save

// Groups are now included in the token
const tokenClaims = parseJwt(idToken);
console.log('User groups:', tokenClaims.groups);

Custom Parameters

Add custom claims to your tokens:

Navigate to your application’s Parameters tab
Click Add Parameter
Configure:

Setting	Value
Field name	Your custom claim name
Include in OpenID Connect assertion	Checked
Value	Select source (User attribute, Macro, etc.)

Click Save

Example for adding department:

// Custom department claim
const tokenClaims = parseJwt(idToken);
console.log('Department:', tokenClaims.department);

OneLogin Regions

OneLogin has multiple regional deployments:

Region	Admin URL	Issuer URL
US	`admin.us.onelogin.com`	`https://{subdomain}.onelogin.com/oidc/2`
EU	`admin.eu.onelogin.com`	`https://{subdomain}.eu.onelogin.com/oidc/2`

Ensure you use the correct regional URL for your OneLogin instance. EU customers must include .eu in the issuer URL.

Troubleshooting

INVALID_ISSUER error

The issuer URL doesn’t match:

Include /oidc/2 suffix: The issuer URL must include /oidc/2
Check region: EU customers must use {subdomain}.eu.onelogin.com
Verify subdomain: Ensure the subdomain matches exactly
No trailing slash: The URL should not end with /

INVALID_AUDIENCE error

The token’s audience doesn’t match:

Verify the Client ID matches exactly (including hyphens)
Check that you’re using the ID token, not the access token
Ensure the application type is set correctly (SPA for public clients)

JWKS_FETCH_FAILED error

Char couldn’t reach OneLogin’s JWKS endpoint:

JWKS endpoint: https://{subdomain}.onelogin.com/oidc/2/certs
Verify your subdomain is correct
Check regional endpoint if applicable
Use Test Connection in the dashboard

Groups claim missing

If groups aren’t in the token:

Verify the groups parameter is configured on the application
Ensure Include in OpenID Connect assertion is checked
Request the groups scope in your authentication request

User not assigned to application

If users can’t authenticate:

In OneLogin Admin, go to Users → select user → Applications
Ensure the user is assigned to the OIDC application
Or configure the application with Self Service enabled

Directory Integration

OneLogin can sync users from various directories:

Active Directory: Via OneLogin AD Connector
LDAP: Direct LDAP integration
Google Workspace: Via API integration
Workday: HR-driven provisioning

Directory attributes can be mapped to custom token claims using the Parameters feature.

Security Best Practices

Enable MFA in OneLogin policies
Configure session timeout appropriately for your security requirements
Use role-based access to control which users can access your application
Enable Smart Hooks for additional authentication logic
Monitor sign-in events in OneLogin Events
Review application access regularly
Configure IP restrictions if needed for your organization
Enable Account Recovery securely

Introduction

How-to Guides

Explanation

Prerequisites

Quick Links

OneLogin Admin Portal

OIDC Documentation

API Credentials

OneLogin SDK

SDK References

oidc-client-ts

react-oidc-context

Configuration Steps

Configuration Reference

Token Requirements

Standard OneLogin ID Token Claims

Example: Obtaining and Passing the Token

Including Groups in Token

Custom Parameters

OneLogin Regions

Troubleshooting

Directory Integration

Security Best Practices

Introduction

How-to Guides

Explanation

​Prerequisites

​Quick Links

OneLogin Admin Portal

OIDC Documentation

API Credentials

OneLogin SDK

​SDK References

oidc-client-ts

react-oidc-context

​Configuration Steps

​Configuration Reference

​Token Requirements

​Standard OneLogin ID Token Claims

​Example: Obtaining and Passing the Token

​Including Groups in Token

​Custom Parameters

​OneLogin Regions

​Troubleshooting

​Directory Integration

​Security Best Practices

Prerequisites

Quick Links

SDK References

Configuration Steps

Configuration Reference

Token Requirements

Standard OneLogin ID Token Claims

Example: Obtaining and Passing the Token

Including Groups in Token

Custom Parameters

OneLogin Regions

Troubleshooting

Directory Integration

Security Best Practices