OneLogin
Sym provides both a first-party Access Strategy for moving users in and out of OneLogin roles as well as several SDK convenience methods to help customize your access rules.
Connect Sym with your AWS Secrets Manager
Follow the Manage Secrets with AWS Secrets Manager tutorial to connect your AWS Secrets Manager with the Sym Runtime.
Create a OneLogin API User and Credentials
We recommend that you create a dedicated OneLogin user with administrative access to Roles that your integrations will manage.
To do this, use the OneLogin Admin Console to create a new user, then give the user "Super User" privileges. Once the user is created, you will need to sign in as this user and create an API credential pair with "Manage all" privileges.

Permissions required for the OneLogin API credential pair
Regarding Super User Privileges
Currently, only Super User privileges provide the ability to assign users to and remove users from OneLogin roles. Please see the OneLogin documentation for more information about the different privilege levels.
Share your OneLogin Credential Pair with Sym
Follow the Share Secrets with the Sym Runtime tutorial to share your OneLogin Client Secret with Sym. We recommend using the plain style secret.
# Note: This example snippet shows only the OneLogin specific resources.
resource "aws_secretsmanager_secret" "onelogin_client_secret" {
  name        = "main/onelogin-client-secret"
  description = "API Client Secret for Sym to call OneLogin APIs"

  tags = {
    # This SymEnv tag is required and MUST match the SymEnv tag in the
    # aws_iam_policy.secrets_manager_access in your `secrets.tf` file
    SymEnv = local.environment_name
  }
}

resource "sym_secret" "onelogin_client_secret" {
  # `sym_secrets` is defined in "Manage Secrets with AWS Secrets Manager"
  source_id = sym_secrets.this.id
  path      = aws_secretsmanager_secret.onelogin_client_secret.name
}
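The comment above says the SymEnv tag MUST match the tag condition in the Sym Runtime's IAM policy; if it does not, the Runtime is denied access to the secret and the OneLogin integration fails at call time. The following script is an added example (not Sym's code) that checks the wiring of the secret against what the Terraform above declares: the name must equal the `path` given to `sym_secret`, and the SymEnv tag must carry the expected environment. It assumes the response shape of boto3's `SecretsManager.describe_secret`; the sample responses, account ID and ARN suffix are constructed for illustration.

```python
"""Check that the OneLogin client-secret entry in AWS Secrets Manager is
wired the way the Sym docs require (name matches the sym_secret path,
SymEnv tag present and equal to the environment name).

Added example, not part of the Sym project. The dict shape follows
boto3's SecretsManager.describe_secret response; samples are constructed.
"""
from __future__ import annotations

SECRET_NAME = "main/onelogin-client-secret"  # same value as the Terraform `name`/`path`
EXPECTED_ENV = "main"                        # what local.environment_name resolves to (assumption)


def find_tag(describe_response: dict, key: str) -> str | None:
    """Return the value of tag `key` from a describe_secret response, or None if absent."""
    for tag in describe_response.get("Tags") or []:
        if tag.get("Key") == key:
            return tag.get("Value")
    return None


def check_secret_wiring(describe_response: dict, expected_name: str, expected_env: str) -> list[str]:
    """Return a list of problems; an empty list means the secret is wired as the docs require."""
    problems: list[str] = []

    name = describe_response.get("Name")
    if name != expected_name:
        problems.append(f"secret name {name!r} does not match the sym_secret path {expected_name!r}")

    env = find_tag(describe_response, "SymEnv")
    if env is None:
        problems.append("SymEnv tag is missing; the Sym Runtime's IAM policy will deny access")
    elif env != expected_env:
        problems.append(f"SymEnv tag {env!r} does not match the expected environment {expected_env!r}")

    if describe_response.get("DeletedDate"):
        problems.append("secret is scheduled for deletion")

    return problems


def describe_secret_live(secret_id: str) -> dict:
    """Fetch the real metadata from AWS (needs boto3 and credentials; not used offline)."""
    import boto3  # imported here so the rest of the module runs without boto3 installed

    return boto3.client("secretsmanager").describe_secret(SecretId=secret_id)


# Constructed sample responses (placeholder account ID and ARN suffix).
SAMPLE_OK = {
    "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:main/onelogin-client-secret-AbCdEf",
    "Name": SECRET_NAME,
    "Description": "API Client Secret for Sym to call OneLogin APIs",
    "Tags": [{"Key": "SymEnv", "Value": "main"}],
}
SAMPLE_WRONG_ENV = {
    "Name": SECRET_NAME,
    "Tags": [{"Key": "SymEnv", "Value": "staging"}],
}
SAMPLE_NO_TAG = {
    "Name": SECRET_NAME,
    "Tags": [],
}

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("wrong-env", SAMPLE_WRONG_ENV), ("no-tag", SAMPLE_NO_TAG)):
        print(label, check_secret_wiring(sample, SECRET_NAME, EXPECTED_ENV) or "OK")
```

Run it against a live account by replacing the samples with `describe_secret_live(SECRET_NAME)`; the checks only read metadata, so the caller needs `secretsmanager:DescribeSecret` and never sees the secret value itself.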
Add a OneLogin Integration
Define a sym_integration resource with type = onelogin. This Integration will specify the OneLogin Client ID and Client Secret, and is necessary for the OneLogin SDK methods and Access Strategy.
- external_id: This is your OneLogin Domain.
- client_id: This must be set to the Client ID you received when you created your OneLogin API Credential Pair above.
- client_secret: This must be set to the ID of a sym_secret referencing your OneLogin API Credential Pair Client Secret.
resource "sym_integration" "onelogin" {
  type = "onelogin"
  name = "main-onelogin-integration"

  # This is your OneLogin Domain.
  external_id = "sym-example.onelogin.com"

  settings = {
    # This Client ID was created as part of your OneLogin API Credential Pair.
    client_id = "0a1b2c3d4e5f67890a1b2c3d4e5f67890a1b2c3d4e5f6789"

    # This secret was defined in the previous step.
    client_secret = sym_secret.onelogin_client_secret.id
  }
}
Next Steps
With your OneLogin API Credential Pair and Integration configured, you can now:
- Use the OneLogin SDK Integration
- Configure a OneLogin Access Strategy