OneLogin SDK Integration

The Sym SDK provides convenience methods for interacting with OneLogin in your


Did you configure your OneLogin Integration?

Before continuing, make sure you followed the instructions on the main OneLogin page to set up your OneLogin API Key and Integration.

Before continuing, you will need to have:

  • Connected Sym with AWS Secrets Manager
  • Configured your OneLogin API Credential Pair with Sym
  • Defined a OneLogin Integration resource

Add your OneLogin Integration to your Environment

If you are writing an for your OneLogin Access Strategy, then your OneLogin Integration will be implicitly available, and you can use the SDK methods without additional configuration.

However, if you wish to use the OneLogin SDK methods in a different Flow (e.g. an Approval-Only Flow), then you must specify the Integration in your Environment.

resource "sym_environment" "this" {
  name            = "main"
  runtime_id      =
  error_logger_id =

  integrations = {
    slack_id =

    # This is required to use OneLogin SDK methods in
    # for non-OneLogin strategies.
    onelogin_id =

Using OneLogin in your Flows

For more information on the supported methods in the onelogin module, please visit the Sym SDK OneLogin Docs.

Example Implementations

Only members of the requested Role can approve requests

from sym.sdk.annotations import hook
from sym.sdk.integrations import onelogin
from sym.sdk.templates import ApprovalTemplate

def on_approve(event):
    # Get the role details from the target in the request payload
    requested_role_id = event.payload.fields["target"].settings["role_id"]
    role_name = event.payload.fields["target"].label

    # Only allow members of the role to approve requests
    if not onelogin.is_user_in_group(event.user, group_id=requested_role_id):
        return ApprovalTemplate.ignore(message=f"Only members of {role_name} may approve requests for {role_name}")

DM members of a OneLogin Role

from sym.sdk.annotations import reducer
from sym.sdk.integrations import onelogin, slack
from sym.sdk.notifications import Notification

def get_request_notifications(event):
    # Get the role details from the target in the request payload
    role_name = event.payload.fields["target"].name
    # Requests for the "super_special" role get DM'd to managers
    if role_name == "super_special":
        # Get the users in the "Managers" OneLogin Role
        managers = onelogin.users_in_role(role_id=599800)
        return [Notification(destinations=[])]
    # Otherwise all other requests go to the regular requests channel
    return [Notification(destinations=["#onelogin-requests")])]