OneLogin SDK Integration

The Sym SDK provides convenience methods for interacting with OneLogin in your


Did you configure your OneLogin Integration?

Before continuing, make sure you followed the instructions on the main OneLogin page to set up your OneLogin API Key and Integration.

Before continuing, you will need to have:

  • Connected Sym with AWS Secrets Manager
  • Configured your OneLogin API Credential Pair with Sym
  • Defined a OneLogin Integration resource

Add your OneLogin Integration to your Environment

If you are writing an for your OneLogin Access Strategy, then your OneLogin Integration will be implicitly available, and you can use the SDK methods without additional configuration.

However, if you wish to use the OneLogin SDK methods in a different Flow (e.g. an Approval-Only Flow), then you must specify the Integration in your Environment.

resource "sym_environment" "this" {
  name            = "main"
  runtime_id      =
  error_logger_id =

  integrations = {
    slack_id =

    # This is required to use OneLogin SDK methods in
    # for non-OneLogin strategies.
    onelogin_id =

Using OneLogin in your Flows

For more information on the supported methods in the onelogin module, please visit the Sym SDK OneLogin Docs.

Example Implementations

Only members of the requested Role can approve requests

from sym.sdk.annotations import hook
from sym.sdk.integrations import onelogin
from sym.sdk.templates import ApprovalTemplate

def on_approve(event):
  # Get the role details from the target in the request payload
  requested_role_id = event.payload.fields["target"].settings["role_id"]
  role_name = event.payload.fields["target"].label

  # Only allow members of the role to approve requests
  if not onelogin.is_user_in_group(event.user, group_id=requested_role_id):
    return ApprovalTemplate.ignore(message=f"Only members of {role_name} may approve requests for {role_name}")

DM members of a OneLogin Role

from sym.sdk.annotations import reducer
from sym.sdk.integrations import onelogin

def get_approvers(event):
  # Get the role details from the target in the request payload
  role_name = event.payload.fields["target"].name
  # Requests for the "super_special" role get DM'd to managers
  if role_name == "super_special":
    # Get the users in the "Managers" OneLogin Role
    managers = onelogin.users_in_role(role_id=599800)
  # Otherwise all other requests go to the regular requests channel