# OneLogin Authentication

This document provides comprehensive information about the OneLogin integration in Keep.

## Overview

Keep supports OneLogin as an authentication provider, enabling:

* Single Sign-On (SSO) via OneLogin
* OAuth2/OIDC authentication flow
* Token refresh capabilities
* Role-based access control through custom claims
* Session management through NextAuth.js

## Environment Variables

### Backend Environment Variables

| Variable                    | Description                                           | Example                               |
| --------------------------- | ----------------------------------------------------- | ------------------------------------- |
| `AUTH_TYPE`                 | Set to `"ONELOGIN"` to enable OneLogin authentication | `ONELOGIN`                            |
| `ONELOGIN_ISSUER`           | The issuer URL for your OneLogin application          | `https://company.onelogin.com/oidc/2` |
| `ONELOGIN_CLIENT_ID`        | Client ID of your OneLogin application                | `abc123def456ghi789`                  |
| `ONELOGIN_CLIENT_SECRET`    | Client Secret of your OneLogin application            | `abcd1234efgh5678ijkl9012`            |
| `ONELOGIN_ADMIN_ROLE`       | Role to be mapped to a Keep admin role                | `KeepAdmin`                           |
| `ONELOGIN_NOC_ROLE`         | Role to be mapped to a Keep noc role                  | `KeepNoc`                             |
| `ONELOGIN_WEBHOOK_ROLE`     | Role to be mapped to a Keep webhook role              | `KeepWebhook`                         |
| `ONELOGIN_AUTO_CREATE_USER` | Whether to automatically create users in Keep         | `True`                                |

### Frontend Environment Variables

| Variable                 | Description                                           | Example                               |
| ------------------------ | ----------------------------------------------------- | ------------------------------------- |
| `AUTH_TYPE`              | Set to `"ONELOGIN"` to enable OneLogin authentication | `ONELOGIN`                            |
| `ONELOGIN_ISSUER`        | The issuer URL for your OneLogin application          | `https://company.onelogin.com/oidc/2` |
| `ONELOGIN_CLIENT_ID`     | Client ID of your OneLogin application                | `abc123def456ghi789`                  |
| `ONELOGIN_CLIENT_SECRET` | Client Secret of your OneLogin application            | `abcd1234efgh5678ijkl9012`            |

## OneLogin Configuration

### Creating a OneLogin Application

1. Sign in to your OneLogin Admin Console
2. Navigate to **Applications**
3. Click **Add App**
4. Search for **OpenId Connect (OIDC)** and select it
5. Click **Save**

### Application Settings

1. **Display Name**: Enter a name for your application (e.g., "Keep")
2. **Redirect URIs**: Enter your app's callback URL, e.g., `https://your-keep-domain.com/api/auth/callback/onelogin`
3. **Login URL**: Enter your app's login URL, e.g., `https://your-keep-domain.com/signin`
4. **Role Mapping**:
   * Go to the Parameters tab
   * Map the groups to user roles or groups, with the default value being semicolon-delimited input values
5. Go to the **SSO** tab and configure:
   * **Application Type**: Web
   * **Token Endpoint**: Client Secret Post
6. **Access**:
   * Assign to appropriate roles or users
7. Click **Save**
8. Copy the client ID, client secret and issuer URL from the SSO tab
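
A preflight check for the values copied in step 8, written as an added example (not Keep's own code): it confirms that the backend and frontend variable sets from the tables above agree, that the issuer is an HTTPS URL, and that no example value from this page was left in place. The function name `check_onelogin_env` and the rule that one OneLogin role mapped to two Keep roles is an error are assumptions of this example.

```python
import os
from urllib.parse import urlparse

# Variables that both tables above list for backend and frontend.
SHARED = ("AUTH_TYPE", "ONELOGIN_ISSUER", "ONELOGIN_CLIENT_ID", "ONELOGIN_CLIENT_SECRET")
ROLE_VARS = ("ONELOGIN_ADMIN_ROLE", "ONELOGIN_NOC_ROLE", "ONELOGIN_WEBHOOK_ROLE")
# Example values printed in the tables; one of these in a deployment is a copy-paste.
DOC_EXAMPLES = {"abc123def456ghi789", "abcd1234efgh5678ijkl9012"}


def check_onelogin_env(backend, frontend):
    """Return a list of findings; an empty list means no problem was detected."""
    findings = []
    for side, env in (("backend", backend), ("frontend", frontend)):
        for var in SHARED:
            value = env.get(var, "").strip()
            if not value:
                findings.append(f"{side}: {var} is not set")
            elif value in DOC_EXAMPLES:
                findings.append(f"{side}: {var} still holds the documentation example")
        if env.get("AUTH_TYPE") and env["AUTH_TYPE"] != "ONELOGIN":
            findings.append(f"{side}: AUTH_TYPE is not ONELOGIN")
        issuer = urlparse(env.get("ONELOGIN_ISSUER", ""))
        if env.get("ONELOGIN_ISSUER") and (issuer.scheme != "https" or not issuer.hostname):
            findings.append(f"{side}: ONELOGIN_ISSUER must be an https:// URL")
    # Both halves talk to the same OneLogin application, so the values must agree.
    for var in SHARED:
        if backend.get(var) and frontend.get(var) and backend[var] != frontend[var]:
            findings.append(f"{var} differs between backend and frontend")
    # Assumption: one OneLogin role mapped to two Keep roles is ambiguous, so flag it.
    roles = [backend[v] for v in ROLE_VARS if backend.get(v)]
    if len(roles) != len(set(roles)):
        findings.append("backend: the same OneLogin role is mapped to more than one Keep role")
    return findings


if __name__ == "__main__":
    # Assumption: both components read this process's environment; in a split
    # deployment, load each component's variables into its own dict instead.
    for finding in check_onelogin_env(dict(os.environ), dict(os.environ)):
        print("FINDING:", finding)
```
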
