Log in to your OneLogin account and head to the dashboard.
Click Apps on the top menu. Select the Add apps menu item.
On the Find Application page, search for openid. Select Openid Connect by OneLogin, Inc.
On the App Configuration page, name the app and select a logo. Select Save.
Next, set the Redirect URIs setting to Pomerium's redirect URL.
Set the application type to Web and the token endpoint to be POST.
Under Token Timeout settings, set Refresh Token to 60 minutes (or whatever value makes sense for your organization). Note, however, that if you don't enable refresh tokens the user will be prompted to authenticate whenever the access token expires, which can result in a poor user experience.
OneLogin's OIDC implementation supports the groups claim, which can return either the user's groups or roles; Pomerium can use this claim to enforce group-based ACL policy.
To return the user's Active Directory groups, configure the groups claim to return member_of. In the Default if no value field, select User Roles, and select Semicolon Delimited in the adjacent field. Select Save.
Alternatively, the groups claim can return the roles a user is assigned. In the Default if no value field, select User Roles, and select Semicolon Delimited in the adjacent field. Select Save.
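With either configuration, OneLogin delivers the groups claim as a semicolon-delimited string, and the claim may be absent when nothing was mapped. The following added example (not Pomerium's code) shows how a relying party would normalize that claim and apply a deny-by-default group allow list; it assumes the claims dict comes from an ID token whose signature has already been verified, and the sample claims are constructed.

```python
"""Parse OneLogin's semicolon-delimited `groups` claim and enforce a group ACL.

Added example, not Pomerium's implementation. The claims dict is assumed to
come from an ID token whose signature the relying party has already verified.
"""
from typing import Iterable


def parse_groups(claims: dict, claim: str = "groups") -> list[str]:
    """Return the user's groups/roles as a trimmed, de-duplicated list.

    Handles the "Semicolon Delimited" string configured above, a JSON array
    (if the claim is configured that way), and a missing claim (no value
    mapped), which yields no groups rather than an error.
    """
    raw = claims.get(claim)
    if raw is None:
        return []
    if isinstance(raw, str):
        parts = raw.split(";")
    elif isinstance(raw, list):
        parts = [str(p) for p in raw]
    else:
        raise TypeError(f"unexpected type for {claim!r}: {type(raw).__name__}")
    groups: list[str] = []
    for part in parts:
        name = part.strip()
        if name and name not in groups:
            groups.append(name)
    return groups


def is_allowed(claims: dict, allowed_groups: Iterable[str]) -> bool:
    """Deny by default: allow only if the user holds at least one allowed group."""
    held = set(parse_groups(claims))
    return any(g in held for g in allowed_groups)


# Constructed sample claims mirroring the two OneLogin configurations above.
AD_CLAIMS = {"sub": "alice", "groups": "CN=Engineering,DC=example,DC=com;CN=VPN,DC=example,DC=com"}
ROLE_CLAIMS = {"sub": "bob", "groups": "Default;Admins; Admins"}
NO_GROUPS = {"sub": "carol"}  # no value mapped: claim omitted entirely

if __name__ == "__main__":
    print(parse_groups(ROLE_CLAIMS))            # ['Default', 'Admins']
    print(is_allowed(AD_CLAIMS, ["CN=VPN,DC=example,DC=com"]))  # True
    print(is_allowed(NO_GROUPS, ["Admins"]))    # False
```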
Finally, configure Pomerium with the identity provider settings retrieved in the previous steps. Your environment variables should look something like this:
IDP_PROVIDER="onelogin"
IDP_PROVIDER_URL="https://openid-connect.onelogin.com/oidc"
IDP_CLIENT_ID="9e613ce0-1622-0137-452d-0a93c31f8392142934"
IDP_CLIENT_SECRET="3e86ef0cc21b6dcf10c1d91e032568617d37e9fe1609ffd8042d3c25a560c36c"
After reloading Pomerium, you should be able to see login events in your OneLogin events dashboard.