App Resource
The app resource represents an app in OneLogin.
An app payload is broken into sections that group together common attributes such as parameters, SSO settings, and configuration. The attributes in each section vary with the type of app that has been returned. See below for samples of SAML and OpenID Connect apps.
Resource Elements
{
"id": 775664,
"name": "A Sample App",
"visible": true,
"description": "",
"notes": "",
"icon_url": "/images/missing_connector_icon/square/old_original.png",
"auth_method": 8,
"policy_id": null,
"allow_assumed_signin": false,
"tab_id": 196885,
"connector_id": 108419,
"created_at": "2018-04-12T21:50:42Z",
"updated_at": "2019-05-16T19:20:34Z",
"role_ids": [
192513
],
"provisioning": {},
"sso": {},
"configuration": {},
"parameters": {},
"enforcement_point": {}
}
| Attribute | Description | Type |
|---|---|---|
| id | App's unique ID in OneLogin. | Integer |
| connector_id | ID of the app's underlying connector. | Integer |
| name | App name. | String |
| description | Freeform description of the app. | String |
| notes | Freeform notes about the app. | String |
| policy_id | The security policy assigned to the app. | Integer |
| brand_id | The custom login page branding to use for this app. Applies to app-initiated logins via OIDC or SAML. | Integer |
| icon_url | A link to the app's icon URL. | String |
| visible | Indicates if the app is visible in the OneLogin portal. | Boolean |
| auth_method | An ID indicating the type of app. | Integer |
| tab_id | ID of the OneLogin portal tab that the app is assigned to. | Integer |
| created_at | The date the app was created. | ISO-8601 Date Time |
| updated_at | The date the app was last updated. | ISO-8601 Date Time |
| role_ids | List of Role IDs that are assigned to the app. On App Create or Update the entire array is replaced with the values provided. | Array |
| allow_assumed_signin | Indicates whether or not administrators can access the app as a user that they have assumed control over. | Boolean |
| provisioning | See provisioning section below for attributes of this object. | Object |
| sso | See sso section below for attributes of this object. | Object |
| configuration | See configuration section below for attributes of this object. | Object |
| parameters | See parameters section below for attributes of this object. | Object |
| enforcement_point | See enforcement point section below for attributes of this object. | Object |
Provisioning
{
"provisioning": {
"enabled": false
}
}
| Attribute | Description | Type |
|---|---|---|
| enabled | Indicates if provisioning is enabled for this app. | Boolean |
SSO
The attributes included in the sso section are determined by the type of app.
All of the attributes of the `sso` object are read-only.
OpenID Connect
{
"sso": {
"client_id": "78d1d040-20c9-0136-5146-067351775fae92920"
}
}
| Attribute | Description | Type |
|---|---|---|
| client_id | The OpenID Connect Client ID. Note that client_secret is only returned after Creating an App. | String |
SAML
{
"sso": {
"metadata_url": "https://app.onelogin.com/saml/metadata/5772393d-2ad3-47d6-a64f-2339b1028291",
"acs_url": "https://sharkbytes.onelogin.com/trust/saml2/http-post/sso/928532",
"sls_url": "https://sharkbytes.onelogin.com/trust/saml2/http-redirect/slo/928532",
"issuer": "https://app.onelogin.com/saml/metadata/5772393d-2ad3-47d6-a64f-2339b1028291",
"certificate": {
"value": "c6d814d032f000d9c03bc79727265",
"id": 170216,
"name": "My Companies SAML Certificate"
}
}
}
| Attribute | Description | Type |
|---|---|---|
| metadata_url | ID of the app's underlying connector. | String |
| acs_url | App name. | String |
| issuer | Freeform description of the app. | String |
| certificate | The certificate used for signing. | Object |
Configuration
The attributes included in the configuration section are determined by the type of app. This is not a complete list of possible configuration attributes. Custom configuration attributes may exist for different types of connectors.
OpenID Connect
{
"configuration": {
"redirect_uri": "https://localhost:3000/callback",
"refresh_token_expiration_minutes": 1,
"login_url": "",
"oidc_application_type": 0,
"token_endpoint_auth_method": 1,
"access_token_expiration_minutes": 1
}
}
| Attribute | Description | Type |
|---|---|---|
| redirect_uri | Comma- or newline-separated list of valid redirect URIs for the OpenID Connect Authorization Code flow. | String |
| login_url | The OpenID Connect Client ID. Note that client_secret is only returned after Creating an App. | String |
| oidc_application_type | | Integer |
| token_endpoint_auth_method | | Integer |
| access_token_expiration_minutes | Number of minutes the refresh token will be valid for. | Integer |
| refresh_token_expiration_minutes | Number of minutes the refresh token will be valid for. | Integer |
SAML
{
"configuration": {
"provider_arn": null,
"signature_algorithm": "SHA-1",
"certificate_id": 123456
}
}
| Attribute | Description | Type |
|---|---|---|
| signature_algorithm | One of the following | String |
| certificate_id | When creating apps the default certificate will be used unless the `certificate_id` attribute is applied in the `configuration` object. | Integer |
Parameters
The parameters section contains parameterized attributes that have been defined at the connector level as well as custom attributes that have been defined specifically for this app. Regardless of how they are defined, all parameters have the following attributes.
Each parameter is an object, keyed by the parameter's short name.
{
"parameters": {
"the_short_name": {
"values": null,
"user_attribute_mappings": null,
"provisioned_entitlements": false,
"skip_if_blank": false,
"id": 89806,
"default_values": null,
"attributes_transformations": null,
"label": "RoleSessionName",
"user_attribute_macros": null,
"include_in_saml_assertion": true
}
}
}
| Attribute | Description | Type |
|---|---|---|
| user_attribute_mappings | A user attribute to map values from. For custom attributes, prefix the name of the attribute with `custom_attribute_`, e.g. to get the value for custom attribute `employee_id` use `custom_attribute_employee_id`. | string |
| user_attribute_macros | When `user_attribute_mappings` is set to `_macro_` this macro will be used to assign the parameter value. | string |
| label | The label can only be set when creating a new parameter. It cannot be updated. | string |
| include_in_saml_assertion | When true, this parameter will be included in a SAML assertion payload. | string |
Enforcement Points
For apps that connect to a OneLogin Access Enforcement Point, the following enforcement_point object will be included with the app payload.
{
"enforcement_point": {
"require_sitewide_authentication": false,
"conditions": "",
"session_expiry_fixed": {
"value": 30,
"unit": "minutes"
},
"session_expiry_inactivity": {
"value": 10,
"unit": "minutes"
},
"permissions": "allow",
"token": "b491c647f5e0cff854ad606722ac98342b4b0882",
"target": "",
"resources": [
{
"resource_id": 809,
"conditions": null,
"is_path_regex": null,
"permissions": "allow",
"require_auth": false,
"path": "/"
}
],
"context_root": "",
"use_target_host_header": false,
"vhost": "",
"landing_page": "",
"case_sensitive": false
}
}
| Attribute | Description | Type |
|---|---|---|
| require_sitewide_authentication | Require user authentication to access any resource protected by this enforcement point. | Boolean |
| conditions | If access is conditional, the conditions that must evaluate to true to allow access to a resource. For example, to require that the user be authenticated and have either the role Admin or User: | String |
| session_expiry_fixed | | Object |
| session_expiry_inactivity | | Object |
| permissions | Specify whether to always `allow` or `deny` access to resources, or whether access is `conditional`. | String |
| token | Can only be set on create. Access Gateway Token. | String |
| target | A fully-qualified URL to the internal application including scheme, authority and path. The target host authority must be an IP address, not a hostname. | String |
| resources | Array of resource objects | Array |
| context_root | The root path to the application, often the name of the application. Can be any name, path or just a slash (“/”). The context root uniquely identifies the application within the enforcement point. | Boolean |
| use_target_host_header | Use the target host header as opposed to the original gateway or upstream host header. | Boolean |
| vhost | A comma-delimited list of one or more virtual hosts that map to applications assigned to the enforcement point. A VHOST may be a host name or an IP address. VHOSTs distinguish between applications that are at the same context root. | String |
| landing_page | The location within the context root to which the browser will be redirected for IdP-initiated single sign-on. For example, the landing page might be an index page in the context root such as index.html or default.aspx. The landing page cannot begin with a slash and must use valid URL characters. | String |
| case_sensitive | The URL path evaluation is case-insensitive by default. Resources hosted on web servers such as Apache, NGINX and Java EE have case-sensitive paths. Web servers such as Microsoft IIS are not case-sensitive. | Boolean |
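
An added example (not OneLogin's code): an audit pass over app payloads shaped like the ones documented above, reporting the settings a security reviewer would want to look at. The sample payloads are constructed, and what counts as a finding (null `policy_id`, `allow_assumed_signin`, `SHA-1`, non-HTTPS redirect URIs, allowed resources with `require_auth` false) is this example's assumption, not a OneLogin rule.

```python
import re
from urllib.parse import urlparse

# Constructed sample payloads using the field names documented on this page.
SAMPLE_APPS = [
    {"id": 1, "name": "SAML sample", "policy_id": None, "allow_assumed_signin": False,
     "configuration": {"signature_algorithm": "SHA-1", "certificate_id": 123456},
     "enforcement_point": {}},
    {"id": 2, "name": "OIDC sample", "policy_id": 42, "allow_assumed_signin": True,
     "configuration": {"redirect_uri": "https://localhost:3000/callback\nhttp://app.example.test/cb"}},
    {"id": 3, "name": "Gateway sample", "policy_id": 42, "allow_assumed_signin": False,
     "configuration": {},
     "enforcement_point": {"require_sitewide_authentication": False,
                           "resources": [{"path": "/", "permissions": "allow",
                                          "require_auth": False}]}},
]

def audit_app(app):
    """Return (field, finding) tuples for one app payload; the checks are assumptions."""
    findings = []
    cfg = app.get("configuration") or {}
    ep = app.get("enforcement_point") or {}

    if app.get("policy_id") is None:
        findings.append(("policy_id", "no security policy assigned"))
    if app.get("allow_assumed_signin"):
        findings.append(("allow_assumed_signin", "admins can open the app as an assumed user"))
    if cfg.get("signature_algorithm") == "SHA-1":
        findings.append(("configuration.signature_algorithm", "SAML signature uses SHA-1"))

    # redirect_uri is a comma- or newline-separated list of URIs.
    for uri in re.split(r"[,\n]+", cfg.get("redirect_uri") or ""):
        uri = uri.strip()
        if uri and urlparse(uri).scheme != "https":
            findings.append(("configuration.redirect_uri", f"non-HTTPS redirect URI: {uri}"))

    # Assumed reading of the sample: require_auth=false on an allowed path, with no
    # site-wide authentication, leaves that path open without sign-in.
    if ep and not ep.get("require_sitewide_authentication"):
        for res in ep.get("resources") or []:
            if res.get("permissions") == "allow" and not res.get("require_auth"):
                findings.append(("enforcement_point.resources",
                                 f"path {res.get('path')} allowed without authentication"))
    return findings

def audit_apps(apps):
    """Map app id -> findings, keeping only apps that have at least one finding."""
    report = {app["id"]: audit_app(app) for app in apps}
    return {app_id: found for app_id, found in report.items() if found}
```

`audit_apps(SAMPLE_APPS)` returns a dict keyed by app `id`; feed it the parsed JSON from your own app listing in place of the constructed samples.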