See api-docs Menu

App Resource

The app resource represents an app in OneLogin.

An app payload is broken into sections which group together common attributes such as parameters, sso settings and configuration. The attributes in each section change based on the type of app that has been returned. See below for samples of SAML and OpenId Connect apps.




Resource Elements

{
    "id": 775664,
    "name": "A Sample App",
    "visible": true,
    "description": "",
    "notes": "",
    "icon_url": "/images/missing_connector_icon/square/old_original.png",
    "auth_method": 8,
    "policy_id": null,
    "allow_assumed_signin": false,
    "tab_id": 196885,
    "connector_id": 108419,
    "created_at": "2018-04-12T21:50:42Z",
    "updated_at": "2019-05-16T19:20:34Z",
    "role_ids": [
        192513
    ],
    "provisioning": {},
    "sso": {},
    "configuration": {},
    "parameters": {},
    "enforcement_point": {}
}
id Apps unique ID in OneLogin. Integer
connector_id ID of the apps underlying connector. Integer
name App name. String
description Freeform description of the app. String
notes Freeform notes about the app. String
policy_id The security policy assigned to the app. Integer
brand_id The custom login page branding to use for this app. Applies to app initiated logins via OIDC or SAML. Integer
icon_url A link to the apps icon url. String
visible Indicates if the app is visible in the OneLogin portal. Boolean
auth_method An ID indicating the type of app.

  • 0 - Password
  • 1 - OpenId
  • 2 - SAML
  • 3 - API
  • 4 - Google
  • 6 - Forms Based App
  • 7 - WSFED
  • 8 - OpenId Connect

Integer
tab_id ID of the OneLogin portal tab that the app is assigned to. Integer
created_at The date the app was created. ISO-8601 Date Time
updated_at The date the app was last updated. ISO-8601 Date Time
role_ids List of Role IDs that are assigned to the app. On App Create or Update the entire array is replaced with the values provided. Array
allow_assumed_signin Indicates whether or not administrators can access the app as a user that they have assumed control over. Boolean
provisioning See provisioning section below for attributes of this object. Object
sso See sso section below for attributes of this object. Object
configuration See configuration section below for attributes of this object. Object
parameters See parameters section below for attributes of this object. Object
enforcement_point See enforcement point section below for attributes of this object. Object

Provisioning

{
  "provisioning": {
    "enabled": false
  },
}
enabled Indicates if provisioning is enabled for this app. Boolean

SSO

The attributes included in the sso section are determined by the type of app.

All of the attributes of the `sso` object are read only.

OpenId Connect

{
  "sso": {
    "client_id": "78d1d040-20c9-0136-5146-067351775fae92920"
  },
}
client_id The OpenId Connect Client Id. Note that client_secret is only returned after Creating an App. String

SAML

{
  "sso": {
    "metadata_url": "https://app.onelogin.com/saml/metadata/5772393d-2ad3-47d6-a64f-2339b1028291",
    "acs_url": "https://sharkbytes.onelogin.com/trust/saml2/http-post/sso/928532",
    "sls_url": "https://sharkbytes.onelogin.com/trust/saml2/http-redirect/slo/928532",
    "issuer": "https://app.onelogin.com/saml/metadata/5772393d-2ad3-47d6-a64f-2339b1028291",
    "certificate": {
      "value": "c6d814d032f000d9c03bc79727265",
      "id": 170216,
      "name": "My Companies SAML Certificate"
    }
  }
}
metadata_url ID of the apps underlying connector. String
acs_url App name. String
issuer Freeform description of the app. String
certificate The certificate used for signing.
  • id
  • name
  • value
Object

Configuration

The attributes included in the configuration section are determined by the type of app. This is not a complete list of possible configuration attributes. Custom configuration attributes may exist for different types of connectors.

OpenId Connect

{
    "configuration": {
        "redirect_uri": "https://localhost:3000/callback",
        "refresh_token_expiration_minutes": 1,
        "login_url": "",
        "oidc_application_type": 0,
        "token_endpoint_auth_method": 1,
        "access_token_expiration_minutes": 1
    }
}
redirect_uri Comma or newline separated list of valid redirect uris for the OpenId Connect Authorization Code flow. String
login_url The OpenId Connect Client Id. Note that client_secret is only returned after Creating an App. String
oidc_application_type
  • 0 - Web
  • 1 - Native / Mobile
Integer
token_endpoint_auth_method
  • 0 - Basic
  • 1 - POST
  • 2 - None / PKCE
Integer
access_token_expiration_minutes Number of minutes the refresh token will be valid for. Integer
refresh_token_expiration_minutes Number of minutes the refresh token will be valid for. Integer

SAML

{
    "configuration": {
        "provider_arn": null,
        "signature_algorithm": "SHA-1"
        "certificate_id": 123456
    }
}
signature_algorithm One of the following
  • SHA-1
  • SHA-256
  • SHA-348
  • SHA-512
String
certificate_id When creating apps the default certificate will be used unless the `certificate_id` attribute is applied in the `configuration` object. Integer

Parameters

The parameters section contains parameterized attributes that have defined at the connector level as well as custom attributes that have been defined specifically for this app. Regardless of how they are defined, all parameters have the following attributes.

Each parameter is an object with the key for the object being set as the parameters short name.

{
    "parameters": {
        "the_short_name": {
            "values": null,
            "user_attribute_mappings": null,
            "provisioned_entitlements": false,
            "skip_if_blank": false,
            "id": 89806,
            "default_values": null,
            "attributes_transformations": null,
            "label": "RoleSessionName",
            "user_attribute_macros": null,
            "include_in_saml_assertion": true
        }
    }
}

user_attribute_mappings

string

A user attribute to map values from

For custom attributes prefix the name of the attribute with `custom_attribute_`.

e.g. To get the value for custom attribute `employee_id` use `custom_attribute_employee_id`.

user_attribute_macros

string

When `user_attribute_mappings` is set to `_macro_` this macro will be used to assign the parameter value.

label

string

The can only be set when creating a new parameter. It can not be updated.

include_in_saml_assertion

string

When true, this parameter will be included in a SAML assertion payload.

Enforcement Points

For apps that connect to a OneLogin Access Enforcement Point the following enforcement_point object will be included with the app payload.

{
  "enforcement_point": {
    "require_sitewide_authentication": false,
    "conditions": "",
    "session_expiry_fixed": {
        "value": 30,
        "unit": "minutes"
    },
    "session_expiry_inactivity": {
        "value": 10,
        "unit": "minutes"
    },
    "permissions": "allow",
    "token": "b491c647f5e0cff854ad606722ac98342b4b0882",
    "target": "",
    "resources": [
        {
            "resource_id": 809,
            "conditions": null,
            "is_path_regex": null,
            "permissions": "allow",
            "require_auth": false,
            "path": "/"
        }
    ],
    "context_root": "",
    "use_target_host_header": false,
    "vhost": "",
    "landing_page": "",
    "case_sensitive": false
  }
}
require_sitewide_authentication Require user authentication to access any resource protected by this enforcement point. Boolean
conditions

If access is conditional, the conditions that must evaluate to true to allow access to a resource. For example, to require the user must be authenticated and have either the role Admin or User:

{
  "type": "roles",
  "roles": [ "Admin", "User" ]
}
String
session_expiry_fixed
{
  "value": 20,
  "unit": 1
}

  • unit:

    0 = Seconds
    1 = Minutes
    2 = Hours

  • value:

    When Unit = 0 or 1 value must be 0-60
    When Unit = 2 value must be 0-24

Object
session_expiry_inactivity
{
  "value": 20,
  "unit": 1
}

  • unit:

    0 = Seconds
    1 = Minutes
    2 = Hours

  • value:

    When Unit = 0 or 1 value must be 0-60
    When Unit = 2 value must be 0-24

Object
permissions Specify to always `allow`, `deny` access to resources, of if access is `conditional`. String
token Can only be set on create. Access Gateway Token. String
target A fully-qualified URL to the internal application including scheme, authority and path. The target host authority must be an IP address, not a hostname. String
resources

Array of resource objects

{
  "path": "/",
  "require_authentication": "no",
  "permission": "allow"
}

  • path: string
  • is_path_regex: boolean
  • require_auth: boolean
  • permissions: string [allow|deny|conditions]
  • conditions: string (text), only exists if permissions == conditions

Array
context_root The root path to the application, often the name of the application. Can be any name, path or just a slash (“/”). The context root uniquely identifies the application within the enforcement point. Boolean
use_target_host_header Use the target host header as opposed to the original gateway or upstream host header. Boolean
vhost A comma-delimited list of one or more virtual hosts that map to applications assigned to the enforcement point. A VHOST may be a host name or an IP address. VHOST distinguish between applications that are at the same context root. String
landing_page The location within the context root to which the browser will be redirected for IdP-initiated single sign-on. For example, the landing page might be an index page in the context root such as index.html or default.aspx. The landing page cannot begin with a slash and must use valid URL characters. String
case_sensitive The URL path evaluation is case insensitive by default. Resources hosted on web servers such as Apache, NGINX and Java EE are case sensitive paths. Web servers such as Microsoft IIS are not case-sensitive. Boolean

Postman Collection

Replace sample variables indicated by {{ }} with your actual values.

Run in Postman

    Clicking Run in Postman button navigates to the page where you can fork the collection to your workspace. Forking the collection into your workspace will enable you to contribute to the source collection using pull requests. You can also view the collection in a public workspace if you like and even import a copy of the collection using the links present on the screen.

Have a Question?

Found a problem or a bug? Submit a support ticket.

Looking for walkthroughs or how-to guides on OneLogin's user and admin features? Check out the documentation in our Knowledge Base.

Have a product idea or request? Share it with us in our Ideas Portal.