Use IP Allowlisting to enforce zero trust policies for specific SaaS Applications integrated with OneLogin

Use a OneLogin App Policy IP Address Allow List to require a CSE Service Tunnel when authenticating to a SaaS Application

Overview

This guide explains how to use a OneLogin App Policy to require that end users have a CSE Service Tunnel established before they can authenticate to a specific SaaS application through OneLogin. The result is equivalent to the Entra ID IP allowlisting flow: authentication is permitted only when the request originates from the CSE Access Tier egress IP addresses.

Compared with Entra ID, OneLogin IP allowlisting is simpler to configure. OneLogin restricts access with a single App Policy IP Address Allow List, rather than a combination of Named Locations and Conditional Access policies.

Prerequisites

  • A OneLogin account with Admin privileges.
  • The SaaS application(s) you want to protect already integrated with OneLogin.
  • A CSE Service Tunnel that users connect through.

Steps

Step 1: Register a Service Tunnel for the public domains

1.1 Register a Service Tunnel for Public Domains.

1.2 Configure the Service Tunnel to include the OneLogin authentication domains and the domains of the SaaS application(s) you are protecting, so that this traffic is routed through CSE. For the current OneLogin domains and IP addresses, see OneLogin Domains and IP Addresses.

Step 2: Identify the CSE Access Tier egress IP addresses

2.1 Determine the public egress IP address(es) of the Access Tier(s) that serve the Service Tunnel. These are the source IPs OneLogin sees for tunneled traffic, and the addresses you will allow in Step 3.

Step 3: Create a OneLogin App Policy with an IP Address Allow List

3.1 In the OneLogin Admin Portal, navigate to Security > Policies, and select New App Policy.

3.2 Enter a descriptive policy name (for example, CSE Service Tunnel Required), and select Save.

3.3 In the App Policy settings, locate the IP Address Allow List, and enter the CSE Access Tier egress IP address(es) from Step 2.

Note: Leaving the allow list blank permits access from any IP address. Optionally, enable Ignore X-Forwarded-For header IP addresses so that OneLogin evaluates the connecting source IP rather than a forwarded-header value.

Step 4: Assign the App Policy to the SaaS application

4.1 Navigate to Applications, and select the application you want to protect.

4.2 Open the Access tab.

4.3 Under Policy, select the App Policy you created in Step 3.

4.4 Select Save. The policy then applies to all users of that application.

Note: To allow exceptions for specific user groups, use role-based App Policies so that different roles can have different IP requirements for the same application.

Expected behaviour

If the user does NOT have the Service Tunnel connection established, OneLogin sees a non-allowed source IP and blocks access to the application. Once the user establishes the Service Tunnel, the request originates from an allowed Access Tier IP and authentication succeeds.
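The decision described above (blank list allows any IP; otherwise the source IP must match an allow-list entry; the Ignore X-Forwarded-For setting selects which address is evaluated) can be modelled so you can sanity-check an allow list before assigning the policy. The following is an added example and is not OneLogin's or CSE's code; all IP addresses and user names in it are constructed placeholders, not real Access Tier egress addresses, and the class and function names are assumptions made for this illustration.

```python
"""Model of a OneLogin App Policy IP Address Allow List decision.

Added example, not OneLogin or CSE code. It reproduces the documented
behaviour so the allow list from Step 3 can be checked against sample
login attempts before the policy is assigned in Step 4.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed placeholder egress addresses standing in for the Step 2 output
# (one single address and one small range serving two Access Tiers).
ACCESS_TIER_EGRESS = ["203.0.113.10", "198.51.100.0/29"]


def validate_allow_list(entries: list[str]) -> list[str]:
    """Return the entries that are not a valid IP address or CIDR range.

    Catching a typo here is cheaper than discovering it as a lockout after
    the policy is saved and assigned.
    """
    bad = []
    for e in entries:
        try:
            ipaddress.ip_network(e, strict=False)
        except ValueError:
            bad.append(e)
    return bad


@dataclass
class AppPolicy:
    name: str
    # Entries may be single addresses or CIDR ranges; a blank list allows any IP.
    allow_list: list[str] = field(default_factory=list)
    # Mirrors "Ignore X-Forwarded-For header IP addresses" in the portal.
    ignore_x_forwarded_for: bool = True

    def evaluated_ip(self, connecting_ip: str, x_forwarded_for: Optional[str]) -> str:
        """Select the address the allow list is compared against.

        With ignore_x_forwarded_for=True the connecting (TCP peer) address is
        used. Otherwise the first hop in X-Forwarded-For is used, which is only
        meaningful when a proxy you control sets that header.
        """
        if self.ignore_x_forwarded_for or not x_forwarded_for:
            return connecting_ip
        return x_forwarded_for.split(",")[0].strip()

    def allows(self, connecting_ip: str, x_forwarded_for: Optional[str] = None) -> bool:
        if not self.allow_list:  # documented behaviour: blank list permits any IP
            return True
        ip = ipaddress.ip_address(self.evaluated_ip(connecting_ip, x_forwarded_for))
        return any(ip in ipaddress.ip_network(e, strict=False) for e in self.allow_list)


@dataclass
class AuthAttempt:
    """One constructed login request as OneLogin would observe it."""
    user: str
    connecting_ip: str
    x_forwarded_for: Optional[str] = None


def evaluate(policy: AppPolicy, attempts: list[AuthAttempt]) -> dict[str, str]:
    """Return {user: 'allowed' | 'blocked'} for each attempt under the policy."""
    return {
        a.user: "allowed" if policy.allows(a.connecting_ip, a.x_forwarded_for) else "blocked"
        for a in attempts
    }


# The policy from Step 3, with the Step 2 addresses in its allow list.
POLICY = AppPolicy("CSE Service Tunnel Required", ACCESS_TIER_EGRESS)

# Constructed attempts: tunnel established (allowed egress), no tunnel (home
# IP), and a request arriving with a forwarded header that names an allowed
# address while the connecting IP does not.
SAMPLE_ATTEMPTS = [
    AuthAttempt("tunnel-user", "203.0.113.10"),
    AuthAttempt("no-tunnel-user", "192.0.2.55"),
    AuthAttempt("forwarded-header-user", "192.0.2.77", x_forwarded_for="203.0.113.10"),
]

if __name__ == "__main__":
    print("invalid entries:", validate_allow_list(ACCESS_TIER_EGRESS))
    for user, verdict in evaluate(POLICY, SAMPLE_ATTEMPTS).items():
        print(f"{user}: {verdict}")
```

Running it reports every sample as the Expected behaviour section describes: the tunneled request is allowed, the untunneled one is blocked, and the forwarded-header request is blocked because the policy evaluates the connecting address. Flipping `ignore_x_forwarded_for` to `False` makes that last verdict depend on the header value instead, which is the reason the note in Step 3 recommends the setting when requests reach OneLogin directly.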
