OneLogin

OneLogin's intuitive feel and mappings are a clean, easy way to manage identities.

3.5 Good

Bottom Line

OneLogin gets every feature right—except for adaptive MFA, which is one of the key reasons to utilize a modern IDM. Even so, it's a solid option if your business can tolerate MFA based on more static policies.
  • Pros

    • Mappings enable automation with minimal effort or tech knowledge required
    • Connectors for school information systems enable easy management of student accounts
  • Cons

    • Policy architecture leaves functionality gaps
    • MDM integration is possible, but support trails the competition

OneLogin Specs

Authentication to On-Premises Apps
Directory Connector
Multiple Directory Integration
Multiple SSO Policies
Report Library
SaaS Provisioning
Third-Party Multifactor Providers
User Self-Service
User-Customizable SSO Portal

OneLogin's identity management (IDM) platform is among the most mature in the segment, with a comprehensive feature set that spans each of the key areas your business should address. With a focus on small to midsized business (SMB) customers, OneLogin is intuitive enough for admins who don't have technical experience managing identities in the cloud. Better still, it doesn't cut corners on security.

With only a few exceptions, we found OneLogin easy to navigate and configure. The fact that it comes with competitive pricing helps, too. However, a few capability gaps make OneLogin a tough sell for businesses needing maximum flexibility when securing authentication attempts. This is what keeps it from sharing our Editors' Choice honors with Okta and VMware Workspace One Access.

Integrations and Setup

A couple of IDMs make it a point to integrate with cloud HR systems such as Workday, BambooHR, or UltiPro to streamline or even automate employee onboarding. Okta does this exceptionally well, but OneLogin takes it a step further by integrating with Student Information System (SIS) platforms like PowerSchool to facilitate identity management for complex scenarios involving students, faculty, and staff. OneLogin can leverage these integrations to create new identities and provide access to applications or make changes to existing users and their application access when their roles change within your organization.

OneLogin directory options

OneLogin makes getting set up to pull users and groups from your existing Active Directory environment super simple. After downloading the connector and pasting in the authentication code, the platform initiates a connection and lets you select which users you wish to import. The directory connection is not quite as sophisticated as other solutions'—you can't limit the users synchronized to a specific security group or LDAP filter—but for customers that don't need that level of control this is a nonissue. You do have the ability to simply stage synchronized users (via an extra management step) rather than creating them as full OneLogin users.

OneLogin identity mappings

One feature OneLogin retains that other IDM suites have moved away from is mappings, which use rule-based conditions to manage identities—for example, setting an attribute value based on a user's group membership or setting a role for users in a specific department. This level of automation is incredibly flexible yet doesn't require intricate knowledge of LDAP or a scripting language. The tool can even validate a rule by comparing it against specific users.

Policies and Authentication

OneLogin takes a slightly different strategy than the competition when it comes to authentication policies, which, in our opinion, are the most critical aspect of an IDM. Rather than simply creating individual policies that enforce authentication requirements when certain conditions are met (such as specific users attempting to access a particular application), OneLogin keeps user and application policies separate. Moreover, application policies may be applied conditionally to applications based on user roles (which can be automatically assigned using mappings).

OneLogin user policies

At first, I thought the separation of user and app policies a helpful distinction, but as I dug further into OneLogin I found it creates some limitations. User policies contain things like password requirements, session expiration, and MFA (multifactor authentication) settings, as well as terms of use and system use notifications (both required for various enterprise use cases).

Policies specific to an application contain options such as an IP whitelist, forced authentication (rather than allowing a single sign-on experience), and required MFA. The limitations I mentioned involve situations where you may want to enforce MFA for a set of applications based on specific conditions such as risk score or device status. Due to how OneLogin applies policies, there is no way to meet this business requirement.

Another critical element for enterprise users on which OneLogin could improve is mobile device management (MDM) or Unified Endpoint Management (UEM). To be clear, OneLogin supports leveraging services like VMware Workspace One UEM (formerly AirWatch), MobileIron, or Microsoft Intune to establish device trust. My complaint is that there is no obvious path within the OneLogin admin console to achieve this, and even the OneLogin knowledge base offers sparse guidance. Compared to the likes of Okta, Microsoft Azure AD, or VMware Workspace One Access, the process to enable device trust is like printing a MapQuest map in the era of GPS.

OneLogin multifactor authentication settings

MFA factors are plentiful in OneLogin, with options ranging from old-school (SMS, email, security questions, and even automated phone calls) to various authenticator apps, like Google Authenticator, Duo, YubiKey devices, and even RSA SecurID. OneLogin Protect offers an easy MFA solution: install the application on a mobile device and register it with the user's account.

Pricing and Plans

OneLogin offers both bundle and a-la-carte pricing. The Advanced bundle includes SSO, Advanced Directory, and MFA features for $4 monthly per user (rather than the $6 each of those offerings would run individually). The Professional bundle adds Lifecycle Management and HR integration for $8 monthly per user. Additional add-ons of note include SmartFactor authentication, which adds logic and AI to MFA for $5 monthly per user, and Access, which supports on-premises and homegrown apps for $4 monthly per user.

I like OneLogin's intuitive feel, and its mappings are a very clean way to manage identities. But IDM suites are all about how and when you require additional security, and OneLogin's policies just don't match the flexibility of Okta or VMware. That said, my only major complaint with OneLogin is how it handles conditional MFA, so if that's not a feature you need, the platform is certainly worth a look.

About Tim Ferrill