Cerbos authorization for OneLogin
OneLogin provides enterprise SSO, directory integration, and OIDC/SAML-based authentication. Cerbos uses OneLogin's user roles, group memberships, and custom attributes from OIDC tokens to evaluate fine-grained authorization policies at the application layer.
SSO claims as policy inputs
Use OneLogin roles, groups, and custom attributes from OIDC tokens as principal attributes in Cerbos authorization policies
Directory-backed authorization
OneLogin syncs with Active Directory and LDAP, giving Cerbos policies access to directory-sourced group and role data
Enterprise SSO integration
Users authenticate once through OneLogin SSO while Cerbos handles fine-grained resource-level authorization within each application
How Cerbos works with OneLogin
OneLogin handles authentication, confirming who a user is. Cerbos handles authorization, deciding what that user can do. Together they give you a complete access control stack without coupling identity logic to business rules.
Cerbos lets you write fine-grained, context-aware authorization policies in human-readable YAML. Policies are decoupled from application code so product and security teams can update permissions without a release cycle.
Because Cerbos runs as a stateless Policy Decision Point (PDP) next to your application, authorization checks are sub-millisecond and scale horizontally with your infrastructure.
How Cerbos works with OneLogin
- Users authenticate via OneLogin, OneLogin handles single sign-on through its portal, supporting MFA, adaptive authentication, and directory integration. User roles and group memberships are included in the OIDC token claims.
- Validate the OneLogin-issued token, Your application validates the OIDC token and extracts the user's roles, groups, and any custom attributes configured in OneLogin's user mappings.
- Send identity and resource context to Cerbos, Pass the OneLogin user attributes, roles, and group memberships as principal attributes alongside the target resource and desired action to the Cerbos PDP.
- Cerbos evaluates policies and returns a decision, Cerbos evaluates your YAML policies against the OneLogin identity data and resource attributes, returning allow or deny. Your application enforces the result.
FAQ
How does Cerbos work with OneLogin?
OneLogin authenticates users via SSO and issues OIDC tokens containing roles, groups, and custom user attributes. Your application validates the token, extracts these claims, and passes them to Cerbos as principal attributes. Cerbos evaluates them against your policies alongside resource attributes to make authorization decisions.
Can I use OneLogin roles and groups in Cerbos policies?
Yes. OneLogin assigns roles to users and maps them to application-specific groups. These appear as claims in the OIDC token. Pass them to Cerbos as principal attributes, and your policies can use role and group membership for access control decisions.
Does Cerbos replace OneLogin's application access policies?
No. OneLogin controls which users can access which applications through its SSO policies. Cerbos adds resource-level authorization within those applications. OneLogin determines whether a user can reach your app. Cerbos determines what they can do once they are there.
Learn more about Cerbos
Related integrations
View all integrations →
Cerbos + OneLogin
- Cerbos extends OneLogin roles with fine-grained, attribute-based permissions
- Policies defined in human-readable YAML, managed as code
- Authorization logic decoupled from application code
- Sub-millisecond policy evaluation via stateless PDP
Authorization for AI systems
By industry
By business requirement
Useful links
What is Cerbos?
Cerbos is an end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.
Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege & maintain full visibility into access decisions with Cerbos authorization.