Single Sign-On with OneLogin
This guide explains how to enable single sign-on (SSO) for applications being proxied by F5 NGINX Plus. The solution uses OpenID Connect as the authentication mechanism, with OneLogin as the Identity Provider (IdP) and NGINX Plus as the Relying Party (RP), or OIDC client application that verifies user identity.
This guide applies to NGINX Plus Release 34 and later. In earlier versions, NGINX Plus relied on an njs-based solution, which required NGINX JavaScript files, key-value stores, and advanced OpenID Connect logic. In the latest NGINX Plus version, the new OpenID Connect module simplifies this process to just a few directives.
Prerequisites
-
An OneLogin account with administrator privileges.
-
An NGINX Plus subscription and NGINX Plus Release 34 or later. For installation instructions, see Installing NGINX Plus.
-
A domain name pointing to your NGINX Plus instance, for example,
demo.example.com.
Configure OneLogin
Create a OneLogin OIDC Application
-
Log in to your OneLogin admin console, for example,
https://<subdomain>.onelogin.com. -
In the navigation bar, select Applications.
-
Click the Add App button.
-
On the Find Applications page, search for OpenID Connect (OIDC) and then select it.
-
Enter a Display Name, for example,
NGINX Demo App. -
Select Save.
-
-
In the app navigation, select Configuration.
-
In Redirect URIs, add the callback URI for your NGINX Plus instance, for example,
https://demo.example.com/oidc_callback. -
Select Save.
-
-
In the app navigation, select SSO.
-
Copy the Client ID. You will need it later when configuring NGINX Plus.
-
Select Show client secret and copy the Client Secret. You will need it later when configuring NGINX Plus.
-
Copy the Issuer URL, or OpenID Connect Discovery URL. You will need it later when configuring NGINX Plus. For OneLogin, the Issuer ID generally structured as:
https://<subdomain>.onelogin.com/oidc/2See Provider Configuration for details.
-
You will need the values of Client ID, Client Secret, and Issuer in the next steps.
Assign Users and Groups
-
In the app navigation, select Users > Roles.
-
Add users and groups who should have access to this application.
Set up NGINX Plus
With Onelogin configured, you can enable OIDC on NGINX Plus. NGINX Plus serves as the Rely Party (RP) application — a client service that verifies user identity.
-
Ensure that you are using the latest version of NGINX Plus by running the
nginx -vcommand in a terminal:nginx -vThe output should match NGINX Plus Release 34 or later:
nginx version: nginx/1.27.4 (nginx-plus-r34) -
Ensure that you have the values of the Client ID, Client Secret, and Issuer obtained during Onelogin Configuration.
-
In your preferred text editor, open the NGINX configuration file (
/etc/nginx/nginx.conffor Linux or/usr/local/etc/nginx/nginx.conffor FreeBSD). -
In the
http {}context, make sure your public DNS resolver is specified with theresolverdirective: By default, NGINX Plus re‑resolves DNS records at the frequency specified by time‑to‑live (TTL) in the record, but you can override the TTL value with thevalidparameter:http { resolver 10.0.0.1 ipv4=on valid=300s; # ... } -
In the
http {}context, define the OneLogin provider namedoneloginby specifying theoidc_provider {}context:http { resolver 10.0.0.1 ipv4=on valid=300s; oidc_provider onelogin { # ... } # ... } -
In the
oidc_provider {}context, specify:-
your actual OneLogin Client ID obtained in OneLogin Configuration with the
client_iddirective -
your Client Secret obtained in OneLogin Configuration with the
client_secretdirective -
the Issuer URL obtained in OneLogin Configuration with the
issuerdirectiveThe
issueris typically your OneLogin OIDC URL:https://<subdomain>.onelogin.com/oidc/2. -
Important: All interaction with the IdP is secured exclusively over SSL/TLS, so NGINX must trust the certificate presented by the IdP. By default, this trust is validated against your system’s CA bundle (the default CA store for your Linux or FreeBSD distribution). If the IdP’s certificate is not included in the system CA bundle, you can explicitly specify a trusted certificate or chain with the
ssl_trusted_certificatedirective so that NGINX can validate and trust the IdP’s certificate.
http { resolver 10.0.0.1 ipv4=on valid=300s; oidc_provider onelogin { issuer https://<subdomain>.onelogin.com/oidc/2; client_id <client_id>; client_secret <client_secret>; } # ... } -
-
Make sure you have configured a server that corresponds to
demo.example.com, and there is a location that points to your application (see Step 10) athttp://127.0.0.1:8080that is going to be OIDC-protected:http { # ... server { listen 443 ssl; server_name demo.example.com; ssl_certificate /etc/ssl/certs/fullchain.pem; ssl_certificate_key /etc/ssl/private/key.pem; location / { # ... proxy_pass http://127.0.0.1:8080; } } # ... } -
Protect this location with OneLogin OIDC by specifying the
auth_oidcdirective that will point to theoneloginconfiguration specified in theoidc_provider {}context in Step 5:# ... location / { auth_oidc onelogin; # ... proxy_pass http://127.0.0.1:8080; } # ... -
Pass the OIDC claims as headers to the application (Step 10) with the
proxy_set_headerdirective. These claims are extracted from the ID token returned by OneLogin:-
$oidc_claim_sub- a uniqueSubjectidentifier assigned for each user by OneLogin -
$oidc_claim_emailthe e-mail address of the user -
$oidc_claim_name- the full name of the user -
any other OIDC claim using the
$oidc_claim_variable
# ... location / { auth_oidc onelogin; proxy_set_header sub $oidc_claim_sub; proxy_set_header email $oidc_claim_email; proxy_set_header name $oidc_claim_name; proxy_pass http://127.0.0.1:8080; } # ... -
-
Create a simple test application referenced by the
proxy_passdirective which returns the authenticated user’s full name and email upon successful authentication:# ... server { listen 8080; location / { return 200 "Hello, $http_name!\nEmail: $http_email\nSub: $http_sub\n"; default_type text/plain; } } -
Save the NGINX configuration file and reload the configuration:
nginx -s reload
Complete Example
This configuration example summarizes the steps outlined above. It includes only essential settings such as specifying the DNS resolver, defining the OIDC provider, configuring SSL, and proxying requests to an internal server.
http {
# Use a public DNS resolver for Issuer discovery, etc.
resolver 10.0.0.1 ipv4=on valid=300s;
oidc_provider onelogin {
# The 'issuer' is typically your OneLogin OIDC base URL
# e.g. https://<subdomain>.onelogin.com/oidc/2
issuer https://<subdomain>.onelogin.com/oidc/2;
# Replace with your actual OneLogin Client ID and Secret
client_id <client_id>;
client_secret <client_secret>;
}
server {
listen 443 ssl;
server_name demo.example.com;
ssl_certificate /etc/ssl/certs/fullchain.pem;
ssl_certificate_key /etc/ssl/private/key.pem;
location / {
# Protect this path with OneLogin OIDC
auth_oidc onelogin;
# Forward OIDC claims to the upstream as headers if desired
proxy_set_header sub $oidc_claim_sub;
proxy_set_header email $oidc_claim_email;
proxy_set_header name $oidc_claim_name;
proxy_pass http://127.0.0.1:8080;
}
}
server {
listen 8080;
location / {
return 200 "Hello, $http_name!\nYour email is $http_email\nSub: $http_sub\n";
default_type text/plain;
}
}
}Testing
-
Open
https://demo.example.com/in a browser. You will be automatically redirected to the OneLogin sign-in page. -
Enter valid OneLogin credentials of a user who has access the application. Upon successful sign-in, OneLogin redirects you back to NGINX Plus, and you will see the proxied application content (for example, “Hello, Jane Doe!”).
If you restricted access to a group of users, be sure to select a user who has access to the application.
Legacy njs-based OneLogin Solution
If you are running NGINX Plus R33 and earlier or if you still need the njs-based solution, refer to the Legacy njs-based OneLogin Guide for details. The solution uses the nginx-openid-connect GitHub repository and NGINX JavaScript files.
See Also
Revision History
- Version 1 (March 2025) – Initial version (NGINX Plus Release 34)