In this lab we will walk through how to deploy OneLogin with AWS Control Tower. We will be effectively deploying the landing zone v2.x using StackSets.


  1. This lab requires an AWS account with Administrator privileges and Control Tower.
  2. This lab assumes you already have a OneLogin account. If you don't, you can sign up for a free account to access the AWS console.

See how OneLogin integrates with AWS in the OneLogin documentation.


1. Add a new Amazon Web Services Application to OneLogin

1.1) Log in to OneLogin as an administrator and click Administration at the upper right of the console

1.2) Select Applications then Add Application

1.3) Search for AWS and select Amazon Web Services (AWS) Multi Account

1.4) Set a name for the App and choose Save

1.5) Go to the Configuration section. Click Generate Token and note down the generated value; you will need it in step 2.5 c). Choose Save

1.6) Note down the OneLogin IdP metadata link: choose More Actions, right-click SAML Metadata and select Copy Link Location. You will need it in step 2.5 b)

Keep this tab open; we will come back to it in section 3.

2. Deploy OneLogin within AWS Control Tower

Architecture Overview

2.1) Download the CloudFormation template aws-onelogin-integration.template

2.2) Go to the CloudFormation StackSet console in the Management account and click Create StackSet

2.3) Select Upload a template file, choose aws-onelogin-integration.template (it will be uploaded to S3) and click Next

2.4) Set a name for your StackSet, for example OneloginCTIntegration

2.5) Let’s configure the template parameters now.

a) Decide whether you need the roles for the Control Tower integration. They are created by default; if you do not want them, select false in the related field

b) Set the OneLogin Identity Provider Metadata URL you copied from your OneLogin AWS application configuration in Step 1.6

c) Set the OLExternalId, which is assigned to the role that OneLogin will assume to extract the role list. You generated that value in Step 1.5

Then click Next
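A check worth running once the StackSet has deployed: confirm that the trust policy of the role OneLogin assumes to read the role list (OLGetRoles by default) only allows sts:AssumeRole together with the external ID from step 2.5 c), so a third party who learns the role ARN cannot assume it. This is an added example, not part of the lab or the template; the trust policy and principal account ID are constructed placeholders shaped like the AssumeRolePolicyDocument returned by `aws iam get-role`.

```python
import json

# Constructed trust policy (placeholder principal, NOT OneLogin's real account id)
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::000000000000:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "TOKEN-FROM-STEP-1-5"}},
    }],
}


def external_id_findings(policy: dict, expected_external_id: str) -> list:
    """Return problems found in a role trust policy; an empty list means every
    Allow/AssumeRole statement is pinned to the expected sts:ExternalId."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # single-statement shorthand
        statements = [statements]
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = st.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"statement {i}: wildcard principal")
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append(f"statement {i}: no sts:ExternalId condition (confused-deputy risk)")
        elif ext != expected_external_id:
            findings.append(f"statement {i}: sts:ExternalId differs from the token generated in step 1.5")
    return findings


if __name__ == "__main__":
    # Replace the sample with: json.load(...)["Role"]["AssumeRolePolicyDocument"]
    problems = external_id_findings(SAMPLE_TRUST_POLICY, "TOKEN-FROM-STEP-1-5")
    print("OK" if not problems else json.dumps(problems, indent=2))
```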

2.6) On the Configure StackSet options page, under Permissions, choose Self-service permissions. For IAM admin role ARN, select AWSControlTowerStackSetRole from the IAM role name list; for IAM execution role name, type AWSControlTowerExecution. Then click Next

2.7) Specify the accounts and Region to deploy into, using one of:
- Accounts
- Organizational Units (OUs)
- or a CSV list of valid account IDs

These are the accounts whose users you want to federate through OneLogin. Then click Next

2.8) Review, acknowledge the IAM capabilities checkbox, and click Submit

2.9) Wait for all of the instances to be created successfully.

3. Complete Your AWS Multi-Account Configuration in OneLogin

3.1) Configure OneLogin application
  1. Go back to the OneLogin dashboard (the tab you left open in Section 1) and set External Role Name to the name of the role you used in the template in Step 2.1 (default OLGetRoles).
  2. Also add the List of SAML Identity Providers created by the StackSet.
    • Its format is arn:aws:iam::[account_id]:saml-provider/[idp_name]
    • where [account_id] is the AWS account you selected for Identity management on Step 2.7 and
    • [idp_name] is the name you used on the template on Step 2.1 (default is OLIDP).

    TIP: You can look up your IdP ARN in your AWS account under IAM Console, Identity providers.

  3. Click Save
  4. Go back to the Configuration tab and choose Enable under API Connection.

3.2) Refresh the entitlements in the OneLogin application
  1. Choose Provisioning in the left sidebar
  2. Select Enable provisioning
  3. Under Entitlements, click Refresh.
  4. When you refresh entitlements, OneLogin uses the AWS API to get your AWS accounts and roles that have been enabled for OneLogin SSO.

  5. Click on Save

3.3) [Optional] Map OneLogin roles to the AWS Multi Account app and add an app security policy if needed.

  1. Go to the Access tab to assign the OneLogin roles that should have access to the AWS Multi Account app and provide any app security policy that you want to apply

  2. For example you can attach a policy to the app to require multi-factor authentication.
  3. You can also go to Users, All Users to add the app to individual user accounts.

3.4) Create Rules in OneLogin to assign users to AWS account/role(s).

  1. Go to the Rules tab and choose Add Rule
  2. Type in the Name
  3. Click Save.

3.5) Reapply the provisioning mappings
  1. Expand the More Actions button at the top right and select Reapply provisioning mappings from the drop-down menu.
  2. Important! You must reapply mappings any time you create or update rules. In order for a user’s AWS accounts and roles to be included in the SAML assertion when they use OneLogin SSO to log into AWS, they must first have been subject to a provisioning event, like reapplying a provisioning mapping.

  3. Repeat for each group of OneLogin users that requires access to a particular set of AWS account | role pairs.
  4. Note: You can also assign individual OneLogin users to AWS account | role pairs by selecting the account | role pairs directly on the user’s login record for the app, as long as you’ve already given the user access to your AWS Multi Account app in OneLogin. Go to the Users tab in the AWS Multi Account app edit page, select the user from the User list, select the roles you want to assign from the Available values list, click the right arrow to add them to the Selected values list, and click Save.

3.6) Log in to AWS accounts using OneLogin SSO

Now, when your users log in to AWS using OneLogin SSO, they will be presented with an AWS page that lets them choose from among the accounts and roles you have given them access to.