A major contributor to this article appears to have a close connection with its subject. (September 2017) (Learn how and when to remove this template message)
This article relies too much on references to primary sources. (September 2017) (Learn how and when to remove this template message)
|Founders||Thomas Pedersen, Christian Pedersen|
|Headquarters||San Francisco, CA|
OneLogin, Inc. is a cloud-based identity and access management (IAM) provider focused on selling to businesses and other organizations. The company's goals are to use IAM to secure user access to applications and devices, reduce IT time on user onboarding and offboarding, and increase end user productivity through single sign-on (SSO).
OneLogin's Open Source SAML Toolkits are now used by over 300 app vendors and over 70 SaaS vendors to make their apps more secure. OneLogin integrates with multiple cloud applications, most recently Namely, Workplace by Facebook and RemedyForce.
OneLogin was founded in 2009 in San Francisco by Thomas and Christian Pedersen. The brothers were involved with the on-demand help desk application, Zendesk, before launching OneLogin. Through their interactions with Zendesk customers, the founders realized that companies were encountering security and productivity challenges moving into the cloud. This is where the idea came to build an identity and access management solution that was secure and easy to use. OneLogin officially launched in 2010. In August 2017, OneLogin appointed Brad Brooks as chief executive officer.
OneLogin’s product line-up includes the following:
- Single Sign-On
- Cloud Directory
- User Provisioning
- Multi-factor Authentication (MFA)
- Adaptive Authentication
- Mobile Identity Management
- Virtual LDAP
- Cloud RADIUS
- Desktop Authentication
- Web Access Management (WAM)
OneLogin customers use the company’s service to manage millions of user identities in dozens of countries. The company serves customers from a range of industries including technology, education, retail, financial services, manufacturing, media, health and life sciences, and services. Some representative customers of OneLogin include Steelcase, Pinterest, Dell Services, San Jose Unified School District, Practice Fusion, Acuris, Fairfax Media, Sonnen, Kreditech, Berklee College of Music, and Berwin Leighton Paisner.
Integrations and Partnerships
The OneLogin API provides endpoints for SAML, OpenID Connect, SCIM, and OAuth. There are also SAML Toolkits for Java, Python, Ruby, and PHP, made available on the company's public GitHub repositories. These toolkits are actively developed by dozens of contributors. These SAML toolkits have been downloaded more than three million times.
OneLogin provides single sign-on for cloud applications including Microsoft Office 365, Google G Suite, Salesforce.com, Amazon Web Services, ServiceNow, and Workplace by Facebook. Users may sign in to its single sign-on service using their credentials from Google, Facebook, LinkedIn, and Twitter. The company's offerings also integrate with the following directories: Active Directory, ADFS, LDAP, Google G Suite Directory, Workday, Ultimate Software UltiPro, and Namely. OneLogin sends data to Security Information and Event Management (SIEM) systems, including Splunk, Sumo Logic, and ELK/Elastic.
OneLogin Protect, a mobile application for multi-factor authentication, runs on iOS and Android devices. OneLogin integrates with third-party MFA providers Duo Security, Google Authenticator, RSA SecurID, Symantec VIP Access, Yubico Yubikey, Gemalto SafeNet, Swivel Pinsafe, VASCO DIGIPASS and IDENTIKEY, and FireID Security. OneLogin Desktop Authentication runs on Windows and Mac computers.
OneLogin SSO Browser Extensions run on Google Chrome, Microsoft Edge and Internet Explorer, Safari, and Firefox. OneLogin integrates with RADIUS to authenticate into network appliances including WiFi access points and VPN servers, including those from Cisco Meraki and Juniper. OneLogin Web Access Management integrates with Apache, Microsoft IIS, and Tomcat. OneLogin integrates with cloud access security brokers (CASBs) Cisco Cloudlock, Skyhigh, and Bitglass.
- $4.7M Series A in June 2010
- $13M Series B in October 2013
- $25M Series C in December 2014
- $10M Series C May 2017
- $22.5M Series C in June 2018
In December 2015, OneLogin acquired San Diego-based Cafésoft, a provider of on-premise Web Access Management (WAM) software. The technology enables OneLogin to extend Single Sign-on to applications running on-premises.
In June 2016, OneLogin acquired Santa Clara, California-based Portadi, a cloud-based password management tool. The technology enables OneLogin to automatically populate customer’s OneLogin single sign-on portals with applications as employees manually sign into them.
In November 2016, OneLogin acquired London-based Sphere Secure Workspace, a software vendor with container technology that runs on mobile devices.
In June 2017, OneLogin acquired Auckland, New Zealand-based ThisData, a developer-focused cloud security company specializing in account takeover detection. The technology has been used to enable OneLogin’s adaptive authentication solution, which uses machine learning to intelligently score the risk of each login attempt, and challenges users making high-risk logins to use an additional authentication factor.
Awards and Recognition
In December 2015, OneLogin was named a "Best Place to Work" by Glassdoor.
In January 2016, OneLogin was ranked 28th on Deloitte’s Technology Fast 500, a ranking of the 500 fastest growing technology, media, telecommunications, life sciences and energy tech companies in North America.
In March 2016, OneLogin was named to the "Fast 50" privately held Internet security, networking, and storage companies by JMP Securities LLC.
OneLogin has been named a "Top Workplace" by the Bay Area News Group and the Great Place to Work series.
In July 2017, Gartner Peer Insights ranked OneLogin #1 among Access Management providers. The company has been mentioned in USA Today, TechCrunch, The Wall Street Journal, Forbes, Bloomberg, Marketwatch, The Atlantic, and Fortune.
OneLogin maintains the following certifications:
- SOC 2 Type 2
- SOC 1 Type 2
- ISO 27017:2015
- ISO 27018:2014
- ISO 20001:2013
- Skyhigh Enterprise-Ready
- CSA STAR
- TRUSTe Certified Privacy
- U.S. Privacy Shield
- EU Model Contract Clauses
OneLogin has published the scope of its compliance with:
OneLogin reports on the current and historic availability of its service at onelogin.com/trust, with backup availability status pages at onelogin.status.io and onelogineu.status.io. OneLogin runs in multiple Amazon Web Services (AWS) datacenters in the US, as well as in AWS Dublin and AWS Frankfurt.
OneLogin remained available and performant during the October 2016 attack on Dyn, a major provider of DNS services, which brought down many websites, including Spotify, Twitter, Reddit, and The New York Times, in part by using redundant DNS providers.
OneLogin regularly performs penetration tests and network scans, anti-phishing programs, and runs a bug bounty program and vulnerability disclosure program.
OneLogin Security Breach, August 2016
In August 2016, OneLogin reported that "an unauthorised user gained access to one of our standalone systems, which we use for log storage and analytics.". The single user accessed the service for a month or more, and may have been able to see Secure Notes unencrypted. To remediate, OneLogin fixed the cleartext logging bug, locked down access to the log management system, and reset passwords.
OneLogin Security Breach, May 2017
On May 31, 2017, OneLogin detected and stopped unauthorized access in their US data region. According to a OneLogin blog post on the breach, "a threat actor used one of our AWS keys to gain access to our AWS platform via an API from an intermediate host with another, smaller service provider in the US."
OneLogin staff detected the intrusion in seven hours. This seven hour Time to Detection (TTD) was faster than Cisco’s estimated industry average of 100–200 days to detect a breach and FireEye’s 146 days to detect a breach, and slightly faster than Cisco’s best median TTD of nine hours to discover security issues.
OneLogin staff shut down the affected instances as well as the compromised AWS keys within several minutes to stop the intrusion and confirmed there were no other active threats. This was significantly faster than the industry average of 100–120 days to remediate existing vulnerabilities.
The company has since improved its monitoring of AWS API endpoint signals, strengthened AWS key management, enhanced infrastructure and application encryption, expanded threat hunting activities and created additional in-app risk mitigation tools.
- "(Press Release) OneLogin Pioneers First-Ever HR-driven Identity Integration with Namely - OneLogin". OneLogin. Retrieved 2017-09-26.
- "(Press Release) OneLogin Announces Integration Partnership with Workplace by Facebook - OneLogin". OneLogin. Retrieved 2017-09-26.
- "(Press Release) How to take the Pain out of IT Service Management". OneLogin. Retrieved 2017-09-26.
- Kepes, Ben. "From Copenhagen To The Valley - OneLogin's Journey". Forbes. Retrieved 3 August 2017.
- "(Press Release) OneLogin Appoints Brad Brooks as Chief Executive Officer". GlobeNewsWire. Retrieved 11 August 2017.
- "(Press Release) OneLogin Customers". Customer Stories. Retrieved 3 August 2017.
- "ruby-saml". RubyGems.org. Retrieved 10 August 2017.
- "(Press Release) App Catalog". OneLogin App Catalog. OneLogin. Retrieved 11 August 2017.
- "(Press Release) Social Sign-In". Social Sign-In. OneLogin. Retrieved 11 August 2017.
- "(Press Release) Adding Multi-Factor Authentication". Adding Multi-Factor Authentication. OneLogin. Retrieved 11 August 2017.
- "(Press Release) OneLogin Browser Extensions". OneLogin Browser Extensions. OneLogin. Retrieved 11 August 2017.
- "OneLogin ISV Partners". OneLogin ISV Partners. OneLogin. Retrieved 11 August 2017.
- "(Press Release) OneLogin Signs Contract with Deutsche Telekom's T-Systems". OneLogin Signs Contract with Deutsche Telekom’s T-Systems. OneLogin. Retrieved 11 August 2017.
- "OneLogin, Inc". CrunchBase. CrunchBase. Retrieved 11 August 2017.
- "(Press Release) OneLogin Acquires Cafesoft". OneLogin. Retrieved 11 August 2017.
- "(Press Release) OneLogin Acquires Portandi". OneLogin. OneLogin. Retrieved 11 August 2017.
- "(Press Release) OneLogin acquires Sphere". OneLogin. OneLogin. Retrieved 11 August 2017.
- "Why ThisData has Joined with OneLogin". OneLogin. OneLogin. Retrieved 11 August 2017.
- "(Press Release) OneLogin Receives Highest Score Among All Vendors in Current Offering Category". Onelogin. Forrester. Retrieved 11 August 2017.
- "(Press Release) Onelogin Awarded by Glassdoor: "Best Places to Work 2016"". OneLogin. OneLogin. Retrieved 11 August 2017.
- "(Press Release) OneLogin Ranked as The 28th Fastest Growing Company in North America on Deloitte's 2015 Technology Fast 500". OneLogin. OneLogin. Retrieved 11 August 2017.
- "(Press Release) OneLogin Named to JMP Securities Fast 50 List of Hottest Privately Held Companies". OneLogin. OneLogin. Retrieved 11 August 2017.
- "Bay Area News Group Top Workplaces 2016". issuu. issuu. Retrieved 11 August 2017.
- "(Press Release) Compliance". Compliance. OneLogin. Retrieved 11 August 2017.
- "(Press Release) Availability Status". OneLogin. OneLogin. Retrieved 11 August 2017.
- "(Press Release) How OneLogin maintained 100% uptime during the Dyn DDoS attack". OneLogin. OneLogin. Retrieved 11 August 2017.
- "(Press Release) OneLogin Compliance Initiatives". OneLogin. OneLogin. Retrieved 11 August 2017.
- "(Press Release) August 2016 Incident". OneLogin. OneLogin. Retrieved 11 August 2017.
- "(Press Release) May 31, 2017 Security Incident". OneLogin. OneLogin. Retrieved 11 August 2017.
- "How the Rise in Non-Targeted Attacks Has Widened the Remediation Gap" (PDF). Kenna. Kenna Security. Retrieved 11 August 2017.
- Gerritz, Chris. "Breach Detection by the Numbers: Days, Weeks or Years?". Infocyte. Infocyte. Retrieved 11 August 2017.