The End User Experience

How users log in and what happens when they switch applications or end a session depend on the authentication mode configured.

About Login

If you use one provider (native authentication or an external IdP), you are taken to the configured method to log in. Users with external IdPs enter their IdP username (specified in System Security as the External Provider User Name), then go to their IdP Login page on a new browser tab where they enter their username and password. For example, if you use an Okta identity provider, clicking Logon launches the Okta Login page. Users with native accounts enter their native account password and log in. See Login for One External IdP and Login for OneStream IdentityServer Native Authentication.

If you use multiple IdPs, including native authentication with an external IdP, the Login dialog box (often called "Home Realm Discovery") displays. OneStream IdentityServer evaluates your user account authentication settings to identify your authentication mode, which determines the rest of your login with the appropriate IdP. See Login for Multiple Authentication Methods.

SAML 2.0 users must re-enter their username, prefixed with their domain name if they use Active Directory Federation Services (ADFS). See Login for SAML 2.0 and ADFS.

TIP: As a best practice, after you have configured an external IdP and are no longer using OneStream IdentityServer native accounts, you should submit a Support ticket to disable native authentication. See Native Authentication.

Initial Login for Native Authentication

  1. Navigate to the OneStream instance ClickOnce URL or launch OneStream from a previously created desktop shortcut.

  2. If prompted, click Run to install the Windows Application.

  3. On the Login dialog box, enter your username and click the NEXT button.

  4. Enter your password and click the LOG IN button.

  5. Change your password by entering your current and new passwords and clicking the CONFIRM button.

  6. On the Login dialog box, enter your username and new password and click the LOG IN button.

  7. In the OneStream application window, click the Logon button.

  8. Select an application from the drop-down menu and click the Open Application button.

    TIP: To save a shortcut to the application, click the Create Windows Shortcut icon, enter a name, and click the OK button.

Login Flows

Login for One External IdP

  1. In Server Address on the Logon screen, specify the URL or a client connection and click the Connect button.

    The Logon screen has a blue Authentication heading at the top with a server address below in a rectangular field. There are five buttons on the page, which are each a blue oval with black text. There is also an Application drop-down menu that is a rectangle with a black down arrow.

  2. Click the Logon button. If you already logged on and have an active login token, go to step 5 to open an application. Otherwise, you are taken to your IdP login page on a new browser tab. For example:
    The Sign In dialog box has the Okta logo at the top and two rectangular fields for username and password and a blue rectangular Sign in button.

  3. Enter your external username and password and click Continue.

  4. ADFS: Enter your external username in this format: <domain>\<username> and click the Sign in button.

  5. On the OneStream Logon screen, open an application.

Login for Multiple Authentication Methods

Perform these steps if you use different IdPs or one IdP with native authentication.

  1. In Server Address on the Logon screen, specify the URL or a client connection and click the Connect button.

    The Logon screen has a blue Authentication heading at the top with a server address below in a rectangular field. There are five buttons on the page, which are each a blue oval with black text. There is also an Application drop-down menu that is a rectangle with a black down arrow.

  2. Click Logon. The Login dialog box displays on a new browser tab. If the environment is configured for native authentication, you can log in with a native account.

    The Login dialog box has a blue banner at the top with the OneStream logo and a field for the username. There are two rectangular buttons for next and cancel. The next button has a blue background, and the cancel button has a white background.

  3. Enter your username and click the NEXT button. Your username is evaluated to determine your authentication mode.

  4. Follow the flow for the authentication mode:

  • OneStream IdentityServer Native Authentication: Enter your native account password and click the LOG IN button.

    The Login dialog box has a blue banner at the top with the OneStream logo and fields for the username and password. There are two rectangular buttons for log in and cancel. The log in button has a blue background, and the cancel button has a white background. There are links that can be selected to change a password or reset a forgotten password.

    NOTE: Click Change Password on the Login screen to change your password. Your username and current password are required to change your password.

    NOTE: Click Forgot Password on the Login screen to reset your password. Your username and email address are required to reset your password. If you forgot your username, contact your administrator. This feature is only available for native authentication in OneStream IdentityServer.

  • External IdP:

    • Enter your IdP username and click the Next button.

    • On the IdP login page that displays on a new tab, enter your password and click Login or Sign In. For example:
      The Sign In dialog box has the Okta logo at the top and two rectangular fields for username and password and a blue rectangular Sign in button.

  5. On the OneStream Logon screen, open an application.

Login for the Excel Add-In

The same login logic applies in Excel that is used in the Windows Application.

  1. Click Logon.

  2. Specify a URL or client connection and connect.

  3. Perform the task for your authentication flow:

    • If one IdP is configured and the token is active, you can open an application. Otherwise, log in using the IdP.

    • If multiple IdPs are configured, enter your username. If native authentication is enabled, enter your password. Otherwise, enter your IdP external username and password and sign in.

    • If you use native authentication, enter your native username and password.

Login for SAML 2.0 and ADFS

  1. In Server Address on the Logon screen, specify the URL or a client connection and click the Connect button.

  2. Click the Logon button. The Log In dialog box displays on a new browser tab.

  3. Enter your username in SAML 2.0 and click Next.

  4. On the IdP login page that displays on a new tab, enter your external username in SAML 2.0.

  5. For ADFS: Enter your external username prefixed with your domain in this format: <domain>\<username>. For example, sso\jsmith.

  6. Click the Sign in button.

  7. On the OneStream Logon screen, open an application.

Login for OneStream IdentityServer Native Authentication

  1. In Server Address on the Logon screen, specify the URL or a client connection and click the Connect button.

    The Logon screen has a blue Authentication heading at the top with a server address below in a rectangular field. There are five buttons on the page, which are each a blue oval with black text. There is also an Application drop-down menu that is a rectangle with a black down arrow.

  2. Click the Logon button. The Login dialog box displays on a new browser tab.

  3. Enter your username and password.

    The Login dialog box has a blue banner at the top with the OneStream logo and fields for the username and password. There are two rectangular buttons for log in and cancel. The log in button has a blue background, and the cancel button has a white background. There are links that can be selected to change a password or reset a forgotten password.

    NOTE: Click Change Password on the Login screen to change your password. Your username and current password are required to change your password.

    NOTE: Click Forgot Password on the Login screen to reset your password. Your username and email address are required to reset your password. If you forgot your username, contact your administrator. This feature is only available for native authentication in OneStream IdentityServer.

  4. Click the LOG IN button.

  5. On the OneStream Logon screen, open an application.

Change Applications and Log Off

When you change applications, your login is retained regardless of your authentication mode. You do not have to log in again.

Use either of the following options to change applications:

  • Click Logoff on any screen and then click the Change Application button.

  • Select another application on the Logon screen and then click the Change Application button.

Ending a session:

  • Logs you out of OneStream and disconnects you from the server.

  • Does not log you out of your external IdP.

You can log back in without specifying credentials if your provider token is still valid. Use either of the following options to end a session:

  • Click Logoff on any screen and then click the End Session button.

  • Click the Logoff button on the Logon page.