Authentication

This section provides an overview for OneStream authentication for customers in a self-hosted environment.

For customers in a OneStream-hosted environment, see the Identity and Access Management Guide for information about authentication with OneStream IdentityServer.

When users sign in to a OneStream application, they go through an authentication process where they are required to confirm their identity. This is typically done by entering a user ID and password in the OneStream application. The user ID and password could be through an external authentication that is Cloud-based in which OneStream is not storing a user password or through OneStream native users in which this password is stored in the OneStream Framework.

How Does Single Sign-on Work?

  • The OneStream administrator must provision a user to OneStream in the System tab. The Authentication properties of the user indicate whether OneStream should use native authentication or an external single sign-on (SSO) to authenticate the user.

  • Federated single sign-on enables applications to redirect to Azure AD (Microsoft Entra ID), Okta, PingFederate, or your SAML 2.0 provider for user authentication.

  • The user experience during the authentication process is dependent on the configuration of your identity provider. The default experience presents the user with a dialog box to enter the single user ID and password previously configured in an external provider that they may then use to sign in to other corporate applications, hence a single sign-on.

  • Most external authentication providers allow for control over the user experience using techniques such as Integrated Windows Authentication (IWA) or a variant that can eliminate or reduce the need to enter a user ID and password multiple times throughout the day. Consult with your identity provider for information on how to configure this experience. 

    • For Azure AD (Microsoft Entra ID), this is referred to as “Pass-Through Authentication.”

    • For Okta, this is referred to as “Okta IWA Web App.”

    • For PingFederate, this is referred to as “PingFederate IWA Integration Kit.”

The steps in this section provide information on configuring OneStream for external authentication with Transport Layer Security (TLS) encryption (access to the Web Server using https versus http). For a point of reference, these steps were performed in IIS running on a Windows Server 2016 operating system. 

Modern Browser Experience Configuration

If you use the Modern Browser Experience, you must enter a REST API key in both the OneStream Application Server Configuration and Web Server Configuration to enter OneStream and browser clients.

Application Server Configuration

  1. Open the OneStream Server Configuration Utility application.

  2. Go to File > New Application Server Configuration File.

    NOTE: Alternatively, you can open an existing file to edit it.

  3. In the Security section, click the ellipsis to the right of Security.

    The Application Server Configuration File dialog box has a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the Security section, Security is highlighted.

  4. In the Key for Encrypting Rest Api Calls field, enter a unique value. It is recommended to enter a value with at least 30 characters that are alphanumeric and have both mixed case and symbols.

    The Security dialog box has a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the General section, Key for Encrypting Rest Api Calls is highlighted.

  5. Click the OK button.

  6. Save changes and reset IIS.

    NOTE: Reset IIS after you save any changes to the Application Server Configuration or Web Server Configuration.

Web Server Configuration

  1. Open the OneStream Server Configuration Utility application.

  2. Go to File > New Web Server Configuration File.

    NOTE: Alternatively, you can open an existing file to edit it.

  3. In the Authentication section, click the ellipsis to the right of Security.

    The Web Server Configuration File dialog box has a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the Authentication section, Security is highlighted.

  4. In the Key for Encrypting Rest Api Calls field, enter the same value from the Key for Encrypting Rest Api Calls field in the Application Server Configuration. See Application Server Configuration step 4.

    The Security dialog box has a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the General section, Key for Encrypting Rest Api Calls is highlighted.

    NOTE: It is recommended to enter a value with at least 30 characters that are alphanumeric and have both mixed case and symbols.

  5. Click the OK button.

  6. Save changes and reset IIS.

    NOTE: Reset IIS after you save any changes to the Application Server Configuration or Web Server Configuration.

Authentication Configurations

OneStream supports native authentication, authentication with one external identity provider, or both native authentication and one external identity provider.

OneStream supports the following external identity providers:

  • Microsoft Active Directory (MSAD)

  • Lightweight Directory Access Protocol (LDAP)

  • Three OpenID Connect (OIDC) identity providers:

    • Azure Active Directory (Azure AD [Microsoft Entra ID])

    • Okta

    • PingFederate

  • SAML 2.0 identity providers (for example, Okta, PingFederate, Active Directory Federation Services [ADFS], and Salesforce)

Set up authentication in the Application Server Configuration and Web Server Configuration in OneStream. This section includes instructions to set up for the following configurations:

Set Up for Native Authentication

  1. Open the OneStream Server Configuration Utility application.

  2. Go to File > New Application Server Configuration File.

    NOTE: Alternatively, you can open an existing file to edit it.

  3. In the Security section, click the ellipsis to the right of Native Authentication.

    The Application Server Configuration dialog box has a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the Security section, Native Authentication is highlighted.

  4. In the Enable Native Authentication drop-down menu, select True.

    IMPORTANT: If Enable Native Authentication is set to False, the user will receive an error when attempting to log in to OneStream using native authentication.

    The Native Authentication dialog box has a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the General section, Enable Native Authentication is set to True.

  5. Click the OK button and save changes.

  6. Go to File > New Web Server Configuration File.

    NOTE: Alternatively, you can open an existing file to edit it.

  7. In the Web Server Configuration Settings section, click the ellipsis to the right of Single Sign On Identity Provider.

    The Web Server Configuration dialog box has a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the Web Server Configuration Settings section, Single Sign On Identity Provider is highlighted.

  8. In the General section, in the SSO Identity Provider Type drop-down menu, select NotUsed and then click the OK button.

    The Single Sign On Identity Provider dialog box has a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the General section, SSO Identity Provider Type is set to NotUsed.

  9. In the Authentication section, click the ellipsis to the right of Security.

    The Web Server Configuration dialog box has a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the Authentication section, Security is highlighted.

  10. In the Display Native Logon with SSO Enabled drop-down menu, select False.

    The Security dialog box has a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the General section, Display Native Login with SSO Enabled is set to False.

  11. Click the OK button.

  12. Save changes and reset IIS.

    NOTE: Reset IIS after you save any changes to the Application Server Configuration or Web Server Configuration.

Set Up for Single Sign-on with an External Identity Provider

  1. Open the OneStream Server Configuration Utility application.

  2. Go to File > New Application Server Configuration File.

    NOTE: Alternatively, you can open an existing file to edit it.

  3. In the Security section, click the ellipsis to the right of Native Authentication.

    The Application Server Configuration dialog box has a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the Security section, Native Authentication is highlighted.

  4. In the Enable Native Authentication drop-down menu, select False.

    The Native Authentication dialog box has a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the General section, Enable Native Authentication is set to False.

  5. Click the OK button and save changes.

  6. Go to File > New Web Server Configuration File.

    NOTE: Alternatively, you can open an existing file to edit it.

  7. In the Web Server Configuration Settings section, click the ellipsis to the right of Single Sign On Identity Provider.

    The Web Server Configuration dialog box has a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the Web Server Configuration Settings section, Single Sign On Identity Provider is highlighted.

  8. In the General section, in the SSO Identity Provider Type drop-down menu, select the type of external identity provider: Azure, Okta, PingFederate, Saml, or OpenId. Click the OK button.

  9. In the Authentication section, click the ellipsis to the right of Security.

    The Web Server Configuration dialog box has a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the Authentication section, Security is highlighted.

  10. In the Display Native Logon with SSO Enabled drop-down menu, select False.

    The Security dialog box has a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the General section, Display Native Login with SSO Enabled is set to False.

  11. Click the OK button.

  12. Save changes and reset IIS.

    NOTE: Reset IIS after you save any changes to the Application Server Configuration or Web Server Configuration.

We strongly recommend you configure single sign-on with an external identity provider with one of the following options:

  • For OIDC and SAML 2.0 identity providers, enable a time-based one-time password (TOTP), which requires users to enter a one-time verification code for authentication. See Verification Code.

  • For OIDC identity providers only, run a local loopback with a local redirect port. See OIDC Local Redirect Port.

Set Up for Native Authentication and Single Sign-on with an External Identity Provider

  1. Open the OneStream Server Configuration Utility application.

  2. Go to File > New Application Server Configuration File.

    NOTE: Alternatively, you can open an existing file to edit it.

  3. In the Security section, click the ellipsis to the right of Native Authentication.

    The Application Server Configuration dialog box has a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the Security section, Native Authentication is highlighted.

  4. In the Enable Native Authentication drop-down menu, select True.

    IMPORTANT: If Enable Native Authentication is set to False, the user will receive an error when attempting to log in to OneStream using native authentication.

    The Native Authentication dialog box has a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the General section, Enable Native Authentication is set to True.

  5. Click the OK button and save changes.

  6. Go to File > New Web Server Configuration File.

    NOTE: Alternatively, you can open an existing file to edit it.

  7. In the Web Server Configuration Settings section, click the ellipsis to the right of Single Sign On Identity Provider.

    The Web Server Configuration dialog box has a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the Web Server Configuration Settings section, Single Sign On Identity Provider is highlighted.

  8. In the General section, in the SSO Identity Provider Type drop-down menu, select the type of external identity provider: Azure, Okta, PingFederate, Saml, or OpenId. Click the OK button.

  9. In the Authentication section, click the ellipsis to the right of Security.

    The Web Server Configuration dialog box has a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the Authentication section, Security is highlighted.

  10. In the Display Native Logon with SSO Enabled drop-down menu, select True.

    The Security dialog box has a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the General section, Display Native Login with SSO Enabled is set to True.

  11. Click the OK button.

  12. Save changes and reset IIS.

    NOTE: Reset IIS after you save any changes to the Application Server Configuration or Web Server Configuration.

We strongly recommend you configure single sign-on with an external identity provider with one of the following options:

  • For OIDC and SAML 2.0 identity providers, enable a time-based one-time password (TOTP), which requires users to enter a one-time verification code for authentication. See Verification Code.

  • For OIDC identity providers only, run a local loopback with a local redirect port. See OIDC Local Redirect Port.

This section includes instructions for configuring the following types of authentication:

Native Authentication Configuration

To enable native authentication, follow these steps:

  1. Set Up for Native Authentication or Set Up for Native Authentication and Single Sign-on with an External Identity Provider.

  2. Set Up OneStream Login with Native Authentication.

  3. Log in to OneStream with Native Authentication.

Set Up OneStream Login with Native Authentication

  1. In the OneStream desktop application, go to System > Security > Users > <user>.

  2. In the Authentication section, complete the following fields for native authentication.

    • External Authentication Provider: In the drop-down menu, select (Not Used).

    • External Provider User Name: Leave this field blank.

    • Internal Provider Password: Enter a password.

  3. Click the Save icon.

Log in to OneStream with Native Authentication

To log in with the browser, see the Modern Browser Experience Guide. To log in with the desktop application, follow these steps:

  1. On the desktop application Logon screen, for Server Address, specify the URL or a client connection.
  2. Click the Connect button.
  3. Enter your user profile name and internal provider password.

  4. Click the Logon button.

  5. Select an application from the drop-down menu.

  6. Click the Open Application button.

NOTE: To log off, on any screen, click the Logoff icon and then click the End Session button.

MSAD Configuration

To enable single sign-on with MSAD, follow these steps:

  1. Set Up for Native Authentication or Set Up for Native Authentication and Single Sign-on with an External Identity Provider.

  2. Set Up the Application Server Configuration in OneStream.

  3. Set Up the Web Server Configuration in OneStream.

  4. Set Up OneStream Login with MSAD.

  5. Log in to OneStream with MSAD.

Set Up the Application Server Configuration in OneStream

  1. Open the OneStream Server Configuration Utility application.

  2. Go to File > New Application Server Configuration File.

    NOTE: Alternatively, you can open an existing file to edit it.

  3. In the Security section, click the ellipsis to the right of External Authentication Providers.

    The Application Server Configuration dialog box has a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the Security section, External Authentication Providers is highlighted.

  4. Click the + icon to add an item. 

  5. In the General and Windows sections, complete the following fields:

    • Name: Enter the name of the identity provider. This name will display when configuring users to their external SSO.

    • Authentication Provider Type: Select Windows in the drop-down menu.

    • Name of Account Store: Enter the domain name of the active directory.

      TIP: In Active Directory Users and Computers, you can view the domain name of the active directory.

    • Name of Account Store Container: Enter the name of the domain controller (DC). Leave the other values as default.

      TIP: In Active Directory Users and Computers, under the active directory, click Domain Controllers to view the name of the domain controller.

    • Type of Account Store: Select Domain in the drop-down menu.

    The External Authentication Providers dialog box has a blank field on the left. To the right of the blank field are four icons for plus and minus signs and up and down arrows. To the right of the icons is a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the General section, Name and Authentication Provider Type are highlighted. In the Windows Section, Name of Account Store, Name of account Store Container, and Type of Account Store are highlighted.

    See External Authentication Providers.

  6. Click the OK button.

  7. Save changes and reset IIS.

    NOTE: Reset IIS after you save any changes to the Application Server Configuration or Web Server Configuration.

Set Up the Web Server Configuration in OneStream

  1. Open the OneStream Server Configuration Utility application.

  2. Go to File > New Web Server Configuration File.

    NOTE: Alternatively, you can open an existing file to edit it.

  3. In the Web Server Configuration Settings section, click the ellipsis to the right of Single Sign On Identity Provider.

    The Web Server Configuration dialog box has a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the Web Server Configuration Settings section, Single Sign On Identity Provider is highlighted.

  4. In the SSO Identity Provider Type drop-down menu, select NotUsed.

    The Single Sign On Identity Provider dialog box has a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the General section, SSO Identity Provider Type is set to NotUsed.

  5. Click the OK button.

  6. Save changes and reset IIS.

    NOTE: Reset IIS after you save any changes to the Application Server Configuration or Web Server Configuration.

Set Up OneStream Login with MSAD

  1. In the desktop application, go to System > Security > Users > <user>.

  2. In the General and Authentication properties, complete the following fields for MSAD authentication.

    • Name: Enter the user logon name listed in active directory.

      TIP: In Active Directory Users and Computers, under the active directory, click Users to view the list of users. Select the user. Click the Account tab to view the user logon name.

    • External Authentication Provider: In the drop-down menu, select the MSAD configuration.

    • External Provider User Name: Leave this field blank.

  3. Click the Save icon.

Log in to OneStream with MSAD

To log in with the browser, see the Modern Browser Experience Guide. To log in with the desktop application, follow these steps:

  1. On the desktop application Logon screen, for Server Address, specify the URL or a client connection.
  2. Click the Connect button.
  3. Enter your user name and password set up in MSAD.

  4. Click the Logon button.

  5. Select an application from the drop-down menu.

  6. Click the Open Application button.

NOTE: To log off, on any screen, click the Logoff icon and then click the End Session button.

LDAP Configuration

To enable single sign-on with LDAP, follow these steps:

  1. Set Up for Native Authentication or Set Up for Native Authentication and Single Sign-on with an External Identity Provider.

  2. Set Up the Application Server Configuration in OneStream.

  3. Set Up the Web Server Configuration in OneStream.

  4. Set Up OneStream Login with LDAP.

  5. Log in to OneStream with LDAP.

Set Up the Application Server Configuration in OneStream

  1. Open the OneStream Server Configuration Utility application.

  2. Go to File > New Application Server Configuration File.

    NOTE: Alternatively, you can open an existing file to edit it.

  3. In the Security section, click the ellipsis to the right of External Authentication Providers.

    The Application Server Configuration dialog box has a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the Security section, External Authentication Providers is highlighted.

  4. Click the + icon to add an item. 

  5. In the General and LDAP sections, complete the following fields:

    • Name: Enter the name of the identity provider. This name will display when configuring users to their external SSO.

    • Authentication Provider Type: Select LDAP in the drop-down menu.

    • LDAP Authentication Type: Select Basic in the drop-down menu.

    • LDAP Base DN: Enter the distinguished name (DN) of the container or organizational unit where your OneStream users' accounts are located. 

      TIP: The base DN is the full path to the location of the user accounts in the authentication hierarchy. LDAP will look for user accounts in this location. If needed, contact your IT Support for this information.

    • LDAP Server or Domain: Enter the fully qualified domain name (FQDN) of your active directory domain or domain controller.

    The External Authentication Providers dialog box has a blank field on the left. To the right of the blank field are four icons for plus and minus signs and up and down arrows. To the right of the icons is a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the General section, Name and Authentication Provider Type are highlighted. In the LDAP Section, LDAP Authentication Type, LDAP Base DN, and LDAP Server or Domain are highlighted.

    See External Authentication Providers.

  6. Click the OK button.

  7. Save changes and reset IIS.

    NOTE: Reset IIS after you save any changes to the Application Server Configuration or Web Server Configuration.

Set Up the Web Server Configuration in OneStream

  1. Open the OneStream Server Configuration Utility application.

  2. Go to File > New Web Server Configuration File.

    NOTE: Alternatively, you can open an existing file to edit it.

  3. In the Web Server Configuration Settings section, click the ellipsis to the right of Single Sign On Identity Provider.

    The Web Server Configuration dialog box has a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the Web Server Configuration Settings section, Single Sign On Identity Provider is highlighted.

  4. In the SSO Identity Provider Type drop-down menu, select NotUsed.

    The Single Sign On Identity Provider dialog box has a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the General section, SSO Identity Provider Type is set to NotUsed.

  5. Click the OK button.

  6. Save changes and reset IIS.

    NOTE: Reset IIS after you save any changes to the Application Server Configuration or Web Server Configuration.

Set Up OneStream Login with LDAP

  1. In the desktop application, go to System > Security > Users > <user>.

  2. In the General and Authentication properties, complete the following fields for LDAP authentication:

    • Name: Enter the user logon name listed in active directory.

      TIP: In Active Directory Users and Computers, under the active directory, click Users to view the list of users. Select the user. Click the Account tab to view the user logon name.

    • External Authentication Provider: In the drop-down menu, select the LDAP configuration.

    • External Provider User Name: Enter the display name listed in the active directory.

      TIP: In Active Directory Users and Computers, under the active directory, click Users to view the list of users. Select the user. Click the General tab to view the display name.

  3. Click the Save icon.

Log in to OneStream with LDAP

To log in with the browser, see the Modern Browser Experience Guide. To log in with the desktop application, follow these steps:

  1. On the desktop application Logon screen, for Server Address, specify the URL or a client connection.
  2. Click the Connect button.
  3. Enter your user name (user logon name) and password set up in the active directory.

  4. Click the Logon button.

  5. Select an application from the drop-down menu.

  6. Click the Open Application button.

NOTE: To log off, on any screen, click the Logoff icon and then click the End Session button.

Microsoft Azure AD (Microsoft Entra ID) Configuration

To enable single sign-on with Azure AD (Microsoft Entra ID) using OIDC protocol, follow these steps:

  1. Set Up for Single Sign-on with an External Identity Provider or Set Up for Native Authentication and Single Sign-on with an External Identity Provider.

  2. Set Up the Applications in Azure AD (Microsoft Entra ID).

  3. Set Up the Application Server Configuration in OneStream.

  4. Set Up the Web Server Configuration in OneStream.

  5. Set Up OneStream Login with Azure AD (Microsoft Entra ID).

  6. Log in to OneStream with Azure AD (Microsoft Entra ID).

To configure OneStream REST API to support Azure AD (Microsoft Entra ID) authentication, see the REST API Implementation Guide.

Set Up the Applications in Azure AD (Microsoft Entra ID)

Set up the applications in Azure AD (Microsoft Entra ID) for the browser and desktop application.

Modern Browser Experience

To set up the application in Azure AD (Microsoft Entra ID) for the browser, you must complete these steps:

  • Enter the redirect URI in Azure AD (Microsoft Entra ID) in this format: https://<domainname>/signin-oidc

  • Copy the client secret from Azure AD (Microsoft Entra ID) and paste it into the Application Server Configuration and Web Server Configuration in OneStream.

  • Copy the application (client) ID and tenant ID (directory ID) from Azure AD (Microsoft Entra ID) and paste them into the Web Server Configuration in OneStream.

Follow these detailed instructions. Depending on the identity provider version you use, the steps you must complete might be different.

  1. Log in to your Azure AD account.

  2. On the Home screen, click the App registrations icon.

  3. On the App registrations page, click the + New registration tab.

  4. On the Register an application page, complete the following fields:

    1. Enter a name for the application.

    2. For Supported account types, select Accounts in this organizational directory only.

    3. For Redirect URI, select Web.

  5. Click the Register button.

  6. On the page for the application, click Add a Redirect URI.

  7. On the Authentication page, click the + Add a platform button.

  8. In the Configure platforms section to the right, select the Web icon.

  9. In the Redirect URIs field, enter the redirect URI in this format: https://<domainname>/signin-oidc

  10. For Implicit grant and hybrid flows, select ID tokens.

  11. Click the Configure button.

  12. On the page for the application, click Add a certificate or secret.

  13. On the Certificates & secrets page, click the + New client secret button.

  14. In the Add a client secret section to the right, enter a description and select an expiration time in the drop-down menu.

  15. Click the Add button.

  16. Copy the value for the client secret. You will need to paste it in the Web Server Configuration in OneStream.

    IMPORTANT: The client secret value may only be available to copy for a limited time, so copy it immediately after it is created.

    TIP: Return to the App registrations page in Azure AD and then select the application to access information needed for the Web Server Configuration in OneStream: application (client) ID, directory (tenant) ID, and redirect URI.

Desktop Application

To set up the application in Azure AD (Microsoft Entra ID) for the desktop application, which includes the Windows Client application and the Excel Add-In, you must complete these steps:

  • Enter the redirect URI in Azure AD (Microsoft Entra ID) in this format: https://<domainname>/OneStreamWeb/OneStreamLogonCallback.aspx

  • Copy the application (client) ID and tenant ID (directory ID) from Azure AD (Microsoft Entra ID) and paste them into the Web Server Configuration in OneStream.

Follow these detailed instructions. Depending on the identity provider version you use, the steps you must complete might be different.

  1. Log in to your Azure AD account.

  2. On the Home screen, click the App registrations icon.

  3. On the App registrations page, click the + New registration tab.

  4. On the Register an application page, complete the following fields:

    1. Enter a name for the application.

    2. For Supported account types, select Accounts in this organizational directory only.

    3. For Redirect URI, select Public client/native.

  5. Click the Register button.

  6. On the page for the application, click Add a Redirect URI.

  7. On the Authentication page, click the + Add a platform button.

  8. In the Configure platforms section to the right, select the Mobile and desktop applications icon.

  9. In the Custom redirect URIs field, enter the redirect URI in this format: https://<domainname>/OneStreamWeb/OneStreamLogonCallback.aspx

  10. Click the Configure button.

    TIP: Return to the App registrations page in Azure AD and then select the application to access information needed for the Web Server Configuration in OneStream: application (client) ID, directory (tenant) ID, and redirect URI.

Set Up the Application Server Configuration in OneStream

  1. Open the OneStream Server Configuration Utility application.

  2. Go to File > New Application Server Configuration File.

    NOTE: Alternatively, you can open an existing file to edit it.

  3. In the Security section, click the ellipsis to the right of External Authentication Providers.

    The Application Server Configuration dialog box has a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the Security section, External Authentication Providers is highlighted.

  4. Click the + icon to add an item.

  5. In the General and External Provider Single Sign On sections, complete the following fields:

    • Name: Enter the name of the identity provider. This name will display when configuring users to their external SSO.

    • Authentication Provider Type: Select AzureSSO in the drop-down menu.

    • External Provider Web SSO Secret Key: Enter the client secret from Azure AD. See Modern Browser Experience step 16. This key is used in the OneStream Application Server Configuration and the OneStream Web Server Configuration. It enables your application server to communicate with the web server.

    The External Authentication Providers dialog box has a blank field on the left. To the right of the blank field are four icons for plus and minus signs and up and down arrows. To the right of the icons is a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the General section, Name and Authentication Provider Type are highlighted. In the External Provider Single Sign On Section, External Provider Web SSO Secret Key is highlighted.

  6. Click the OK button.

  7. Save changes and reset IIS.

    NOTE: Reset IIS after you save any changes to the Application Server Configuration or Web Server Configuration.

Set Up the Web Server Configuration in OneStream

  1. Open the OneStream Server Configuration Utility application.

  2. Go to File > New Web Server Configuration File.

    NOTE: Alternatively, you can open an existing file to edit it.

  3. In the Web Server Configuration Settings section, click the ellipsis to the right of Single Sign On Identity Provider.

    The Web Server Configuration dialog box has a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the Web Server Configuration Settings section, Single Sign On Identity Provider is highlighted.

  4. Click the ellipsis to the right of Azure Identity Provider.

    The Single Sign On Identity Provider dialog box has a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the General section, Azure Identity Provider is highlighted.

  5. In the Azure Identity Provider dialog box, complete the following fields:

    General

    • Azure AD Tenant Id: Enter the directory (tenant) ID from Azure AD. The directory (tenant) ID in Azure AD should be the same value for the browser and desktop application.

      TIP: To view the directory (tenant) ID in Azure AD, go to the page for the application and select Overview in the list on the left.

    • Azure OpenID Connect Scopes: Enter scopes, or leave as default (openid email profile).

    Browser UX Settings

    • OneStream Web App Client ID: Enter the application (client) ID from Azure AD. See Modern Browser Experience step 16.

    • OneStream Web App Client Secret Key: Enter the same value from the External Provider Web SSO Secret Key field in the Application Server Configuration. Enter the client secret from Azure AD. See Modern Browser Experience step 16.

    • Open Id Redirect Url: Enter the value you entered in Azure AD as the redirect URI. See Modern Browser Experience step 9. Use this format: https://<domainname>/signin-oidc

      IMPORTANT: The redirect URI entered in Azure AD and in the Open Id Redirect Url field must match exactly, including capitalization.

      IMPORTANT: The value entered in Browser UX Settings > Open Id Redirect Url must be different from the value entered in Windows Desktop Client Settings > OneStream Windows App Redirect Url in order to route to the correct client.

    Windows Desktop Client Settings

    • OneStream Windows App Client ID: Enter the application (client) ID from Azure AD. See Desktop Application step 10.

    • OneStream Windows App Redirect Url: Enter the value you entered in Azure AD as the redirect URI. See Desktop Application step 10. Use this format: https://<domainname>/OneStreamWeb/OneStreamLogonCallback.aspx

      IMPORTANT: The redirect URI entered in Azure AD and in the OneStream Windows App Redirect Url field must match exactly, including capitalization.

      IMPORTANT: The value entered in Windows Desktop Client Settings > OneStream Windows App Redirect Url must be different from the value entered in Browser UX Settings > Open Id Redirect Url in order to route to the correct client.

    The Azure Identity Provider dialog box has a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the General section, Azure AD Tenant Id and Azure OpenID Connect Scopes are highlighted. In the Browser UX Settings section, OneStream Web App Client ID, OneStream Web App Client Secret Key, and Open Id Redirect Url are highlighted. In the Windows Desktop Client Settings section, OneStream Windows App Client ID and OneStream Windows App Redirect Url are highlighted.

  6. Click the OK button.

  7. Save changes and reset IIS.

    NOTE: Reset IIS after you save any changes to the Application Server Configuration or Web Server Configuration.

We strongly recommend you configure your environment for OIDC authentication to run a local loopback with a local redirect port. See OIDC Local Redirect Port.

Set Up OneStream Login with Azure AD (Microsoft Entra ID)

  1. In the desktop application, go to System > Security > Users > <user>.

  2. In the Authentication properties, complete the following fields for authentication through Azure AD.

    • External Authentication Provider: In the drop-down menu, select the Azure AD configuration.

    • External Provider User Name: Enter the username configured in Azure AD. This name must match the username set up in Azure AD and be used by only one user.

  3. Click the Save icon.

Log in to OneStream with Azure AD (Microsoft Entra ID)

To log in with the browser, see the Modern Browser Experience Guide. To log in with the desktop application, follow these steps:

  1. On the desktop application Logon screen, for Server Address, specify the URL or a client connection.

  2. Click the Connect button.

  3. Click the External Provider Sign In button.

  4. Enter your Azure AD login credentials.

    NOTE: If the Require Verification Code setting in the Web Server Configuration File is enabled, you will be provided with a one-time verification code to enter in the application. See Verification Code.

  5. Select an application from the drop-down menu.

  6. Click the Open Application button.

NOTE: To log off, on any screen, click the Logoff icon and then click the End Session button.

Okta Configuration

To enable single sign-on with Okta using OIDC protocol, follow these steps:

  1. Set Up for Single Sign-on with an External Identity Provider or Set Up for Native Authentication and Single Sign-on with an External Identity Provider.

  2. Set Up the Application Server Configuration in OneStream.

  3. Set Up the Applications in Okta.

  4. Set Up the Web Server Configuration in OneStream.

  5. Set Up OneStream Login with Okta.

  6. Log in to OneStream with Okta.

To configure OneStream REST API to support Okta authentication, see the REST API Implementation Guide.

Set Up the Application Server Configuration in OneStream

  1. Open the OneStream Server Configuration Utility application.

  2. Go to File > New Application Server Configuration File.

    NOTE: Alternatively, you can open an existing file to edit it.

  3. In the Security section, click the ellipsis to the right of External Authentication Providers.

    The Application Server Configuration dialog box has a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the Security section, External Authentication Providers is highlighted.

  4. Click the + icon to add an item.

  5. In the General and External Provider Single Sign On sections, complete the following fields:

    • Name: Enter the name of the identity provider. This name will display when configuring users to their external SSO.

    • Authentication Provider Type: Select Okta SSO in the drop-down menu.

    • External Provider Web SSO Secret Key: Enter a unique value. This key is used in the OneStream Application Server Configuration and the OneStream Web Server Configuration. It enables your application server to communicate with the web server.

    The External Authentication Providers dialog box has a blank field on the left. To the right of the blank field are four icons for plus and minus signs and up and down arrows. To the right of the icons is a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the General section, Name and Authentication Provider Type are highlighted. In the External Provider Single Sign On Section, External Provider Web SSO Secret Key is highlighted.

  6. Click the OK button.

  7. Save changes and reset IIS.

    NOTE: Reset IIS after you save any changes to the Application Server Configuration or Web Server Configuration.

Set Up the Applications in Okta

Set up the applications in Okta for the browser and desktop application.

Modern Browser Experience

To set up the application in Okta for the browser, you must complete these steps:

  • Enter the redirect URI in Okta in this format: https://<domainname>/signin-oidc

  • Copy the client ID from Okta and paste it into the Web Server Configuration in OneStream.

Follow these detailed instructions. Depending on the identity provider version you use, the steps you must complete might be different.

  1. Log in to your Okta account.

  2. In the Applications list on the left, select Applications.

  3. Click Create App Integration.

  4. In the Create a new app integration dialog box, for Sign-in method, select OIDC - OpenID Connect.

  5. For Application type, select Single-Page Application.

  6. Click the Next button.

  7. On the New Single-Page App Integration page, complete the following fields:

    • App integration name: Enter the name of the application in Okta.

    • Grant type: Select Authorization Code and Refresh Token.

    • Sign-in redirect URIs: Enter the sign-in redirect URI in this format: https://<domainname>/signin-oidc

    • Sign-out redirect URIs: Click X to clear the field.

    • Controlled access: Select the access option for the application.

  8. Click the Save button.

  9. Copy the client ID. You will paste this into the Web Server Configuration in OneStream.

Desktop Application

To set up the application in Okta for the desktop application, which includes the Windows Client application and the Excel Add-In, you must complete these steps:

  • Enter the redirect URI in Okta in this format: https://<domainname>/OneStreamWeb/OneStreamLogonCallback.aspx

  • Copy the client ID from Okta and paste it into the Web Server Configuration in OneStream.

Follow these detailed instructions. Depending on the identity provider version you use, the steps you need to complete might be different.

  1. Log in to your Okta account.

  2. In the Applications list on the left, select Applications.

  3. Click Create App Integration.

  4. In the Create a new app integration dialog box, for Sign-in method, select OIDC - OpenID Connect.

  5. For Application type, select Native Application.

  6. Click the Next button.

  7. On the New Native App Integration page, complete the following fields:

    • App integration name: Enter the name of the application in Okta.

    • Grant type: Select Authorization Code and Refresh Token.

    • Sign-in redirect URIs: Enter the sign-in redirect URI in this format: https://<domainname>/OneStreamWeb/OneStreamLogonCallback.aspx

    • Sign-out redirect URIs: Click X to clear the field.

    • Controlled access: Select the access option for the application.

  8. Click the Save button.

  9. Copy the client ID. You will need to paste this into the Web Server Configuration in OneStream.

Set Up the Web Server Configuration in OneStream

  1. Open the OneStream Server Configuration Utility application.

  2. Go to File > New Web Server Configuration File.

    NOTE: Alternatively, you can open an existing file to edit it.

  3. In the Web Server Configuration Settings section, click the ellipsis to the right of Single Sign On Identity Provider.

    The Web Server Configuration dialog box has a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the Web Server Configuration Settings section, Single Sign On Identity Provider is highlighted.

  4. Click the ellipsis to the right of Okta Identity Provider.

    The Single Sign On Identity Provider dialog box has a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the General section, Okta Identity Provider is highlighted.

  5. In the Okta Identity Provider dialog box, complete the following fields:

    General

    • Okta Domain: Enter the domain from the Okta page URL.

    • Okta Scopes: Enter scopes, or leave as default (openid email phone address profile).

    • Okta Authorization Server ID: Leave as default (blank).

    Browser UX Settings

    • OneStream Web App Client ID: Enter the client ID from the Okta application. See Modern Browser Experience step 9.

    • Okta Web App Client Secret Key: Enter the same value from the External Provider Web SSO Secret Key field in the Application Server Configuration. See Set Up the Application Server Configuration in OneStream step 5.

    • Open Id Redirect Url: Enter the value you entered in Okta as the redirect URI. See Modern Browser Experience step 7. Use this format: https://<domainname>/signin-oidc

      IMPORTANT: The redirect URI entered in Okta and in the Open Id Redirect Url field must match exactly, including capitalization.

      IMPORTANT: The value entered in Browser UX Settings > Open Id Redirect Url must be different from the value entered in Windows Desktop Client Settings > OneStream Windows App Redirect Url in order to route to the correct client.

    Windows Desktop Client Settings

    • OneStream Windows App Client ID: Enter the client ID from the Okta application. See Desktop Application step 9.

    • OneStream Windows App Redirect Url: Enter the value you entered in Okta as the sign-in redirect URI. See Desktop Application step 7. Use this format: https://<domainname>/OneStreamWeb/OneStreamLogonCallback.aspx

      IMPORTANT: The sign-in redirect URI entered in Okta and in the OneStream Windows App Redirect Url field must match exactly, including capitalization.

      IMPORTANT: The value entered in Windows Desktop Client Settings > OneStream Windows App Redirect Url must be different from the value entered in Browser UX Settings > Open Id Redirect Url in order to route to the correct client.

    The Okta Identity Provider dialog box has a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the General section, Okta Domain, Okta Scopes, and Okta Authorization Server ID are highlighted. In the Browser UX Settings section, OneStream Web App Client ID, Okta Web App Client Secret Key, and Open Id Redirect Url are highlighted. In the Windows Desktop Client Settings section, OneStream Windows App Client ID and OneStream Windows App Redirect Url are highlighted.

  6. Click the OK button.

  7. Save changes and reset IIS.

    NOTE: Reset IIS after you save any changes to the Application Server Configuration or Web Server Configuration.

We strongly recommend you configure your environment for OIDC authentication to run a local loopback with a local redirect port. See OIDC Local Redirect Port.

Set Up OneStream Login with Okta

  1. In the desktop application, go to System > Security > Users > <user>.

  2. In the Authentication properties, configure the user to authenticate through Okta.

    • External Authentication Provider: In the drop-down menu, select the Okta configuration.

    • External Provider User Name: Enter the username configured in Okta. This name must match the username set up in Okta and be used by only one user.

  3. Click the Save icon.

Log in to OneStream with Okta

To log in with the browser, see the Modern Browser Experience Guide. To log in with the desktop application, follow these steps:

  1. On the desktop application Logon screen, for Server Address, specify the URL or a client connection.

  2. Click the Connect button.

  3. Click the External Provider Sign In button.

  4. Enter your Okta login credentials.

    NOTE: If the Require Verification Code setting in the Web Server Configuration File is enabled, you will be provided with a one-time verification code to enter in the application. See Verification Code.

  5. Select an application from the drop-down menu.

  6. Click the Open Application button.

NOTE: To log off, on any screen, click the Logoff icon and then click the End Session button.

PingFederate Configuration

First, install and configure PingFederate. See Appendix: Installing and Configuring PingFederate.

To enable single sign-on with PingFederate using OIDC protocol, follow these steps:

  1. Set Up for Single Sign-on with an External Identity Provider or Set Up for Native Authentication and Single Sign-on with an External Identity Provider.

  2. Set Up the Applications in PingFederate.

  3. Set Up the Application Server Configuration in OneStream.

  4. Set Up the Web Server Configuration in OneStream.

  5. Set Up OneStream Login with PingFederate.

  6. Log in to OneStream with PingFederate.

To configure OneStream REST API to support PingFederate authentication, see the REST API Implementation Guide.

Set Up the Applications in PingFederate

Set up the applications in PingFederate for the browser and desktop application.

Modern Browser Experience

To set up the application in PingFederate for the browser, you must complete these steps:

  • Enter the same client ID in PingFederate and the Web Server Configuration in OneStream.

  • Enter the redirect URI in PingFederate in this format: https://<domainname>/signin-oidc

  • Copy the client secret from PingFederate and paste it into the Application Server Configuration and Web Server Configuration in OneStream.

Follow these detailed instructions. Depending on the identity provider version you use, the steps you must complete might be different.

  1. Log in to your PingFederate account.

  2. In the menu on the left, click OAuth Server.

  3. Under the CLIENTS list, click the Create New button.

  4. On the Client page, complete the following fields:

    • CLIENT ID: Enter a client ID, which is a unique name or identifier for the application registration.

    • NAME: Enter the name of the client.

    • CLIENT AUTHENTICATION: Select CLIENT SECRET.

    • CLIENT SECRET: Select CHANGE SECRET and then click the Generate Secret button.

      IMPORTANT: The client secret value may only be available to copy for a limited time, so copy it immediately after it is created.

    • REDIRECT URIS: Enter the redirect URI in this format: https://<domainname>/signin-oidc and then click the Add button.

    • ALLOWED GRANT TYPES: Select Authorization Code and Refresh Token.

    • REQUIRE PROOF KEY FOR CODE EXCHANGE (PKCE): Select this option.

  5. Click the Save button.

Desktop Application

To set up the application in PingFederate for the desktop application, which includes the Windows Client application and the Excel Add-In, you must complete these steps:

  • Enter the same client ID in PingFederate and the Web Server Configuration in OneStream.

  • Enter the redirect URI in PingFederate in this format: https://<domainname>/OneStreamWeb/OneStreamLogonCallback.aspx

Follow these detailed instructions. Depending on the identity provider version you use, the steps you must complete might be different.

  1. Log in to your PingFederate account.

  2. In the menu on the left, click OAuth Server.

  3. Under the CLIENTS list, click the Create New button.

  4. On the Client page, complete the following fields:

    • CLIENT ID: Enter a client ID, which is a unique name or identifier for the application registration.

    • NAME: Enter the name of the client.

    • REDIRECT URIS: Enter the redirect URI in this format: https://<domainname>/OneStreamWeb/OneStreamLogonCallback.aspx and then click the Add button.

    • ALLOWED GRANT TYPES: Select Authorization Code and Refresh Token.

    • REQUIRE PROOF KEY FOR CODE EXCHANGE (PKCE): Select this option.

  5. Click the Save button.

Set Up the Application Server Configuration in OneStream

  1. Open the OneStream Server Configuration Utility application.

  2. Go to File > New Application Server Configuration File.

    NOTE: Alternatively, you can open an existing file to edit it.

  3. In the Security section, click the ellipsis to the right of External Authentication Providers.

    The Application Server Configuration dialog box has a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the Security section, External Authentication Providers is highlighted.

  4. Click the + icon to add an item.

  5. In the General and External Provider Single Sign On sections, complete the following fields:

    • Name: Enter the name of the identity provider. This name will display when configuring users to their external SSO.

    • Authentication Provider Type: Select PingFederateSSO in the drop-down menu.

    • External Provider Web SSO Secret Key: Enter the client secret from PingFederate. See Browser Experience Application step 4. This key is used in the OneStream Application Server Configuration and the OneStream Web Server Configuration. It enables your application server to communicate with the web server.

    The External Authentication Providers dialog box has a blank field on the left. To the right of the blank field are four icons for plus and minus signs and up and down arrows. To the right of the icons is a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the General section, Name and Authentication Provider Type are highlighted. In the External Provider Single Sign On Section, External Provider Web SSO Secret Key is highlighted.

  6. Click the OK button.

  7. Save changes and reset IIS.

    NOTE: Reset IIS after you save any changes to the Application Server Configuration or Web Server Configuration.

Set Up the Web Server Configuration in OneStream

  1. Open the OneStream Server Configuration Utility application.

  2. Go to File > New Web Server Configuration File.

    NOTE: Alternatively, you can open an existing file to edit it.

  3. In the Web Server Configuration Settings section, click the ellipsis to the right of Single Sign On Identity Provider.

    The Web Server Configuration dialog box has a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the Web Server Configuration Settings section, Single Sign On Identity Provider is highlighted.

  4. Click the ellipsis to the right of PingFederate Identity Provider.

    The Single Sign On Identity Provider dialog box has a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the General section, PingFederate Identity Provider is highlighted.

  5. In the PingFederate Identity Provider dialog box, complete the following fields:

    General

    • PingFederate Domain: Enter the PingFederate domain. If needed, request this value from your IT Support.

    • PingFederate Scopes: Enter scopes, or leave as default (openid email phone address profile).

    Browser UX Settings

    • OneStream Web App Client ID: Enter the client ID you entered in PingFederate. See Modern Browser Experience step 4.

    • OneStream Web App Client Secret Key: Enter the client secret from PingFederate. See Modern Browser Experience step 4.

    • Open Id Redirect Url: Enter the value you entered in PingFederate as the redirect URI. See Modern Browser Experience step 4. Use this format: https://<domainname>/signin-oidc

      IMPORTANT: The redirect URI entered in PingFederate and in the Open Id Redirect Url field must match exactly, including capitalization.

      IMPORTANT: The value entered in Browser UX Settings > Open Id Redirect Url must be different from the value entered in Windows Desktop Client Settings > OneStream Windows App Redirect Url in order to route to the correct client.

    Windows Desktop Client Settings

    • OneStream Windows App Client ID: Enter the client ID you entered in PingFederate. See Desktop Application step 4.

    • OneStream Windows App Redirect Url: Enter the value you entered in PingFederate as the redirect URI. See Desktop Application step 4. Use this format: https://<domainname>/OneStreamWeb/OneStreamLogonCallback.aspx

      IMPORTANT: The redirect URI entered in PingFederate and in the OneStream Windows App Redirect Url field must match exactly, including capitalization.

      IMPORTANT: The value entered in Windows Desktop Client Settings > OneStream Windows App Redirect Url must be different from the value entered in Browser UX Settings > Open Id Redirect Url in order to route to the correct client.

    The PingFederate Identity Provider dialog box has a grid with row headings that have a gray background with black text and can be expanded to display fields with a white background and black text. In this example, in the General section, PingFederate Domain and PingFederate Scopes are highlighted. In the Browser UX Settings section, OneStream Web App Client ID, OneStream Web App Client Secret Key, and Open Id Redirect Url are highlighted. In the Windows Desktop Client Settings section, OneStream Windows App Client ID and OneStream Windows App Redirect Url are highlighted.

  6. Click the OK button.

  7. Save changes and reset IIS.

    NOTE: Reset IIS after you save any changes to the Application Server Configuration or Web Server Configuration.

We strongly recommend you configure your environment for OIDC authentication to run a local loopback with a local redirect port. See OIDC Local Redirect Port.

Set Up OneStream Login with PingFederate

  1. In the desktop application, go to System > Security > Users > <user>.

  2. In the Authentication properties, configure the user to authenticate through PingFederate.

    • External Authentication Provider: In the drop-down menu, select the PingFederate configuration.

    • External Provider User Name: Enter the username configured in PingFederate. This name must match the username set up in PingFederate and be used by only one user.

  3. Click the Save icon.

Log in to OneStream with PingFederate

To log in with the browser, see the Modern Browser Experience Guide. To log in with the desktop application, follow these steps:

  1. On the desktop application Logon screen, for Server Address, specify the URL or a client connection.

  2. Click the Connect button.

  3. Click the External Provider Sign In button.

  4. Enter your PingFederate login credentials.

    NOTE: If the Require Verification Code setting in the Web Server Configuration File is enabled, you will be provided with a one-time verification code to enter in the application. See Verification Code.

  5. Select an application from the drop-down menu.

  6. Click the Open Application button.

NOTE: To log off, on any screen, click the Logoff icon and then click the End Session button.