The End User Experience
How users log in and what happens when they switch applications or end a session depends on the authentication mode configured.
About Login
If you use one provider (native authentication or an external IdP), you are taken to the configured method to log in. Users with external IdPs enter their IdP username (specified in System Security as the External Provider User Name), then go to their IdP Login page on a new browser tab where they enter their username and password. For example, if you use an Okta identity provider, clicking Logon launches the Okta Login page. Users with native accounts enter their native account password and log in. See Login for One External IdP and Login for OneStream IdentityServer Native Authentication.
If you use multiple IdPs, including native authentication with an external IdP, the Login dialog box (often called "Home Realm Discovery") displays. OneStream IdentityServer evaluates your user account authentication settings to identify your authentication mode, which determines the rest of your login with the appropriate IdP. See Login for Multiple External IdPs.
SAML 2.0 users must re-enter their username, prefixed with their domain name if they use Active Directory Federation Services (ADFS). See Login for SAML 2.0 and ADFS.
TIP: As a best practice, after you have configured an external IdP and are no longer using OneStream IdentityServer native accounts, you should submit a Support ticket to disable native authentication. See Native Authentication.
Initial Login for Native Authentication
1. Navigate to the OneStream instance ClickOnce URL or launch OneStream from a previously created desktop shortcut.
2. If prompted, click Run to install the Windows Application.
3. On the Login dialog box, enter your username and click the NEXT button.
4. Enter your password and click the LOG IN button.
5. Change your password by entering your current and new passwords and clicking the CONFIRM button.
6. On the Login dialog box, enter your username and new password and click the LOG IN button.
7. In the OneStream application window, click the Logon button.
8. Select an application from the drop-down menu and click the Open Application button.
TIP: To save a shortcut to the application, click the Create Windows Shortcut icon, enter a name, and click the OK button.
Login Flows
Login for One External IdP
1. In Server Address on the Logon screen, specify the URL or a client connection and click the Connect button.
2. Click the Logon button. If you already logged on and have an active login token, go to step 5 to open an application. Otherwise, you are taken to your IdP login page on a new browser tab.
3. Enter your external username and password and click Continue.
4. ADFS: Enter your external username in this format <domain>\<username> and click the Sign in button.
5. On the OneStream Logon screen, open an application.
Login for Multiple External IdPs
Perform these steps if you use different IdPs or one IdP with native authentication.
1. In Server Address on the Logon screen, specify the URL or a client connection and click the Connect button.
2. Click Logon. The Login dialog box displays on a new browser tab. If the environment is configured for native authentication, you can log in with a native account.
3. Enter your username and click the NEXT button. Your username is evaluated to determine your authentication mode.
4. Follow the flow for the authentication mode:
   - OneStream IdentityServer Native Authentication: Enter your native account password and click the LOG IN button.
     NOTE: Click Change Password on the Login screen to change your password. Your username and current password are required to change your password.
     NOTE: Click Forgot Password on the Login screen to reset your password. Your username is required to reset your password. If you forgot your username, contact your administrator. This feature is only available for native authentication in OneStream IdentityServer.
   - External IdP:
     - Enter your IdP username and click the Next button.
     - On the IdP login page that displays on a new tab, enter your password and click Login or Sign In.
5. On the OneStream Logon screen, open an application.
Login for the Excel Add-In
The Excel Add-In uses the same login logic as the Windows Application.
1. Click Logon.
2. Specify a URL or client connection and connect.
3. Perform the task for your authentication flow:
   - If one IdP is configured and the token is active, you can open an application. Otherwise, log in using the IdP.
   - If multiple IdPs are configured, enter your username. If native authentication is enabled, enter your password. Otherwise, enter your IdP external username and password and sign in.
   - If you use native authentication, enter your native username and password.
Login for SAML 2.0 and ADFS
1. In Server Address on the Logon screen, specify the URL or a client connection and click the Connect button.
2. Click the Logon button. The Log In dialog box displays on a new browser tab.
3. Enter your username in SAML 2.0 and click Next.
4. On the IdP login page that displays on a new tab, enter your external username in SAML 2.0.
5. For ADFS: Enter your external username prefixed with your domain in this format: <domain>\<username>. For example, sso\jsmith.
6. Click the Sign in button.
7. On the OneStream Logon screen, open an application.
Login for OneStream IdentityServer Native Authentication
1. In Server Address on the Logon screen, specify the URL or a client connection and click the Connect button.
2. Click the Logon button. The Login dialog box displays on a new browser tab.
3. Enter your username and password.
   NOTE: Click Change Password on the Login screen to change your password. Your username and current password are required to change your password.
   NOTE: Click Forgot Password on the Login screen to reset your password. Your username is required to reset your password. If you forgot your username, contact your administrator. This feature is only available for native authentication in OneStream IdentityServer.
4. Click the LOG IN button.
5. On the OneStream Logon screen, open an application.
Change Applications and Log Off
When you change applications, your login is retained regardless of your authentication mode. You do not have to log in again.
Use either of the following options to change applications:
- Click Logoff on any screen and then click the Change Application button.
- Select another application on the Logon screen and then click the Change Application button.
Ending a session:
- Logs you out of OneStream and disconnects you from the server.
- Does not log you out of your external IdP.
You can log back in without specifying credentials if your provider token is still valid. Use either of the following options to end a session:
- Click Logoff on any screen and then click the End Session button.
- Click the Logoff button on the Logon page.