# OneLogin with OpenID Connect

## Add IAM on the App Settings Page

1. Navigate to the **App Settings** page in the Immuta console and click the **Add IAM** button.
2. Complete the **Display Name** field and select **OpenID** from the **Identity Provider Type** dropdown.
3. Adjust **Default Permissions** granted to users by selecting from the list in this dropdown menu.

## Add OpenID Connect in OneLogin

1. Navigate to OneLogin, click **Administration**, and then select **Applications** from the Applications menu.
2. Click **Add App** in the top right corner of the screen. Search for and select **OpenID Connect (OIDC)**.
3. Complete the **Display Name** field and click **Save**.

## Complete the Configuration

1. From the **Identity and Access Management** window in your Immuta tenant, copy the **SSO Callback URL** to your clipboard.
2. Return to OneLogin, click the **Configuration** tab in the left panel, and paste the URL in the **Login Url** and **Redirect URI's** fields.
3. Click **Save** in the top right corner of this screen.
4. Click the **SSO** tab in the left panel of your OneLogin account. Copy the **Client ID** and the **Client Secret** and paste these values in the corresponding fields in your Immuta tenant.
5. Then, right-click the **Well-known Configuration** text on the **SSO** tab of OneLogin and copy the link to your clipboard.
6. Return to your Immuta tenant and paste this link in the **Discover URL** field; Immuta reads the discovery document at that link to fill in the rest of the form, so you do not have to enter the endpoints manually.
7. Confirm email as the **User ID claim**, and fill out the **Scopes** section.
8. Return to OneLogin and scroll to the **Token Endpoint** section. Select **POST** from the **Authentication Method** dropdown.
9. Click **Save**.
10. Return to your Immuta console, opt to **Enable SSL** and **Enable SCIM support for OpenID**. *Validate that the usernames in your IAM match those in your data platform (Snowflake, Databricks, etc.). If they are incorrect in the IAM or the casing doesn't match, fix the data platform username in the identity provider before configuring SCIM in Immuta.*
    1. Copy the **SCIM URL** and **API key** generated, and then save your changes[^1].
    2. Validate the URL and credentials within the identity provider application.
11. In the **Profile Schema** section, map attributes in OpenID to automatically fill in a user's Immuta profile. *Note: Fields that you specify in this schema will not be editable by users within Immuta.*

    If usernames in your data platform align with usernames in an external IAM and those accounts align with an IAM attribute, enter the IAM attribute in the field that corresponds to your data platform:

    1. **User's Databricks Username**
    2. **User's Snowflake Username**
    3. **User's Trino Username**
    4. **User's Azure Synapse Analytics Username**
    5. **User's Redshift Username**
    6. **User's AWS User**. After entering the IAM attribute in the User's AWS User field, open the **Select AWS User Type** dropdown and select one of the types below. This is used by the Amazon S3 Integration to map users in Immuta to the corresponding user type in AWS.
       * **None** (fallback to Immuta username): When selecting this option, the AWS username is assumed to be the same as the Immuta username.
       * [**AWS IAM role**](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-roles): Only a single Immuta user can be mapped to an IAM role. This restriction prohibits enforcing policies on AWS users who could assume that role. Therefore, if using role principals, create a new user in Immuta that represents the role so that the role then has the permissions applied specifically to it.
       * [**AWS IAM user**](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-users)
       * **AWS Identity Center user IDs**: You must use the numeric `User ID` value found in AWS IAM Identity Center, not the user's email address.
    7. **User's PostgreSQL Username**
12. Opt to **Allow Identity Provider Initiated Single Sign On**, **External Groups and Attributes Endpoint**, and **Migrate Users**.
13. Click **Test Connection**. Once the connection is successful, click **Test User Login**.
14. Click **Save**.
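Two of the steps above are easy to get subtly wrong: the discovery document must advertise the settings chosen in the procedure (POST client authentication at the token endpoint, `email` as the User ID claim, the scopes you request), and SCIM mapping needs usernames that match the data platform exactly, casing included. The following added example (not Immuta or OneLogin code) runs those pre-flight checks offline against a constructed discovery document; the tenant URLs in it are placeholders.

```python
import json
from urllib.parse import urlparse

# Constructed sample shaped like an OpenID Connect Discovery 1.0 document;
# the tenant URLs are placeholders, not real OneLogin endpoints.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://example-tenant.onelogin.com/oidc/2",
    "authorization_endpoint": "https://example-tenant.onelogin.com/oidc/2/auth",
    "token_endpoint": "https://example-tenant.onelogin.com/oidc/2/token",
    "jwks_uri": "https://example-tenant.onelogin.com/oidc/2/certs",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
    "scopes_supported": ["openid", "email", "profile"],
    "claims_supported": ["sub", "email", "name"],
})

REQUIRED_ENDPOINTS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(doc_json, user_id_claim="email", scopes=("openid", "email")):
    """Return the problems a discovery document has for the setup described above."""
    doc = json.loads(doc_json)
    problems = []
    for key in REQUIRED_ENDPOINTS:
        if key not in doc:
            problems.append(f"missing {key}")
        elif urlparse(doc[key]).scheme != "https":
            problems.append(f"{key} is not https")
    # "POST" in the OneLogin Authentication Method dropdown is client_secret_post.
    if "client_secret_post" not in doc.get("token_endpoint_auth_methods_supported", []):
        problems.append("token endpoint does not advertise client_secret_post")
    if user_id_claim not in doc.get("claims_supported", []):
        problems.append(f"claim {user_id_claim!r} not advertised")
    for scope in scopes:
        if scope not in doc.get("scopes_supported", []):
            problems.append(f"scope {scope!r} not advertised")
    return problems


def username_mismatches(iam_usernames, platform_usernames):
    """Report IAM usernames with no exact match in the data platform, casing included."""
    platform = set(platform_usernames)
    folded = {u.casefold(): u for u in platform}
    report = {}
    for user in iam_usernames:
        if user in platform:
            continue
        match = folded.get(user.casefold())
        # A casing-only difference is reported separately: it is the fix the
        # procedure tells you to make in the identity provider before enabling SCIM.
        report[user] = f"casing differs from {match!r}" if match else "not found"
    return report
```

Run `check_discovery` on the document fetched from the **Well-known Configuration** link and `username_mismatches` on exports from your IAM and data platform before clicking **Test Connection**.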

{% hint style="warning" %}
**Multiple user accounts cannot have the same email address**

If you register user accounts that have the same email address as an existing Immuta user account, the email field for the subsequent user accounts will be left empty. For more details, see the [Identity managers reference guide](https://documentation.immuta.com/latest/configuration/people/reference-guides/identity-managers#limitations).
{% endhint %}

[^1]: You can either finish configuring your IAM on the app settings page before clicking save, or you can save now and return to the app settings page to edit the IAM configuration after saving.
