Use IP Allowlisting to enforce zero trust policies for specific SaaS Applications integrated with OneLogin
Use a OneLogin App Policy IP Address Allow List to require a CSE Service Tunnel when authenticating to a SaaS Application
- Updated on
Overview
This guide explains how to use a OneLogin App Policy to require that end users have a CSE Service Tunnel established before they can authenticate to a specific SaaS application through OneLogin. The result is equivalent to the Entra ID IP allowlisting flow: authentication is permitted only when the request originates from the CSE Access Tier egress IP addresses.
Compared with Entra ID, OneLogin IP allowlisting is simpler to configure. OneLogin restricts access with a single App Policy IP Address Allow List, rather than a combination of Named Locations and Conditional Access policies.
Doc status: CSE-side steps reviewed 2026-06-29. The third-party IdP console steps follow the vendor’s own documentation and should be confirmed against the live admin console, which can change without notice.
Prerequisites
- A OneLogin account with Admin privileges.
- The SaaS application(s) you want to protect already integrated with OneLogin.
- A CSE Service Tunnel that users connect through.
Steps
This procedure spans two systems. The CSE Command Center steps (Step 1) establish the Service Tunnel that gives tunneled traffic a known, allowable source IP. The OneLogin console steps (Steps 3 and 4) tell OneLogin to accept only that source IP. For the OneLogin console steps, treat OneLogin’s own documentation linked under References as the authoritative source for current UI labels and navigation.
Values to exchange
The two systems share one piece of data: the source IP that OneLogin should trust.
| Value | Source | Used in |
|---|---|---|
| CSE Access Tier egress IP address(es) | CSE (identified in Step 2) | OneLogin App Policy IP Address Allow List (Step 3) |
Step 1: Register a Service Tunnel for the public domains
This step provisions the CSE Service Tunnel through which protected traffic must flow, ensuring that authentication requests reach OneLogin from a CSE Access Tier egress IP rather than the user’s local network.
1.1 Register a Service Tunnel for Public Domains.
1.2 Configure the Service Tunnel to include the OneLogin authentication domains and the domains of the SaaS application(s) you are protecting, so that this traffic is routed through CSE. For the current OneLogin domains and IP addresses, see OneLogin Domains and IP Addresses.
Step 2: Identify the CSE Access Tier egress IP addresses
2.1 Obtain the public egress IP address(es) of the Access Tier(s) that serve the Service Tunnel. These are the source IPs OneLogin sees for tunneled traffic, and the addresses you will allow in Step 3.
The CSE-maintained list is published on the Global Edge Network IP Ranges page. Use the values under Global Edge Egress IPs (global_edge_egress_ip_ranges.txt).
Important — remove the /32 suffix for OneLogin. The published egress list uses CIDR notation (for example, 203.0.113.10/32). OneLogin’s IP Address Allow List accepts only individual IP addresses or address ranges, not CIDR notation. Each entry that retains a /32 suffix will fail. Before pasting the list into Step 3, strip the trailing /32 from every single-host address so that only the bare IP remains (for example, 203.0.113.10). This differs from Entra ID, which requires the CIDR form.
Step 3: Create a OneLogin App Policy with an IP Address Allow List
This step defines, on the OneLogin side, the source IP condition that gates authentication. Because this is configured in OneLogin’s own console, confirm the navigation and field names against OneLogin’s documentation if the UI differs from what is shown here.
3.1 In the OneLogin Admin Portal, navigate to Security > Policies, and select New App Policy. This creates the policy object that will carry the IP restriction.
3.2 Enter a descriptive policy name (for example, CSE Service Tunnel Required), and select Save.
3.3 In the App Policy settings, locate the IP Address Allow List, and enter the CSE Access Tier egress IP address(es) from Step 2 as a space-separated list of bare IP addresses (with the /32 suffixes removed, as noted in Step 2).
Note: Leaving the allow list blank permits access from any IP address. Optionally, enable Ignore X-Forwarded-For header IP addresses so that OneLogin evaluates the connecting source IP rather than a forwarded-header value.
3.4 Leave the remaining App Policy settings at their defaults unless your organization requires otherwise; they do not affect the IP restriction. In particular:
- MFA bypass can be left blank if it is not needed.
- The recurring re-authentication timer (how often users are re-prompted for MFA) should be given a value — for example, 60 minutes — so that users connecting through the Service Tunnel are not prompted excessively. If left empty, users may experience frequent MFA prompts.
- Authenticator types and whether to require MFA are your organization’s choice; configure them according to your own security policy.
Step 4: Assign the App Policy to the SaaS application
This step binds the IP-restricting policy to the specific application, so that the source-IP condition is enforced at authentication time.
4.1 Navigate to Applications, and select the application you want to protect. The application does not need to be a SAML app; an App Policy can be assigned to any application in OneLogin.
4.2 Open the Access tab to reach the policy assignment for that application.
4.3 Under Policy, select the App Policy you created in Step 3.
4.4 Select Save. The policy then applies to all users of that application.
Note: To allow exceptions for specific user groups, use role-based App Policies so that different roles can have different IP requirements for the same application.
Expected behaviour
If the user does NOT have the Service Tunnel connection established, OneLogin sees a non-allowed source IP and blocks access to the application. Once the user establishes the Service Tunnel, the request originates from an allowed Access Tier IP and authentication succeeds.
References
- OneLogin, App Policy Settings - IP Address Allow List.
- OneLogin, User Policies.
- OneLogin, OneLogin Domains and IP Addresses.