Satish
4 months ago · New Contributor III
Security Setup for Contractor ID
Hi All,
Quick question: is there a way to disable SSO login for one account?
We have one user created in OneStream as a contractor, and now we want to enable that user to log in to the OneStream application witho...
T_Kress
OneStream Employee
4 months ago
I think in the security window for that user, you can just change this drop-down back to "Not Used" and then they would need a native password which you would provide for them and they will have to change at first log on:
If this is allowed, then they will log on with their OS username and OS password.
This is, of course, if your customer allows Native Logon, which is a server-side setting of True done at initial install. If that has not been set to True, then you cannot allow native logon IDs.
You would then have to open a ticket to get this set to True by OneStream support:
Satish
4 months ago · New Contributor III
Hi Kress,
Thanks for your reply.
In our test instance, we have enabled Native login, and I am able to log in without any issues.
However, my requirement is to use a dedicated technical user for all our automation jobs.
For example, we have automated our security provisioning via SailPoint using REST APIs and a token. But in the Task Activity log, it shows my name for auditing because I am the one who generated the token. To avoid this, we want to use a contractor user as the technical account.
In our test environment, this works because I disable the External Authentication Provider, which allows Native login for that contractor account. But in Production, Native login is disabled entirely, so this approach does not work.
I would like to check if there is any way to disable SSO only for a specific user in Production. The goal is to log in with the contractor account without OTP, access the OneStream application, and generate the required API token using that ID.
Please let me know if there are any recommended options or best practices to achieve this.
- T_Kress · 4 months ago
OneStream Employee
In your production environment, I do not believe what you need is to disable SSO for one user, but instead enable native logon and only use native logon for that one user. You can leave all other users in production as SSO. If this is the requirement, I would suggest opening a support case to get native access enabled in production.
I am not sure otherwise, if there are any other options other than creating an account in your SSO authenticator environment that can be used as this "system logon" and then that ID would use SSO, like all others.
Maybe someone else will have other ideas.
- anna_ivinska · 4 months ago · New Contributor II
Hi,
In our company, we also use SSO for all users, also for an "automation technical user" - for automated data / metadata load from outside OneStream via REST API.
OS tokens are used for autouser authentication. Solution from our side for that type of issue (in order to avoid admin's username in the task activity window) was:
- When creating a new token in OneStream, you need to log into OneStream with credentials as this technical user (in this sense, you need to use username/pswd for this tech. user). This is a once-a-year job, since tokens are issued for 1 year.