The OneStream Community is temporarily frozen until June 29th due to the ongoing maintenance. Please read the blog post here to learn more.

Forum Discussion

Satish's avatar
Satish
New Contributor III
4 months ago

Security Setup for Contractor ID

Hi All, qq--is there a way to disable SSO login for one account. we have one user created in OneStream as a contractor, and now we want to enable that user to login to OneStream application witho...
Security
Satish's avatar
Satish
New Contributor III
4 months ago

Hi Kress,

Thanks for your reply.
In our test instance, we have enabled Native login, and I am able to log in without any issues.

However, my requirement is to use a dedicated technical user for all our automation jobs.

For example, we have automated our security provisioning via SailPoint using REST APIs and Token. But in the Task Activity log, it shows my name for auditing because I am the one who generated the token. To avoid this, we want to use a contractor user as the technical account.

In our test environment, this works because i disable the External Authentication Provider, which allows Native login for that contractor account. But in Production, Native login is disabled entirely, so this approach does not work.

I would like to check if there is any way to disable SSO only for a specific user in Production. The goal is to log in with the contractor account without OTP, access the OneStream application, and generate the required API token using that ID.

Please let me know if there are any recommended options or best practices to achieve this.

T_Kress's avatar
T_Kress
Icon for OneStream Employee rankOneStream Employee
4 months ago

In your production environment, I do not believe what you need is to disable SSO for one user, but instead enable native logon and only use native logon for that one user.  You can leave all other users in production as SSO.  If this is the requirement, I would suggest opening a support case to get native access enabled in production.

I am not sure otherwise, if there are any other options other than creating an account in your SSO authenticator environment that can be used as this "system logon" and then that ID would use SSO, like all others.

Maybe someone else will have other ideas.