Organization Setup

Connect your OneLogin tenant to wavekey and configure Trusted IdP authentication.

Setup Overview

Connecting your organization to wavekey is a two-part process:

  1. Create an OIDC app in OneLogin and link it to wavekey using your invite link.
  2. Configure wavekey as a Trusted IdP in OneLogin so it can be used as an MFA factor.

Before you begin: You'll need admin access to your OneLogin tenant and the wavekey invite link provided by your wavekey representative.

Accepting the Invite

You'll receive an invite link from your wavekey representative. This link opens the organization setup page where you'll connect your OneLogin tenant.

Becoming the Admin

During setup, you'll be asked to enter an Admin Email. The person whose email is entered here becomes the wavekey admin for your organization. This is important because:

  • Enrollment PINs — When any user enrolls their device, a 4-digit verification PIN is sent to this email address. You'll need to share each PIN with the enrolling user so they can complete setup.
  • Manage Service Providers — As admin, you'll have access to the Manage Service Providers dashboard where you can connect and configure Salesforce, Google Workspace, and other integrations.
  • User Enrollment — You authorize enrollment by distributing PINs to users as they enroll their devices.

Choose Your Admin Email Carefully

The admin email can't easily be changed after setup. Make sure it belongs to someone who will be actively managing wavekey for your organization and can promptly share enrollment PINs with users.

Part 1 — Connect Your OneLogin Tenant

Step 1: Create the OIDC Connected App

  1. Log in to your OneLogin Admin Console.
  2. Go to Applications → Add App and search for OpenId Connect (OIDC).
  3. Set the Redirect URI to the URL shown on your wavekey invite page.
  4. Set the Post Logout Redirect URI to the second URL shown on the invite page.
  5. Copy the Client ID and Client Secret from the app's SSO tab.
  6. Go to the Access tab and assign the app to the roles or users who should use wavekey.

Step 2: Complete the Invite Form

  1. Open the wavekey invite link you received.
  2. Enter your Issuer Base URL (usually https://yourcompany.onelogin.com/oidc/2).
  3. Paste the Client ID and Client Secret from your OIDC app.
  4. Enter the Admin Email — enrollment PINs will be sent to this address.
  5. Click "Connect Organization".

On success, you'll see the Trusted IdP configuration values needed for Part 2.

Part 2 — Configure Trusted IdP in OneLogin

After connecting, wavekey provides the following configuration values. You'll enter these into OneLogin to establish wavekey as a Trusted Identity Provider.

Configuration Values Provided

  Field                        Description
  Issuer                       wavekey's OIDC issuer URL
  Authentication Endpoint      wavekey's authorization endpoint
  Token Endpoint               wavekey's token exchange endpoint
  User Information Endpoint    wavekey's userinfo endpoint
  Token Endpoint Auth Method   Always BASIC
  Scopes                       openid email profile
  Client ID                    Your tenant's client ID (use the Copy button)
  Client Secret                Your tenant's client secret (click to reveal, then copy)
  Allowed Redirect URI         OneLogin's callback URL for the Trusted IdP

Steps in OneLogin

  1. Go to Authentication → Trusted IdPs → New Trust.
  2. Enter each of the configuration values from the wavekey success screen.
  3. Check "Send Login Hint (OIDC TIDPs) in Auth Request".
  4. Click "Enable Trusted IDP".
  5. Go to Authentication → Policies and edit your sign-in policy.
  6. Under MFA, select "Trusted IdP as a Factor" and choose wavekey.
  7. For each app you want to protect, set its policy to "Require MFA" and select the wavekey Trusted IdP.
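
A pre-flight check for step 2, as an added example (not wavekey's or OneLogin's code): it compares the values copied from the success screen against the OIDC discovery document for the same issuer. It assumes wavekey serves discovery metadata at the issuer's /.well-known/openid-configuration path and that BASIC means client_secret_basic; the host idp.example.invalid and all sample values are constructed.

```python
from urllib.parse import urlsplit

# Success-screen field names -> OIDC discovery metadata keys.
ENDPOINT_KEYS = {
    "Issuer": "issuer",
    "Authentication Endpoint": "authorization_endpoint",
    "Token Endpoint": "token_endpoint",
    "User Information Endpoint": "userinfo_endpoint",
}

def check_trusted_idp(values, discovery):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    for field, key in ENDPOINT_KEYS.items():
        url = values.get(field, "")
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"{field}: not an absolute https URL")
        if url != discovery.get(key):
            problems.append(f"{field}: differs from discovery '{key}'")
    # Assumption: OneLogin's BASIC maps to OIDC client_secret_basic, which is
    # also the discovery default when the metadata key is absent.
    methods = discovery.get("token_endpoint_auth_methods_supported",
                            ["client_secret_basic"])
    if (values.get("Token Endpoint Auth Method") != "BASIC"
            or "client_secret_basic" not in methods):
        problems.append("Token Endpoint Auth Method: BASIC not usable")
    scopes = values.get("Scopes", "").split()
    if "openid" not in scopes:
        problems.append("Scopes: 'openid' is required for OIDC")
    advertised = discovery.get("scopes_supported")  # optional metadata
    if advertised is not None and set(scopes) - set(advertised):
        problems.append("Scopes: some requested scopes are not advertised")
    return problems

# Constructed sample data; idp.example.invalid is a placeholder host.
BASE = "https://idp.example.invalid"
DISCOVERY = {"issuer": BASE, "authorization_endpoint": BASE + "/authorize",
             "token_endpoint": BASE + "/token", "userinfo_endpoint": BASE + "/userinfo",
             "scopes_supported": ["openid", "email", "profile"]}
VALUES = {"Issuer": BASE, "Authentication Endpoint": BASE + "/authorize",
          "Token Endpoint": BASE + "/token",
          "User Information Endpoint": BASE + "/userinfo",
          "Token Endpoint Auth Method": "BASIC", "Scopes": "openid email profile"}

if __name__ == "__main__":
    for line in check_trusted_idp(VALUES, DISCOVERY) or ["all values consistent"]:
        print(line)
```

An empty result means the copied endpoints match what the issuer advertises; any mismatch is worth resolving with your wavekey representative before enabling the Trusted IdP.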

What's Next

Once your organization is connected and the Trusted IdP is configured:

  • Enroll users — when a user first logs in, they'll see a QR code and you'll receive a PIN to share with them.
  • Connect service providers — add Salesforce, Google Workspace, and enable continuous authentication.