This document describes how you can collect OneLogin Single Sign-On (SSO) logs
by configuring OneLogin Event Webhooks and Google Security Operations HTTPS Webhooks.
From the Google Security Operations menu, select Settings > Feeds.
Click Add new.
In the Feed name field, enter a name for the feed.
In the Source Type list, select Webhook.
Select OneLogin as the Log type.
Click Next.
Optional: Enter values for the following input parameters:
Split delimiter: \n.
Asset namespace: the asset namespace.
Ingestion labels: the label to be applied to the events from this feed.
Click Next.
Review your new feed configuration, and then click Submit.
Click Generate Secret Key to generate a secret key to authenticate this feed.
Copy and store the secret key as you cannot view this secret again. You can
generate a new secret key, but regeneration of the secret key makes the
previous secret key obsolete.
From the Details tab, copy the feed endpoint URL from the Endpoint Information
field. Enter this endpoint URL in your OneLogin Event Webhook.
Click Done.
Create an API key for the HTTPS webhook feed
Go to the Google Cloud console console Credentials page.
Click Create credentials, and then select API key.
Copy and store the API key.
Restrict the API key access to the Chronicle API.
Configure OneLogin Event Webhook
The OneLogin Event Webhook lets you stream OneLogin event data to
Google Security Operations which accepts data in JSON format.
This integration lets you monitor activities, alert on threats, and execute
event-based identity related workflows across your OneLogin and Google Security Operations environment.
Log on to the OneLogin admin portal.
Go to the Developers tab > Webhooks > New Webhook, and then choose Event Webhook for Log Management.
Enter the following details:
In the Name field, enter Google SecOps.
In the Format field, enter SIEM (NDJSON).
In the Listener URL, enter the Google SecOps Webhook endpoint that will receive the event data from OneLogin.
In the Custom Headers, enable authentication by specifying the API key and secret key as part of the custom header in the following format:
X-goog-api-key:API_KEY
X-Webhook-Access-Key:SECRET
Click Save. Refresh the page to see the new webhook in your OneLogin Event Broadcasters as connected.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Collect OneLogin Single Sign-On (SSO) logs\n==========================================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n\nThis document describes how you can collect OneLogin Single Sign-On (SSO) logs\nby configuring OneLogin Event Webhooks and Google Security Operations HTTPS Webhooks.\n\nFor more information, see [Data ingestion to Google Security Operations](/chronicle/docs/data-ingestion-flow).\n\nConfigure Google SecOps HTTPS Webhook\n-------------------------------------\n\n### Create an HTTPS webhook feed\n\n1. From the Google Security Operations menu, select **Settings** \\\u003e **Feeds**.\n2. Click **Add new**.\n3. In the **Feed name** field, enter a name for the feed.\n4. In the **Source Type** list, select **Webhook**.\n5. Select **OneLogin** as the **Log type**.\n6. Click **Next**.\n7. Optional: Enter values for the following input parameters:\n 1. **Split delimiter** : `\\n`.\n 2. **Asset namespace**: the asset namespace.\n 3. **Ingestion labels**: the label to be applied to the events from this feed.\n8. Click **Next**.\n9. Review your new feed configuration, and then click **Submit**.\n10. Click **Generate Secret Key** to generate a secret key to authenticate this feed.\n11. Copy and store the secret key as you cannot view this secret again. You can generate a new secret key, but regeneration of the secret key makes the previous secret key obsolete.\n12. From the **Details** tab, copy the feed endpoint URL from the **Endpoint Information** field. Enter this endpoint URL in your OneLogin Event Webhook.\n13. Click **Done**.\n\n### Create an API key for the HTTPS webhook feed\n\n1. Go to the Google Cloud console console Credentials page.\n2. Click **Create credentials**, and then select API key.\n3. Copy and store the API key.\n4. Restrict the API key access to the Chronicle API.\n\nConfigure OneLogin Event Webhook\n--------------------------------\n\nThe OneLogin Event Webhook lets you stream OneLogin event data to\nGoogle Security Operations which accepts data in JSON format.\nThis integration lets you monitor activities, alert on threats, and execute\nevent-based identity related workflows across your OneLogin and Google Security Operations environment.\n\n1. Log on to the OneLogin admin portal.\n2. Go to the Developers tab \\\u003e **Webhooks** \\\u003e **New Webhook** , and then choose **Event Webhook for Log Management**.\n3. Enter the following details:\n\n - In the **Name** field, enter `Google SecOps`.\n - In the **Format** field, enter `SIEM (NDJSON)`.\n - In the **Listener URL**, enter the Google SecOps Webhook endpoint that will receive the event data from OneLogin.\n - In the **Custom Headers**, enable authentication by specifying the API key and secret key as part of the custom header in the following format:\n\n `X-goog-api-key:API_KEY`\n\n `X-Webhook-Access-Key:SECRET`\n4. Click **Save**. Refresh the page to see the new webhook in your OneLogin Event Broadcasters as connected.\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
