Rust Onelogin MCP Server
An MCP server implementation for interactions with current OneLogin API capabilities
OneLogin MCP Server
A comprehensive Model Context Protocol (MCP) server for OneLogin API
Features • Quick Start • Tool Configuration • CLI Commands • API Coverage • Contributing
Overview
A production-ready MCP server implementation providing comprehensive coverage of the OneLogin API across 28 API domains. Built in Rust for performance, reliability, and type safety, this server exposes 154 tools through the Model Context Protocol for seamless integration with AI assistants and automation workflows.
Key Features
- Comprehensive API Coverage - 28 OneLogin API domains fully implemented
- 154 MCP Tools - Complete OneLogin capabilities accessible via the MCP protocol
- High Performance - Built on the Tokio async runtime for concurrent operations
- Secure - OAuth 2.0 token management, TLS (rustls) for all API traffic, secret handling
- Production Ready - Rate limiting, caching, circuit breaker, comprehensive error handling
- Multi-Tenant - Manage multiple OneLogin tenants from a single server instance
- Migration Focused - Special features for OneLogin migration scenarios
- Type Safe - Full Rust type system ensures reliability
- Well Documented - Extensive inline documentation and usage examples
- Configurable Tools - Enable/disable tools by category or individually via JSON config
- Hot Reload - Configuration changes take effect without a server restart
Quick Start
Prerequisites
- Rust 1.70 or later
- OneLogin account with API credentials (Client ID and Secret)
Installation
1. Clone the repository

   git clone <repository-url>
   cd onelogin-mcp-server

2. Configure environment

   cp .env.example .env

   Edit .env with your OneLogin credentials. The file holds the client secret, so keep it out of version control and readable only by the user that runs the server:

   ONELOGIN_CLIENT_ID=your_client_id_here
   ONELOGIN_CLIENT_SECRET=your_client_secret_here
   ONELOGIN_REGION=us # or 'eu'
   ONELOGIN_SUBDOMAIN=your_company
   CACHE_TTL_SECONDS=300
   RATE_LIMIT_RPS=10

3. Build and run

   cargo build --release
   cargo run --release
The server will start and listen for MCP protocol messages on stdin/stdout.
Usage
MCP Protocol Interaction
The server implements the Model Context Protocol and responds to JSON-RPC requests.
Initialize the server
{
"jsonrpc": "2.0",
"id": 1,
"method": "initialize",
"params": {}
}
List available tools
{
"jsonrpc": "2.0",
"id": 2,
"method": "tools/list",
"params": {}
}
Call a tool
{
"jsonrpc": "2.0",
"id": 3,
"method": "tools/call",
"params": {
"name": "onelogin_list_users",
"arguments": {
"limit": 10
}
}
}
Common Use Cases
User Management
Create a user:
{
"name": "onelogin_create_user",
"arguments": {
"email": "newuser@example.com",
"username": "newuser",
"firstname": "Jane",
"lastname": "Doe",
"title": "Software Engineer"
}
}
Update a user:
{
"name": "onelogin_update_user",
"arguments": {
"user_id": 12345,
"title": "Senior Software Engineer",
"department": "Engineering"
}
}
Unlock a user account:
{
"name": "onelogin_unlock_user",
"arguments": {
"user_id": 12345
}
}
Smart Hooks (Custom Authentication Logic)
Create a pre-authentication hook (the handler below is a minimal placeholder that allows every login; a real hook inspects the context it receives and returns success: false for logins that must be denied):
{
"name": "onelogin_create_smart_hook",
"arguments": {
"type": "pre-authentication",
"function": "exports.handler = async (context) => { return { success: true } }",
"runtime": "nodejs18.x",
"options": {
"risk_enabled": true,
"location_enabled": true
}
}
}
Note: The server automatically base64-encodes the JavaScript function for you.
Get hook execution logs:
{
"name": "onelogin_get_smart_hook_logs",
"arguments": {
"hook_id": "abc123"
}
}
Risk & Security (Vigilance AI)
Get real-time risk score:
{
"name": "onelogin_get_risk_score",
"arguments": {
"user_identifier": "user@example.com",
"ip_address": "192.168.1.100",
"user_agent": "Mozilla/5.0..."
}
}
Validate user with Smart MFA:
{
"name": "onelogin_validate_user_smart_mfa",
"arguments": {
"user_identifier": "user@example.com",
"context": {
"ip_address": "192.168.1.100",
"user_agent": "Mozilla/5.0..."
}
}
}
Create risk rule:
{
"name": "onelogin_create_risk_rule",
"arguments": {
"name": "Detect Impossible Travel",
"enabled": true,
"conditions": [
{
"field": "location_change_rate",
"operator": "greater_than",
"value": "500"
}
],
"action": {
"action_type": "require_mfa"
},
"priority": 1
}
}
Directory Synchronization
Create directory connector (this example binds over plain LDAP on port 389; in production use LDAPS on 636 or StartTLS so the bind credentials and directory data are not sent in cleartext, and give the bind account read-only rights):
{
"name": "onelogin_create_directory_connector",
"arguments": {
"name": "Corporate AD",
"connector_type": "active_directory",
"configuration": {
"host": "ad.company.com",
"port": 389,
"bind_dn": "CN=Service,DC=company,DC=com",
"base_dn": "DC=company,DC=com"
}
}
}
Trigger sync:
{
"name": "onelogin_sync_directory",
"arguments": {
"connector_id": "dir123"
}
}
API Coverage
This server provides comprehensive coverage of the OneLogin API across 28 domains:
Core Identity Management
| Domain | Tools | Description |
|---|---|---|
| Users | 14 | Complete user lifecycle management |
| Roles | 5 | Role CRUD and management |
| Groups | 5 | Group CRUD management |
Application & Access
| Domain | Tools | Description |
|---|---|---|
| Apps | 5 | Application configuration and management |
| App Rules | 11 | Provisioning rules, conditions, and actions |
| Connectors | 2 | Application connector templates |
| MFA | 9 | Multi-factor authentication + token generation |
| SAML | 3 | SAML SSO assertion generation |
| OAuth | 3 | OAuth 2.0 token management |
| OIDC | 3 | OpenID Connect endpoints |
Advanced Security
| Domain | Tools | Description |
|---|---|---|
| Smart Hooks | 11 | Custom authentication logic + hook environment variables |
| Vigilance AI | 8 | Real-time risk scoring and Smart MFA |
| Login/Session | 3 | Authentication flows and session management |
| Risk | 1 | Get individual risk rule details |
Administration & Governance
| Domain | Tools | Description |
|---|---|---|
| Privileges | 7 | Delegated administration privileges |
| Custom Attributes | 4 | Custom user fields and metadata |
| Reports | 4 | Run and retrieve reports |
| Role Resources | 6 | Role apps, users, and admin assignments |
Provisioning & Integration
| Domain | Tools | Description |
|---|---|---|
| User Mappings | 8 | Automated provisioning rules |
| Directories | 7 | AD/LDAP/Azure AD synchronization |
| Self-Registration | 7 | User self-registration profiles |
Communication & Branding
| Domain | Tools | Description |
|---|---|---|
| Invitations | 2 | User invitation management |
| Branding | 12 | Account branding, email settings, and message templates |
Monitoring & Events
| Domain | Tools | Description |
|---|---|---|
| Events | 4 | Audit logs and event tracking |
Developer Tools
| Domain | Tools | Description |
|---|---|---|
| API Authorization | 5 | API auth server configuration |
| Embed Tokens | 2 | SSO embedding capabilities |
| Rate Limits | 2 | API rate limit status |
| Tenant Management | 1 | List configured tenants (multi-tenant mode) |
Total: 28 API Domains • 154 Tools
Architecture
High-Level Design
+-------------------------------------------------------------+
|                    MCP Server (JSON-RPC)                    |
+-------------------------------------------------------------+
|                  Tool Registry (154 tools)                  |
+-------------------------------------------------------------+
|                       Tenant Manager                        |
|  +---------------------+   +---------------------+          |
|  | Tenant: prod        |   | Tenant: staging     |   ...    |
|  |  +---------------+  |   |  +---------------+  |          |
|  |  | OneLogin API  |  |   |  | OneLogin API  |  |          |
|  |  | Client        |  |   |  | Client        |  |          |
|  |  +---------------+  |   |  +---------------+  |          |
|  |  |Auth|HTTP|Cache|  |   |  |Auth|HTTP|Cache|  |          |
|  |  +---------------+  |   |  +---------------+  |          |
|  +---------------------+   +---------------------+          |
+-------------------------------------------------------------+
                              |
                              v
                     OneLogin API (HTTPS)
Key Components
- MCP Server - Handles JSON-RPC protocol, routes tool calls
- Tool Registry - Manages 154 tool definitions and execution
- Tenant Manager - Multi-tenant client resolution with per-tenant isolation
- API Clients - 28 domain-specific API clients with typed models
- Auth Manager - OAuth 2.0 token lifecycle management (per tenant)
- HTTP Client - Connection pooling, retry logic, error handling
- Cache Layer - Moka-based caching with configurable TTL (per tenant)
- Rate Limiter - Governor-based rate limiting (per tenant)
- Circuit Breaker - Fault tolerance for API failures
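The Rate Limiter and Tenant Manager components give every tenant its own request budget. The block below is an added example, not code from this project: a per-tenant token-bucket limiter written against the standard library only, standing in for the Governor-based limiter the server actually uses. The clock is passed in by the caller (an assumption of this example) so the behaviour is deterministic; tenant names and the 10 rps figure mirror RATE_LIMIT_RPS and the tenants.json names used elsewhere in this README.

```rust
// Added example (not project code): per-tenant token bucket in plain std Rust.
use std::collections::HashMap;
use std::time::{Duration, Instant};

struct Bucket {
    tokens: f64,           // whole requests currently available
    last_refill: Duration, // caller-supplied monotonic time of the last refill
}

pub struct TenantRateLimiter {
    rps: f64,   // refill rate; mirrors RATE_LIMIT_RPS
    burst: f64, // bucket capacity; one second's worth of requests here
    buckets: HashMap<String, Bucket>,
}

impl TenantRateLimiter {
    pub fn new(rps: u32) -> Self {
        let rps = f64::from(rps);
        Self { rps, burst: rps, buckets: HashMap::new() }
    }

    /// Ok(()) if one request may be sent to `tenant` right now, otherwise
    /// Err(wait) with how long to sleep before trying again. Each tenant has
    /// its own bucket, so a runaway staging job cannot starve production.
    pub fn try_acquire(&mut self, tenant: &str, now: Duration) -> Result<(), Duration> {
        let (rps, burst) = (self.rps, self.burst);
        let b = self
            .buckets
            .entry(tenant.to_string())
            .or_insert(Bucket { tokens: burst, last_refill: now });
        // Refill in proportion to elapsed time, capped at the burst size.
        let elapsed = now.saturating_sub(b.last_refill).as_secs_f64();
        b.tokens = (b.tokens + elapsed * rps).min(burst);
        b.last_refill = now;
        if b.tokens >= 1.0 {
            b.tokens -= 1.0;
            Ok(())
        } else {
            // Time until the bucket holds one whole token again.
            Err(Duration::from_secs_f64((1.0 - b.tokens) / rps))
        }
    }
}

/// Blocking wrapper for real use: sleeps until a slot is free instead of
/// letting the request reach OneLogin and come back as a 429.
pub fn acquire_blocking(limiter: &mut TenantRateLimiter, tenant: &str, start: Instant) {
    loop {
        match limiter.try_acquire(tenant, start.elapsed()) {
            Ok(()) => return,
            Err(wait) => std::thread::sleep(wait),
        }
    }
}

fn main() {
    // 12 requests against a 10 rps budget: the last two wait ~100 ms each.
    let mut limiter = TenantRateLimiter::new(10);
    let start = Instant::now();
    for i in 0..12 {
        acquire_blocking(&mut limiter, "production", start);
        println!("request {} sent at {:?}", i, start.elapsed());
    }
}
```

Because the bucket is keyed by tenant name, exhausting the production budget never delays staging calls, which is the isolation property the architecture above promises.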
Technology Stack
- Runtime: Tokio (async/await)
- HTTP: Reqwest with rustls
- Serialization: Serde (JSON)
- Caching: Moka
- Rate Limiting: Governor
- Logging: Tracing
- Error Handling: Anyhow + Thiserror
Configuration
Environment Variables
| Variable | Required | Default | Description |
|---|---|---|---|
| ONELOGIN_CLIENT_ID | Yes (single-tenant mode) | - | OneLogin API Client ID |
| ONELOGIN_CLIENT_SECRET | Yes (single-tenant mode) | - | OneLogin API Client Secret |
| ONELOGIN_REGION | Yes (single-tenant mode) | - | Region: us or eu |
| ONELOGIN_SUBDOMAIN | Yes (single-tenant mode) | - | Your OneLogin subdomain |
| CACHE_TTL_SECONDS | No | 300 | Cache time-to-live in seconds |
| RATE_LIMIT_RPS | No | 10 | Requests per second limit |
| ENABLE_METRICS | No | false | Enable Prometheus metrics |
| ONELOGIN_MCP_CONFIG | No | Platform default | Custom path to tool config file |
| ONELOGIN_TENANTS_CONFIG | No | Platform default | Custom path to tenants.json for multi-tenant mode |
Multi-Tenant Configuration
The server supports managing multiple OneLogin tenants from a single instance. This is useful when you manage production and staging environments, multiple business units, or need cross-tenant operations.
Setup
Create a tenants.json file at the platform default location. It stores client secrets in plaintext, so restrict it to the user running the server (for example chmod 600 on macOS/Linux) and keep it out of version control:
| Platform | Default Location |
|---|---|
| macOS | ~/Library/Application Support/onelogin-mcp/tenants.json |
| Linux | ~/.config/onelogin-mcp/tenants.json |
| Windows | C:\Users\<User>\AppData\Roaming\onelogin-mcp\tenants.json |
Override with ONELOGIN_TENANTS_CONFIG environment variable.
tenants.json Format
{
"tenants": [
{
"name": "production",
"client_id": "your_prod_client_id",
"client_secret": "your_prod_client_secret",
"region": "us",
"subdomain": "mycompany",
"default": true
},
{
"name": "staging",
"client_id": "your_staging_client_id",
"client_secret": "your_staging_client_secret",
"region": "us",
"subdomain": "mycompany-staging"
}
]
}
Usage
When multi-tenant mode is active, every tool accepts an optional tenant parameter:
{
"name": "onelogin_list_users",
"arguments": {
"tenant": "staging",
"limit": 10
}
}
Omitting tenant (or passing an empty string) uses the default tenant.
Use onelogin_list_tenants to see all configured tenants:
{
"name": "onelogin_list_tenants",
"arguments": {}
}
Backward Compatibility
- Single-tenant mode: If no tenants.json exists, the server uses environment variables (ONELOGIN_CLIENT_ID, etc.) exactly as before. No tenant parameter appears in tool schemas.
- Multi-tenant mode: When tenants.json is present, the server loads all tenants from the file. Environment variable credentials (ONELOGIN_CLIENT_ID, etc.) are not required; only shared operational settings (CACHE_TTL_SECONDS, RATE_LIMIT_RPS, etc.) are read from env vars.
Each tenant gets its own isolated authentication, rate limiting, and caching stack.
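The resolution rules above (omitted or empty tenant means the default; any other name must be configured) are small but easy to get subtly wrong. The following is an added example, not the project's own tenant manager: it enforces exactly one explicit default at load time (an assumption of this example), rejects unknown names without prefix or case-insensitive matching, and wraps the client secret in a type whose Debug output is redacted so a stray debug log of a tenant never leaks credentials. The tenant names, regions and subdomains are the ones from the tenants.json sample above.

```rust
// Added example (not project code): tenant resolution plus a redacting secret type.
use std::collections::HashMap;
use std::fmt;

/// Holds the client secret; Debug prints a placeholder instead of the value.
pub struct Secret(String);

impl Secret {
    pub fn new(s: &str) -> Self {
        Secret(s.to_string())
    }
    /// The only way to read the value, which keeps call sites easy to audit.
    pub fn expose(&self) -> &str {
        &self.0
    }
}

impl fmt::Debug for Secret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("Secret([REDACTED])")
    }
}

#[derive(Debug)]
pub struct Tenant {
    pub name: String,
    pub client_id: String,
    pub client_secret: Secret,
    pub region: String,
    pub subdomain: String,
}

#[derive(Debug, PartialEq)]
pub enum TenantError {
    NoDefault,
    MultipleDefaults(Vec<String>),
    DuplicateName(String),
    BadRegion { tenant: String, region: String },
    Unknown(String),
}

pub struct TenantManager {
    tenants: HashMap<String, Tenant>,
    default: String,
}

impl TenantManager {
    /// `entries` are (tenant, is_default) pairs as read from tenants.json.
    pub fn new(entries: Vec<(Tenant, bool)>) -> Result<Self, TenantError> {
        let mut tenants = HashMap::new();
        let mut defaults = Vec::new();
        for (t, is_default) in entries {
            // Only the two regions the README documents are accepted.
            if t.region != "us" && t.region != "eu" {
                return Err(TenantError::BadRegion { tenant: t.name, region: t.region });
            }
            if is_default {
                defaults.push(t.name.clone());
            }
            let name = t.name.clone();
            if tenants.insert(name.clone(), t).is_some() {
                return Err(TenantError::DuplicateName(name));
            }
        }
        match defaults.len() {
            0 => Err(TenantError::NoDefault),
            1 => Ok(Self { tenants, default: defaults.remove(0) }),
            _ => Err(TenantError::MultipleDefaults(defaults)),
        }
    }

    /// An omitted or empty `tenant` argument selects the default tenant; any
    /// other value must match a configured name exactly, so "prod" never
    /// silently lands on "production".
    pub fn resolve(&self, tenant: Option<&str>) -> Result<&Tenant, TenantError> {
        let key = match tenant {
            None | Some("") => self.default.as_str(),
            Some(name) => name,
        };
        self.tenants.get(key).ok_or_else(|| TenantError::Unknown(key.to_string()))
    }

    /// Sorted tenant names, what onelogin_list_tenants would return.
    pub fn names(&self) -> Vec<&str> {
        let mut v: Vec<&str> = self.tenants.keys().map(String::as_str).collect();
        v.sort();
        v
    }
}

/// Small constructor so sample tenants read like the JSON they come from.
pub fn tenant(name: &str, client_id: &str, secret: &str, region: &str, subdomain: &str) -> Tenant {
    Tenant {
        name: name.into(),
        client_id: client_id.into(),
        client_secret: Secret::new(secret),
        region: region.into(),
        subdomain: subdomain.into(),
    }
}
```

Returning an error for an unknown name, rather than falling back to the default, matters: a typo in a tenant argument should fail loudly instead of running a write against production.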
Getting OneLogin API Credentials
- Log in to your OneLogin admin portal
- Navigate to Administration β Developers β API Credentials
- Click New Credential
- Select the least-privileged permission set that covers the tools you plan to enable: Read users is enough for read-only workflows, Manage users only when user create/update/delete tools are enabled, and likewise for any other required permissions
- Copy the Client ID and Client Secret
Tool Configuration
The MCP server supports fine-grained control over which tools are enabled. By default, 46 core tools are enabled while 108 specialized tools are disabled. Treat this configuration as the allow-list for what an AI assistant may do against your tenant: enable only the categories a workflow needs, and disable destructive tools in otherwise-enabled categories (for example onelogin_delete_user and onelogin_set_password) unless they are explicitly required.
Configuration File Location
| Platform | Default Location |
|---|---|
| macOS | ~/Library/Application Support/onelogin-mcp/config.json |
| Linux | ~/.config/onelogin-mcp/config.json |
| Windows | C:\Users\<User>\AppData\Roaming\onelogin-mcp\config.json |
Override with ONELOGIN_MCP_CONFIG environment variable.
Default Configuration
Enabled by Default (46 tools):
- users - Core identity management (14 tools)
- apps - Application management (5 tools)
- roles - Role-based access control (5 tools)
- groups - Group management (5 tools)
- connectors - App connector templates (2 tools)
- custom_attributes - Custom user fields (4 tools)
- invitations - User onboarding (2 tools)
- events - Audit logs (4 tools)
- reports - Monitoring reports (4 tools)
- tenant_management - List configured tenants (1 tool)
Disabled by Default (108 tools):
app_rules, mfa, saml, smart_hooks, vigilance, privileges, user_mappings, embed_tokens, oauth, oidc, directories, branding, self_registration, login, api_auth, role_resources, rate_limits, risk
Configuration File Format
{
"version": "1",
"hot_reload": true,
"categories": {
"users": true,
"apps": true,
"mfa": false,
"saml": false
}
}
Tool-Level Overrides
Override individual tools within a category:
{
"version": "1",
"categories": {
"users": {
"enabled": true,
"tools": {
"onelogin_delete_user": false,
"onelogin_set_password": false
}
}
}
}
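How the category flags, per-tool overrides and built-in defaults combine decides what an assistant can call, so it is worth seeing the resolution in code. The block below is an added example, not the server's own tool registry. The precedence it implements is an assumption of this example: a tool-level override wins in either direction (so a single tool can be switched on inside a disabled category, as the CLI's per-tool enable suggests), then the category flag, then the built-in default for categories the file does not mention. The registry is a constructed subset of the real 154 tools, using only tool names that appear in this README; a check for overrides that name non-existent tools is included because a typo in a deny entry otherwise leaves the real tool enabled.

```rust
// Added example (not project code): effective tool allow-list from a config.json-shaped config.
use std::collections::{BTreeSet, HashMap};

/// Equivalent of `"users": true` or of
/// `"users": { "enabled": true, "tools": { "onelogin_delete_user": false } }`.
pub struct CategoryConfig {
    pub enabled: bool,
    pub tools: HashMap<String, bool>,
}

impl CategoryConfig {
    pub fn flag(enabled: bool) -> Self {
        CategoryConfig { enabled, tools: HashMap::new() }
    }
    pub fn with_overrides(enabled: bool, overrides: &[(&str, bool)]) -> Self {
        let tools = overrides.iter().map(|(t, on)| (t.to_string(), *on)).collect();
        CategoryConfig { enabled, tools }
    }
}

/// Categories that are on when config.json does not mention them
/// (the README's 46 default-enabled tools live in these).
pub const DEFAULT_ON: &[&str] = &[
    "users", "apps", "roles", "groups", "connectors", "custom_attributes",
    "invitations", "events", "reports", "tenant_management",
];

/// Constructed subset of the real registry: (tool, category).
pub fn sample_registry() -> Vec<(&'static str, &'static str)> {
    vec![
        ("onelogin_list_users", "users"),
        ("onelogin_delete_user", "users"),
        ("onelogin_set_password", "users"),
        ("onelogin_create_smart_hook", "smart_hooks"),
        ("onelogin_get_smart_hook_logs", "smart_hooks"),
        ("onelogin_get_risk_score", "vigilance"),
        ("onelogin_list_tenants", "tenant_management"),
    ]
}

/// Tool override > category flag > built-in default.
pub fn is_enabled(cfg: &HashMap<String, CategoryConfig>, category: &str, tool: &str) -> bool {
    match cfg.get(category) {
        Some(c) => c.tools.get(tool).copied().unwrap_or(c.enabled),
        None => DEFAULT_ON.contains(&category),
    }
}

/// The set of tools the server would advertise in tools/list.
pub fn enabled_tools(
    cfg: &HashMap<String, CategoryConfig>,
    registry: &[(&str, &str)],
) -> BTreeSet<String> {
    registry
        .iter()
        .filter(|(tool, cat)| is_enabled(cfg, cat, tool))
        .map(|(tool, _)| tool.to_string())
        .collect()
}

/// Overrides that name a tool not present in that category. Run this before
/// serving: a misspelled deny entry silently leaves the real tool enabled.
pub fn unknown_overrides(
    cfg: &HashMap<String, CategoryConfig>,
    registry: &[(&str, &str)],
) -> Vec<String> {
    let mut bad = Vec::new();
    for (cat, c) in cfg {
        for tool in c.tools.keys() {
            let known = registry
                .iter()
                .any(|(t, tc)| *t == tool.as_str() && *tc == cat.as_str());
            if !known {
                bad.push(format!("{}/{}", cat, tool));
            }
        }
    }
    bad.sort();
    bad
}
```

With the override file from this section (users on, delete/set-password off) plus smart_hooks off except onelogin_create_smart_hook, the advertised set is onelogin_list_users, onelogin_create_smart_hook and, via the default, onelogin_list_tenants.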
Hot Reload
When hot_reload is enabled (default), the server automatically reloads configuration when the file changes. No restart required. Because a single file write is enough to re-enable a disabled tool such as onelogin_delete_user, protect config.json with the same file permissions as your credentials and treat edits to it as changes to what an AI assistant is allowed to do.
CLI Commands
The server includes a CLI for managing tool configuration:
Initialize Configuration
# Create default config file
onelogin-mcp-server config init
# Overwrite existing config
onelogin-mcp-server config init --force
View Configuration
# Show current config status
onelogin-mcp-server config show
# Show config file path
onelogin-mcp-server config path
# List all categories
onelogin-mcp-server config categories
# List all tools
onelogin-mcp-server config tools
# List tools in a specific category
onelogin-mcp-server config tools --category users
Enable/Disable Tools
# Enable all categories
onelogin-mcp-server config enable all
# Enable a category
onelogin-mcp-server config enable mfa
# Disable a category
onelogin-mcp-server config disable smart_hooks
# Enable a specific tool
onelogin-mcp-server config enable onelogin_create_smart_hook
# Disable a specific tool
onelogin-mcp-server config disable onelogin_delete_user
Edit & Reset
# Open config in default editor
onelogin-mcp-server config edit
# Reset to defaults
onelogin-mcp-server config reset
# Reset without confirmation
onelogin-mcp-server config reset --yes
Example Workflow
# Initialize config
onelogin-mcp-server config init
# Enable MFA tools for a project
onelogin-mcp-server config enable mfa
# But disable dangerous operations
onelogin-mcp-server config disable onelogin_delete_user
# View the result
onelogin-mcp-server config show
# Start the server
onelogin-mcp-server
Development
Project Structure
onelogin-mcp-server/
βββ Cargo.toml # Project configuration and dependencies
βββ .env.example # Environment template
βββ .gitignore # Git ignore rules
βββ README.md # This file
βββ QUICKSTART.md # 5-minute getting started
βββ INTEGRATION.md # Claude Desktop integration guide
βββ src/
βββ main.rs # Application entry point
βββ cli.rs # CLI commands for config management
βββ api/ # API client implementations
β βββ mod.rs # OneLoginClient aggregator
β βββ users.rs # Users API
β βββ smart_hooks.rs # Smart Hooks API
β βββ vigilance.rs # Vigilance/Risk API
β βββ ... (28 more)
βββ core/ # Core infrastructure
β βββ auth.rs # OAuth token management
β βββ client.rs # HTTP client
β βββ config.rs # Configuration
β βββ tenant_manager.rs # Multi-tenant client management
β βββ tool_config.rs # Tool enable/disable configuration
β βββ error.rs # Error types
β βββ cache.rs # Caching layer
β βββ rate_limit.rs # Rate limiting
βββ mcp/ # MCP protocol
β βββ server.rs # JSON-RPC server
β βββ tools.rs # Tool registry (with filtering)
βββ models/ # Data models
β βββ users.rs
β βββ smart_hooks.rs
β βββ ...
βββ utils/ # Utility functions
βββ mod.rs
βββ serde_helpers.rs
Building
# Development build
cargo build
# Release build (optimized)
cargo build --release
# Check for errors without building
cargo check
# Run tests
cargo test
# Run with debug logging
RUST_LOG=debug cargo run
Testing
# Run all tests
cargo test
# Run specific test
cargo test test_name
# Run tests with output
cargo test -- --nocapture
# Run tests with specific log level
RUST_LOG=debug cargo test
Code Quality
# Format code
cargo fmt
# Run linter
cargo clippy
# Fix auto-fixable issues
cargo fix
Deployment
Docker
Create a Dockerfile:
FROM rust:1.75 AS builder
WORKDIR /app
COPY . .
RUN cargo build --release

FROM debian:bookworm-slim
RUN apt-get update && \
    apt-get install -y --no-install-recommends ca-certificates && \
    rm -rf /var/lib/apt/lists/*
# Run as an unprivileged user: the server needs only stdin/stdout and outbound HTTPS.
RUN useradd --system --uid 10001 --create-home mcp
COPY --from=builder /app/target/release/onelogin-mcp-server /usr/local/bin/
USER mcp
CMD ["onelogin-mcp-server"]
Build and run (passing the secret with -e puts it in your shell history and in the container's inspectable environment; prefer --env-file with a protected file, or your orchestrator's secret injection as in the Kubernetes example below):
docker build -t onelogin-mcp-server .
docker run -e ONELOGIN_CLIENT_ID=... \
-e ONELOGIN_CLIENT_SECRET=... \
-e ONELOGIN_REGION=us \
-e ONELOGIN_SUBDOMAIN=... \
onelogin-mcp-server
Kubernetes
Example deployment:
apiVersion: apps/v1
kind: Deployment
metadata:
name: onelogin-mcp-server
spec:
replicas: 1
selector:
matchLabels:
app: onelogin-mcp-server
template:
metadata:
labels:
app: onelogin-mcp-server
spec:
containers:
- name: server
image: onelogin-mcp-server:latest
env:
- name: ONELOGIN_CLIENT_ID
valueFrom:
secretKeyRef:
name: onelogin-credentials
key: client-id
- name: ONELOGIN_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: onelogin-credentials
key: client-secret
- name: ONELOGIN_REGION
value: "us"
- name: ONELOGIN_SUBDOMAIN
value: "mycompany"
Production Checklist
- Use secret management (AWS Secrets Manager, Vault, etc.)
- Enable structured logging with log aggregation
- Set appropriate rate limits for your use case
- Configure cache TTL based on data freshness requirements
- Set up monitoring and alerting
- Implement health checks
- Use HTTPS for all external communications
- Rotate API credentials regularly
- Review and configure resource limits
- Set up automated backups if needed
Migration Use Cases
This MCP server is particularly valuable for OneLogin migration scenarios:
Password Migration
Use Smart Hooks with user-migration type to:
- Transparently migrate user passwords during first login
- Validate credentials against legacy system
- Store migrated passwords in OneLogin
Automated Provisioning
Use User Mappings to:
- Automatically assign roles based on user attributes
- Map department to appropriate applications
- Create consistent user profiles
Metadata Preservation
Use Custom Attributes to:
- Store legacy system identifiers
- Preserve custom user fields
- Maintain audit trails from source systems
Continuous Sync
Use Directory Connectors to:
- Sync with AD/LDAP in real-time
- Keep Azure AD in sync
- Maintain Google Workspace integration
Risk Monitoring
Use Vigilance AI to:
- Detect unusual login patterns during migration
- Identify potential security issues
- Enforce Smart MFA for suspicious activities
Troubleshooting
Common Issues
Authentication Errors
Problem: Authentication failed error
Solutions:
- Verify credentials in the .env file
- Check that API credentials have correct permissions
- Ensure region (US/EU) matches your OneLogin instance
- Verify subdomain is correct

# Check the non-secret settings (do not echo ONELOGIN_CLIENT_SECRET; it would land in shell history and logs)
echo $ONELOGIN_CLIENT_ID
echo $ONELOGIN_REGION
echo $ONELOGIN_SUBDOMAIN
Rate Limiting
Problem: Getting 429 (Too Many Requests) errors
Solutions:
- Reduce RATE_LIMIT_RPS in .env
- Increase cache TTL to reduce API calls
- Batch operations where possible

RATE_LIMIT_RPS=5 # Lower rate limit
CACHE_TTL_SECONDS=600 # Increase cache duration
Build Errors
Problem: Compilation fails
Solutions:
- Update Rust: rustup update
- Clean build artifacts: cargo clean
- Check dependency versions: cargo update
- Rebuild: cargo build --release
Connection Issues
Problem: Cannot connect to OneLogin API
Solutions:
- Check internet connectivity
- Verify firewall rules allow HTTPS (443)
- Check if behind corporate proxy
- Verify OneLogin service status
Debug Mode
Enable detailed logging:
# Debug level
RUST_LOG=debug cargo run
# Trace level (very verbose)
RUST_LOG=trace cargo run
# Specific module
RUST_LOG=onelogin_mcp_server::api::users=debug cargo run
Performance Tuning
Optimization Tips
1. Increase Cache TTL - For rarely changing data. Cached reads can lag a change (for example a user deactivation) by up to the TTL, so keep it short for security-relevant lookups.

   CACHE_TTL_SECONDS=600 # 10 minutes

2. Adjust Rate Limits - Based on your API tier

   RATE_LIMIT_RPS=20 # If you have higher limits

3. Connection Pool - Already optimized (10 connections per host)

4. Batch Operations - Use bulk endpoints when available
Performance Metrics
Expected performance characteristics:
- Throughput: 10-20 requests/second (configurable)
- Latency: <100ms for cached requests, ~200-500ms for API calls
- Memory: ~50MB baseline, scales with cache size
- CPU: Low (I/O bound, async runtime)
Contributing
Contributions are welcome! Please follow these guidelines:
- Fork the repository
- Create a feature branch (git checkout -b feature/amazing-feature)
- Commit your changes (git commit -m 'Add amazing feature')
- Push to the branch (git push origin feature/amazing-feature)
- Open a Pull Request
Code Standards
- Follow Rust style guidelines (cargo fmt)
- Ensure code passes linter (cargo clippy)
- Add tests for new functionality
- Update documentation
- Write clear commit messages
Documentation
- QUICKSTART.md - Get started in 5 minutes
- INTEGRATION.md - Claude Desktop integration guide
- .env.example - Configuration template
License
This project is licensed under the MIT License - see the LICENSE file for details.
Acknowledgments
- Built with Rust
- Uses Tokio async runtime
- Implements Model Context Protocol
- Integrates with OneLogin API
Support
For issues, questions, or contributions:
- Open an issue on GitHub
- Check existing documentation
- Review OneLogin API documentation
Built with ❤️ for OneLogin migrations and automation
