SaaS app gating with Twingate and OneLogin enables you to require an authorized connection to a Twingate Connector as a prerequisite for IdP Auth to a SaaS Resource. This is similar in concept to IP whitelisting inside a SaaS app, but the IP check and approval/disapproval happens at the IdP Auth stage instead of being configured in the SaaS application directly.
As this use case is dependent on an IP address associated with one or more Twingate Connectors, the first step is to create a Twingate Resource associated with your organization's OneLogin tenant URL (e.g. mycompany.onelogin.com) and associating that Resource with one or more Groups. Doing this means that authorized users attempting to authenticate through OneLogin will be coming from the exit IP address associated with the Twingate Remote network used to enable connectivity to the new Resource. This is the IP address you'll use as part of the OneLogin App Policy configuration.
In the OneLogin admin console, navigate to Security -> Policies and select New App Policy.
At the App Policy configuration screen, name your App Policy (in this case, we've named it Twingate SaaS App Gate). You'll also see a box to the right titled Allowed IP Addresses. In that field, you'll insert the public exit IP address for the Remote network where your Connectors are deployed.
Within the OneLogin admin console, navigate to Applications -> Applications and select the app you'd like to apply the OneLogin App Policy to (e.g. Google Workspace).
Go to Access -> Policies and select your App Policy (in this case, we've used "Twingate SaaS App Gating", then hit save in the upper right corner of the console.
This rule ensures that attempts to access the app in question will only be allowed if the user is connected to Twingate with an authorized account that belongs to the correct Twingate Group.
Updated about 1 month ago