OneLogin Directory

This guide helps administrators sync their OneLogin directory with an application they want to onboard. Integrating your application with OneLogin automates user management tasks and keeps access rights up-to-date.

Setting up the integration involves:

1. Endpoint: The URL where OneLogin sends requests to your application, enabling communication between them.
2. Bearer Token: A token OneLogin uses to authenticate its requests to the endpoint, ensuring security and authorization.

By setting up these components, you enable seamless synchronization between your application and the OneLogin directory.

1. Create an endpoint and API token

   Open the Admin Portal from the app being onboarded and select the “Directory Sync” tab. Choose “OneLogin” as your Directory Provider.

   

   Click “Configure” to generate an Endpoint URL and Bearer token for your organization.

   

   Note

   If the “Directory Sync” tab is not visible, contact the app owner to enable it via the Scalekit Dashboard (Organizations > Your Organization > Enable Directory Sync).

2. Add a new application in OneLogin

   In OneLogin, click “Administration” and then “Applications” from the top navigation pane.

   

   Click “Add App” to add a new application.

   

   Search for “SCIM Provisioner with SAML (SCIM v2 Enterprise)”

   

   Name the app (e.g., “Hero SaaS App”) and click “Save”.

   

   Go to the “Provisioning” tab, enable provisioning, and click “Save”.

   

3. Provision users

   Go to “Users” and click on a user you want to provision.

   

   Note

   You can create a new user for testing. Ensure users have a “username” property, which will be treated as a unique identifier in SCIM implementations. Using an email address as the username is also allowed.

   Go to the “Applications” tab, click ”+”, and assign “Hero SaaS App”. Click “Continue”.

   

   Click “Pending” to approve provisioning.

   

   The status should change to “Provisioned” within a few seconds.

   

   This action informs the Hero SaaS app that the user is approved for access, and the app can create an account for them. You can see the new user added to the “Hero SaaS App” in the portal.

   

4. Configure group provisioning

   Applications being onboarded may have roles that scope access, such as “admin” roles allowing users to perform administrator actions like deleting logs. You can choose which users in your organization get administrator access while others get member access.

   Note

   Labels such as “Member” and “Admin” are specific to the app. Check the “Access Roles” section in the configuration portal provided by the application (in this case, Hero SaaS App). The app owner must enable this section based on its applicability.

   To map users to groups in the app being onboarded:

   1. Create a role in OneLogin.
   2. Enable the inclusion of the Group parameter.
   3. Create a rule that automatically picks up a user’s role value and sets it to the Group parameter.
   4. Assign the role to the user.
   5. Assign the user to the app.

5. Configure provisioning settings for groups

   Navigate to the list of Applications and select “Hero SaaS App”. Ensure the provisioning workflow is enabled in the “Provisioning” tab.

   

   Switch to “Rules” Tab and Click “Add Rule” button.

   Name the rule (e.g., “Assign Group in Hero SaaS”) and set the action to “Set Groups in Hero SaaS App” for each “role” with any value.

   

   Select the “Parameters” tab, click on the “Groups” row, and check “Include in User Provisioning” in the popup.

   

6. Create and assign roles

   Click on the user and navigate to “Applications”.

   

   Add “Hero SaaS App” and select the roles to be passed to the app (treated as Groups by Hero SaaS App).

   

   Approve the user provisioning along with the Group.

   

   Finally, verify that the groups are sent to the Hero SaaS App from the administrator portal where you configured the OneLogin connection.