Skip to main content

OneLogin SCIM

Sync user lists with apps during onboarding

Overview

This guide helps administrators sync their OneLogin Directory with an application they want to onboard. Integrating your application with OneLogin automates user management tasks and keeps access rights up-to-date.

Setting up the integration involves:

  1. Endpoint: The URL where OneLogin sends requests to your application, enabling communication between them.
  2. Bearer Token: A token OneLogin uses to authenticate its requests to the endpoint, ensuring security and authorization.

By setting up these components, you enable seamless synchronization between your application and the OneLogin directory.

Setting Up the Endpoint and API Token

Open the Admin Portal from the app being onboarded and select the "Directory Sync" tab.

Choose "OneLogin" as your Directory Provider.

Setting up Directory Sync in the admin portal of an app being onboarded: OneLogin selected as the provider, awaiting
configuration

Setting up Directory Sync in the admin portal of an app being onboarded: OneLogin selected as the provider, awaiting configuration

Click "Configure" to generate an Endpoint URL and Bearer token for your organization.

OneLogin directory sync setup: Endpoint URL and one-time visible bearer token
provided

OneLogin directory sync setup: Endpoint URL and one-time visible bearer token provided

note

If the "Directory Sync" tab is not visible, contact the app owner to enable it via the Scalekit Dashboard (Organizations > Your Organization > Enable Directory Sync).

Add New Application in OneLogin

In OneLogin, click "Administration" and then "Applications" from the top navigation pane.

Click "Add App" to add a new application.

The OneLogin Applications page displays a list of apps with options to download JSON or add a new app.

Search for "SCIM Provisioner with SAML (SCIM v2 Enterprise)"

OneLogin application search results for "SCIM Provisioner with SAML" displaying SCIM v2 Enterprise option.

Name the app (e.g., "Hero SaaS App") and click "Save".

Configuring the portal settings for the application in OneLogin, including display name and icon
options.

Configuring the portal settings for the application in OneLogin, including display name and icon options.

Go to the "Provisioning" tab, enable provisioning, and click "Save".

Setting up provisioning workflow for SCIM Provisioner with SAML in OneLogin, including options for user creation,
deletion, and suspension actions.

Setting up provisioning workflow for SCIM Provisioner with SAML in OneLogin, including options for user creation, deletion, and suspension actions.

Provisioning Users

Go to "Users" and click on a user you want to provision.

OneLogin Users dashboard displaying user information, including roles, last login time, and account
status.

OneLogin Users dashboard displaying user information, including roles, last login time, and account status.

note

You can create a new user for testing. Ensure users have a "username" property, which will be treated as a unique identifier in SCIM implementations. Using an email address as the username is also allowed.

Go to the "Applications" tab, click "+", and assign "Hero SaaS App". Click "Continue".

Assigning a new login to a user in OneLogin

Assigning a new login to a user in OneLogin

Click “Pending” to approve provisioning.

OneLogin user provisioning dialog for creating Kitty Flake in Hero SaaS App, with options to approve or skip the
action.

OneLogin user provisioning dialog for creating Kitty Flake in Hero SaaS App, with options to approve or skip the action.

The status should change to "Provisioned" within a few seconds.

OneLogin user profile for Kitty Flake displaying assigned applications, with Hero SaaS App provisioned and
admin-configured.

OneLogin user profile for Kitty Flake displaying assigned applications, with Hero SaaS App provisioned and admin-configured.

This action informs the Hero SaaS app that the user is approved for access, and the app can create an account for them. You can see the new user added to the "Hero SaaS App" in the portal.

OneLogin Directory Sync interface showing user details for Kitty Flake in Your organization, with SCIM integration
status.

OneLogin Directory Sync interface showing user details for Kitty Flake in Your organization, with SCIM integration status.

Congratulations! You have successfully provisioned a user with the Hero SaaS Application.

Provisioning Groups

Applications being onboarded may have roles that scope access, such as "admin" roles allowing users to perform administrator actions like deleting logs. You can choose which users in your organization get administrator access while others get member access.

note

Labels such as "Member" and "Admin" are specific to the app. Check the "Access Roles" section in the configuration portal provided by the application (in this case, Hero SaaS App). The app owner must enable this section based on its applicability.

To map users to groups in the app being onboarded:

  1. Create a role in OneLogin.
  2. Enable the inclusion of the Group parameter.
  3. Create a rule that automatically picks up a user's role value and sets it to the Group parameter.
  4. Assign the role to the user.
  5. Assign the user to the app.

Configuring Provisioning for Groups

Navigate to the list of Applications and select "Hero SaaS App”. Ensure the provisioning workflow is enabled in the "Provisioning" tab.

Setting up provisioning workflow for SCIM Provisioner with SAML in OneLogin, including options for user creation,
deletion, and suspension actions.

Setting up provisioning workflow for SCIM Provisioner with SAML in OneLogin, including options for user creation, deletion, and suspension actions.

Switch to “Rules” Tab and Click “Add Rule” button.

Name the rule (e.g., "Assign Group in Hero SaaS") and set the action to "Set Groups in Hero SaaS App" for each "role" with any value.

Configuring a new mapping for group assignment in the Hero SaaS App using
OneLogin.

Configuring a new mapping for group assignment in the Hero SaaS App using OneLogin.

Configuring a new mapping for group assignment in the Hero SaaS App using OneLogin.

Select the "Parameters" tab, click on the "Groups" row, and check "Include in User Provisioning" in the popup.

Configuring field groups in OneLogin for SCIM provisioning, including SAML assertion and user provisioning
options.

Configuring field groups in OneLogin for SCIM provisioning, including SAML assertion and user provisioning options.

Configuring field groups in OneLogin for SCIM provisioning, including SAML assertion and user provisioning options.

Creating a Role in OneLogin

Click on the user and navigate to "Applications".

Assigning the 'Hero SaaS App' to the 'hero_saas_viewer' role in
OneLogin.

Assigning the 'Hero SaaS App' to the 'hero_saas_viewer' role in OneLogin.

Assigning the 'Hero SaaS App' to the 'hero_saas_viewer' role in OneLogin.

Add "Hero SaaS App" and select the roles to be passed to the app (treated as Groups by Hero SaaS App).

Viewing application assignment and status for 'Test User' in OneLogin, with 'Hero SaaS App'
pending.

Viewing application assignment and status for 'Test User' in OneLogin, with 'Hero SaaS App' pending.

Approve the user provisioning along with the Group.

Approving 'Test User' for the 'Hero SaaS App' with assigned groups: Viewer and
hero_saas_viewer.

Approving 'Test User' for the 'Hero SaaS App' with assigned groups: Viewer and hero_saas_viewer.

Approving 'Test User' for the 'Hero SaaS App' with assigned groups: Viewer and hero_saas_viewer.

Finally, verify that the groups are sent to the Hero SaaS App from the administrator portal where you configured the OneLogin connection.

Directory sync status for Your Organization, showing linked groups and user count in
OneLogin.

Directory sync status for Your Organization, showing linked groups and user count in OneLogin.

Congratulations! You have successfully provisioned groups along with users.


Is this page helpful? Yes No