Version: Config V2

(Beta) User Provisioning (SCIM) with OneLogin


Beta Feature: SCIM provisioning is in public beta. It has been thoroughly tested with various Identity Providers. We're now collecting feedback from real-world usage to fine-tune the experience. Share your feedback here.

Introduction

Each Identity Provider requires specific information to configure a SCIM integration. This guide walks you through connecting ConfigCat with OneLogin via SCIM.

1. Create an Application in OneLogin

  • Log in to OneLogin, select Applications and click on Add App.

  • Type SCIM V2 into the search bar, and select SCIM Provisioner with SAML (SCIM v2 Core).

  • Enter a descriptive Display Name, then click Save.


2. Configure Provisioning (SCIM) for the OneLogin Application

  • Gather the SCIM URL and the Token from the Authentication & Provisioning page in ConfigCat.

  • In the API Connection section of the OneLogin application's Configuration tab, configure the following:

    • Add the SCIM URL from the ConfigCat Dashboard as the SCIM Base URL.
    • Add the Token from the ConfigCat Dashboard as the SCIM Bearer Token.
    • Add the following as the SCIM JSON Template:
      {
        "schemas": [
          "urn:ietf:params:scim:schemas:core:2.0:User"
        ],
        "userName": "{$parameters.scimusername}",
        "displayName": "{$user.display_name}"
      }
  • On the OneLogin application's Provisioning tab, configure the following:

    • Check the Enable provisioning checkbox.
    • Configure the other checkboxes and dropdowns based on your preference.
  • On the OneLogin application's Parameters tab, configure the following:

    • Set Email as the scimusername parameter.
    • Check the Include in User Provisioning checkbox for the Groups parameter.
  • On the OneLogin application's Rules tab, configure which property OneLogin should send to ConfigCat as the user's groups.
    In the following example, we map the user's role in OneLogin to the synced group in ConfigCat, but you can create other mappings based on your preference. Read more about mappings here.

    • Click on the Add rule button.
    • Specify a Name for your rule.
    • Under Actions, select Set Groups in ##YOUR APPLICATION NAME##.
    • Select role in the For each dropdown.
    • Set .* for the with value that matches input.
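
A pre-flight check for the SCIM JSON Template and the scimusername mapping from step 2, as an added example that is not ConfigCat's or OneLogin's own code. It assumes that an unmapped macro renders as an empty string; the sample user values and the function names are constructed for illustration.

```python
import json
import re

# SCIM JSON Template as entered in the OneLogin API Connection section.
TEMPLATE = """{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "{$parameters.scimusername}",
  "displayName": "{$user.display_name}"
}"""
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PLACEHOLDER = re.compile(r"\{\$([A-Za-z0-9_.]+)\}")


def render(template: str, values: dict) -> dict:
    """Substitute {$name} macros, then parse the result as JSON.
    Assumption: a macro with no value renders as an empty string."""
    def sub(match):
        # JSON-escape the value so quotes in a display name cannot break the document.
        return json.dumps(values.get(match.group(1), ""))[1:-1]
    return json.loads(PLACEHOLDER.sub(sub, template))


def check_user(payload: dict) -> list:
    """Return the problems that would leave the provisioned user unusable."""
    problems = []
    if USER_SCHEMA not in payload.get("schemas", []):
        problems.append("schemas lacks the SCIM core User URN")
    user_name = payload.get("userName", "")
    if not user_name.strip():
        problems.append("userName is empty: scimusername parameter is not mapped")
    elif not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", user_name):
        # The guide maps Email to scimusername, so any other shape means a wrong mapping.
        problems.append("userName is not an email address")
    if not payload.get("displayName", "").strip():
        problems.append("displayName is empty")
    return problems


# Constructed values: what is substituted once scimusername is set to Email.
GOOD = {"parameters.scimusername": "jane.doe@example.com",
        "user.display_name": 'Jane "JD" Doe'}
# Constructed failure case: the scimusername parameter was left unmapped.
UNMAPPED = {"user.display_name": "Jane Doe"}

if __name__ == "__main__":
    for label, values in (("mapped", GOOD), ("unmapped", UNMAPPED)):
        print(label, check_user(render(TEMPLATE, values)))
```
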

3. Assign users manually to the application or set access based on policies/roles on the OneLogin application's Access tab.


4. Start provisioning

  • On the OneLogin application's Configuration tab, click on the Enable button to start provisioning.

  • Wait until the first provisioning run is finished; you should then see each synced group and user on ConfigCat's Authentication & Provisioning page.

5. Next Steps