OneLogin SCIM Provisioning Configuration Guide

This guide will show you how to set up a OneLogin app with System for Cross-domain Identity Management (SCIM) provisioning. When done, you will have enabled an app with provisioning to securely automate and manage user identity information, such as user account creation, updates, and deactivation, between OneLogin and strongDM.

Prerequisites

Before you begin, ensure that you have the appropriate privileges and permissions:

  • In OneLogin, you must be assigned one of the following privileges: Super User or Account Owner.
  • In strongDM, you must have the Account Administrator Permission Level.

Steps

These instructions walk you through the process of adding a SCIM provisioning application in OneLogin and getting your token from the strongDM Admin UI. We recommend that you keep both OneLogin and the Admin UI open in your browser so you can easily tab between them.

Add the StrongDM app in OneLogin

  1. Log in to the OneLogin Admin portal (https://<YOUR-ORGANIZATION-NAME>.onelogin.com).
  2. Go to Apps and click the Add App button. If you have already added the strongDM app through our OneLogin SSO guide, you can skip to the following section.
  3. Search for and then select StrongDM.
  4. Enter a descriptive name for your app in the Display Name field.
  5. Click the Save button.

Get a SCIM token from strongDM

  1. Log in to the strongDM Admin UI.
  2. Go to Settings > User Management > SSO.
  3. Under SCIM Provider, select OneLogin from the drop-down menu.
  4. Click Activate SCIM.
  5. Copy and save the generated token. It is a bearer credential that authorizes OneLogin to create, update, and suspend strongDM users, so store it where you keep other secrets. You need this token when configuring provisioning for your OneLogin app in the following section.

Set up provisioning in OneLogin

  1. Go to the StrongDM app’s Configuration tab and set the following properties:
    1. SCIM Bearer Token: Enter the strongDM SCIM token (for example, aabb12fjfl445...jkhksjhf98345un) that you generated in the Admin UI.
    2. API Status: In this section, click Enable to activate the connection to the SCIM API. If you get an error, make sure the token was pasted correctly and is the most recently generated one (activating SCIM again in the Admin UI issues a new token and the old one stops working), then try again.
  2. Click Save.

Customize user provisioning in OneLogin

  1. Go to the app’s Provisioning tab.
  2. Select the checkboxes for Enable provisioning, Create user, Delete user, and Update user.
  3. For both drop-down menus (the action taken when a user is deleted in OneLogin or loses access to the app, and the action taken when a user is suspended in OneLogin), select Suspend. Suspending keeps the strongDM account in place with access disabled, so it can be reactivated later; Delete removes the account outright.
  4. Click Save.

Now you can directly add this app to each OneLogin user that you want to be provisioned to strongDM.

If you would also like to provision OneLogin roles as strongDM Roles and have OneLogin users provisioned based on the Roles they are members of, please proceed to the Customize group provisioning in OneLogin section.

Customize group provisioning in OneLogin

  1. Go to the app’s Rules tab.
  2. Click Add Rule and set the following properties:
    1. Name: Give the rule a descriptive name.
    2. Actions: Select Set Groups in %appName% from the drop-down menu. Then select the Map from OneLogin radio button.
  3. Define the Action options so that they read For each role with value that matches .* set %appName% Groups named after roles.
  4. Click Save.
  5. Go to the Parameters tab.
  6. Click the Groups field and ensure the Include in User Provisioning flag is checked.
  7. Click Save.
  8. Go to the Access tab.
  9. In the Roles section, select each of the roles that you would like to provision to strongDM.
  10. Click Save.
  11. Go to the Provisioning section of the OneLogin admin portal to review and approve any staged provisioning changes.

SCIM provisioning setup is now complete!
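The two preceding sections choose which SCIM operations OneLogin may send and what "Suspend" versus "Delete" mean for a strongDM account. The following added example (not strongDM's or OneLogin's code) shows the SCIM 2.0 messages behind those settings: create a user, push a group that mirrors a OneLogin role, suspend the user, and delete the user, handled by a small in-memory SCIM service so the exchange runs offline. The paths and schemas are the standard SCIM 2.0 ones (RFC 7644); the service, the token value, and the user and group names are constructed for the example, and the exact attributes OneLogin sends depend on its Parameters mappings.

```python
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


def scim_headers(token):
    """Every request carries the SCIM bearer token generated in the Admin UI."""
    return {"Authorization": f"Bearer {token}", "Content-Type": "application/scim+json"}


def create_user(email, given_name, family_name):
    """'Create user': POST /Users with the core User attributes."""
    body = {"schemas": [USER_SCHEMA], "userName": email,
            "name": {"givenName": given_name, "familyName": family_name},
            "emails": [{"value": email, "primary": True}], "active": True}
    return "POST", "/Users", body


def set_active(user_id, active):
    """'Suspend' (active=false) or reactivate: PATCH /Users/{id} replacing 'active'."""
    body = {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": active}]}
    return "PATCH", f"/Users/{user_id}", body


def delete_user(user_id):
    """'Delete': DELETE /Users/{id}. The account is gone and cannot be reactivated."""
    return "DELETE", f"/Users/{user_id}", None


def set_group_members(group_id, user_ids):
    """Role-to-group push: PATCH /Groups/{id} replacing the member list."""
    body = {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "members",
                            "value": [{"value": uid} for uid in user_ids]}]}
    return "PATCH", f"/Groups/{group_id}", body


class InMemoryScimService:
    """Constructed stand-in for the provider side: checks the token, stores Users and Groups."""

    def __init__(self, token):
        self.token = token
        self.users, self.groups = {}, {}

    def create_group(self, display_name):
        gid = str(uuid.uuid4())
        self.groups[gid] = {"schemas": [GROUP_SCHEMA], "id": gid,
                            "displayName": display_name, "members": []}
        return gid

    def handle(self, headers, request):
        method, path, body = request
        # A wrong or rotated token is rejected before anything else; this is the
        # failure seen when clicking Enable under API Status with a bad token.
        if headers.get("Authorization") != f"Bearer {self.token}":
            return 401, {"schemas": [ERROR_SCHEMA], "status": "401", "detail": "invalid token"}
        resource, _, rid = path.strip("/").partition("/")
        store = {"Users": self.users, "Groups": self.groups}[resource]
        if method == "POST" and resource == "Users":
            uid = str(uuid.uuid4())
            store[uid] = dict(body, id=uid)
            return 201, store[uid]
        if rid not in store:
            return 404, {"schemas": [ERROR_SCHEMA], "status": "404"}
        if method == "PATCH":
            for op in body["Operations"]:
                if op["op"] == "replace":
                    store[rid][op["path"]] = op["value"]
            return 200, store[rid]
        if method == "DELETE":
            del store[rid]
            if resource == "Users":  # a deleted user also leaves every group
                for group in self.groups.values():
                    group["members"] = [m for m in group["members"] if m["value"] != rid]
            return 204, None
        return 405, {"schemas": [ERROR_SCHEMA], "status": "405"}


def provisioning_walkthrough(token="scim-token-from-admin-ui"):
    """Create -> push group -> suspend -> delete, recording what each step leaves behind."""
    svc, hdrs = InMemoryScimService(token), scim_headers(token)
    status, user = svc.handle(hdrs, create_user("ada@example.com", "Ada", "Lovelace"))
    uid = user["id"]
    gid = svc.create_group("Engineering")  # mirrors a OneLogin role pushed as a group
    svc.handle(hdrs, set_group_members(gid, [uid]))
    svc.handle(hdrs, set_active(uid, False))  # what the Suspend drop-down choice sends
    result = {"create_status": status,
              "present_after_suspend": uid in svc.users,
              "active_after_suspend": svc.users[uid]["active"],
              "wrong_token_status": svc.handle(scim_headers("stale"), set_active(uid, True))[0]}
    svc.handle(hdrs, delete_user(uid))  # what the Delete choice would send instead
    result["present_after_delete"] = uid in svc.users
    result["group_members_after_delete"] = svc.groups[gid]["members"]
    return result
```

Running provisioning_walkthrough() shows the practical difference between the two drop-down choices: after the suspend PATCH the account is still present with active set to false and can be restored by a later PATCH, whereas after DELETE the account and its group memberships are gone. The 401 branch is the same outcome you get in OneLogin when the pasted token is wrong or has been replaced by re-activating SCIM in the Admin UI.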

How to Remove strongDM Roles Not Provisioned from OneLogin

OneLogin does not send role (SCIM group) deletions through provisioning, so strongDM Roles that were provisioned from OneLogin cannot be removed from the OneLogin side. To remove such Roles, you must do the following:

  1. Disable provisioning in strongDM. To do this in the Admin UI, follow these steps:
    1. Go to Settings > User Management > Provisioning.
    2. Under SCIM Provider, select None - provisioning disabled from the drop-down menu.
  2. Delete the strongDM Role(s) that you want removed. To do this in the Admin UI, follow these steps:
    1. Go to Access > Roles.
    2. Select the Role you want to remove.
    3. From that Role’s Settings tab, click Delete role.
  3. Re-enable provisioning in strongDM and get a new SCIM token. To do this in the Admin UI, follow these steps:
    1. Go back to Settings > User Management > Provisioning.
    2. Under SCIM Provider, select OneLogin from the drop-down menu.
    3. Click Activate SCIM, then copy and save the newly generated token. The previous token no longer works.
  4. Go to your OneLogin app’s Configuration tab, update the SCIM Bearer Token with the new token, and click Enable under API Status to confirm the connection.