OneLogin SCIM Provisioning Configuration Guide

Last modified on October 4, 2023

Overview

This guide shows you how to set up a OneLogin app with SCIM (System for Cross-domain Identity Management) provisioning. You can use SCIM provisioning to securely automate and manage user identity information, such as user account creation, updates, and deactivation between OneLogin and StrongDM.

You can enable provisioning in either of the StrongDM apps listed in the OneLogin portal, depending on which single sign-on (SSO) method you plan on using (that is, OIDC or SAML). If you do not plan on also using OneLogin for SSO with StrongDM, it does not matter which app you choose.

Prerequisites

Before you begin, ensure that you have the appropriate privileges and permissions:

  • In OneLogin, you must be assigned one of the following privileges: Super User or Account Owner.
  • In StrongDM, you must have the Account Administrator Permission Level.

Steps

These instructions walk you through the process of adding a SCIM provisioning application in OneLogin and getting your token from the StrongDM Admin UI.

Add a StrongDM app in OneLogin

If you have already added a StrongDM app through either our OIDC SSO guide or our SAML SSO guide, you can skip to the following section.

  1. Log in to the OneLogin Admin portal (https://<YOUR-ORGANIZATION-NAME>.onelogin.com).
  2. Go to Apps and click the Add App button.
  3. Search for and then select StrongDM. If you plan on also using SSO in addition to provisioning, pick the StrongDM app that matches the SSO method that you use with OneLogin (OIDC or SAML). If you do not plan on using SSO, select either app.
  4. Enter a descriptive name for your app in the Display Name field.
  5. Click the Save button.

Get a SCIM token from StrongDM

  1. Log in to the StrongDM Admin UI.
  2. Go to Settings > User Management > SSO.
  3. Under SCIM Provider, select OneLogin from the drop-down menu.
  4. Click Activate SCIM.
  5. Copy and save the generated token. You need this token when configuring provisioning for your OneLogin app in the following section.

Set up provisioning in OneLogin

  1. Go to the StrongDM app’s Configuration tab and set the following properties:
    1. SCIM Bearer Token: Enter the StrongDM SCIM token (for example, aabb12fjfl445...jkhksjhf98345un) that you generated in the Admin UI.
    2. API Status: In this section, click Enable to activate the connection to the SCIM API. If you get an error, make sure your secret token is correct and try again.
  2. Click Save.

Customize user provisioning in OneLogin

  1. Go to the app’s Provisioning tab.
  2. Select the checkboxes for Enable provisioning, Create user, Delete user, and Update user.
  3. For both of the drop-down menus, set the options to Suspend.
  4. Click Save.

Now you can directly add this app to each OneLogin user that you want to be provisioned to StrongDM.

If you would also like to provision OneLogin roles as StrongDM Roles and have OneLogin users provisioned based on the Roles they are members of, please proceed to the Customize group provisioning in OneLogin section.

Customize group provisioning in OneLogin

  1. Go to the app’s Rules tab.
  2. Click Add Rule and set the following properties:
    1. Name: Give the rule a descriptive name.
    2. Actions: Select Set Groups in %appName% from the drop-down menu. Then select the Map from OneLogin radio button.
  3. Define the Action options so that they read For each role with value that matches .* set %appName% Groups named after roles.
  4. Click Save.
  5. Go to the Parameters tab.
  6. Click the Groups field and ensure the Include in User Provisioning flag is checked.
  7. Click Save.
  8. Go to the Access tab.
  9. In the Roles section, select each of the roles that you would like to provision to StrongDM.
  10. Click Save.
  11. Go to the Provisioning section of the OneLogin admin portal to review and approve any staged provisioning changes.

SCIM provisioning setup is now complete!
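The checkboxes and rules configured above drive ordinary SCIM 2.0 requests from OneLogin to StrongDM: a POST to the Users endpoint when Create user fires, a PATCH that clears the active flag for the Suspend action, and a Group per OneLogin role for the Groups named after roles rule. The following is an added example, not StrongDM's or OneLogin's code: the endpoint paths, resource ids, sample user data and the in-memory directory are all constructed here, and the ScimDirectory.authorized check shows the bearer-token validation a SCIM provider should perform on every request, which is why the token generated in the Admin UI must be kept secret and rotated as described later on this page.

```python
"""Illustration of the SCIM 2.0 traffic behind the OneLogin provisioning
settings. Added example; not StrongDM's or OneLogin's code. The endpoint
paths, ids and the in-memory directory are constructed assumptions."""
import hmac
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


def user_resource(user_name, given_name, family_name, email):
    """Body a SCIM client POSTs to /Users when 'Create user' fires."""
    return {
        "schemas": [USER_SCHEMA],
        "userName": user_name,
        "name": {"givenName": given_name, "familyName": family_name},
        "emails": [{"value": email, "primary": True}],
        "active": True,
    }


def suspend_patch():
    """PATCH body for the 'Suspend' action: the account is kept but disabled."""
    return {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "replace", "value": {"active": False}}],
    }


def group_resource(role_name, member_ids):
    """Body for the 'Groups named after roles' rule: one SCIM Group per role."""
    return {
        "schemas": [GROUP_SCHEMA],
        "displayName": role_name,
        "members": [{"value": uid} for uid in member_ids],
    }


class ScimDirectory:
    """Minimal in-memory SCIM provider (constructed for this example)."""

    def __init__(self, bearer_token):
        self._token = bearer_token.encode()
        self.users = {}
        self.groups = {}

    def authorized(self, headers):
        scheme, _, presented = headers.get("Authorization", "").partition(" ")
        # Constant-time comparison so a wrong token leaks nothing via timing.
        return scheme == "Bearer" and hmac.compare_digest(
            presented.encode(), self._token
        )

    def handle(self, method, path, headers, body=None):
        """Dispatch one request; returns (HTTP status, response body)."""
        if not self.authorized(headers):
            return 401, {"schemas": [ERROR_SCHEMA], "status": "401"}
        if method == "POST" and path == "/Users":
            uid = str(uuid.uuid4())
            self.users[uid] = dict(body, id=uid)
            return 201, self.users[uid]
        if method == "PATCH" and path.startswith("/Users/"):
            user = self.users.get(path[len("/Users/"):])
            if user is None:
                return 404, {"schemas": [ERROR_SCHEMA], "status": "404"}
            for op in body.get("Operations", []):
                if op.get("op") == "replace":
                    user.update(op.get("value", {}))
            return 200, user
        if method == "POST" and path == "/Groups":
            gid = str(uuid.uuid4())
            self.groups[gid] = dict(body, id=gid)
            return 201, self.groups[gid]
        return 404, {"schemas": [ERROR_SCHEMA], "status": "404"}


def provision_demo(token="example-scim-token"):
    """Create a user, map a role to a group, then suspend the user.

    The token and user data are constructed sample values."""
    scim = ScimDirectory(token)
    good = {"Authorization": "Bearer " + token}
    bad = {"Authorization": "Bearer " + token[:-1]}  # one byte short
    denied, _ = scim.handle("POST", "/Users", bad,
                            user_resource("x", "X", "Y", "x@example.com"))
    status, user = scim.handle("POST", "/Users", good,
                               user_resource("j.doe", "Jane", "Doe",
                                             "j.doe@example.com"))
    _, group = scim.handle("POST", "/Groups", good,
                           group_resource("Database Admins", [user["id"]]))
    _, suspended = scim.handle("PATCH", "/Users/" + user["id"], good,
                               suspend_patch())
    return {
        "denied_status": denied,
        "created_status": status,
        "group_members": len(group["members"]),
        "active_after_suspend": suspended["active"],
    }


if __name__ == "__main__":
    print(provision_demo())
```

Run the module directly to see the four outcomes: a request carrying the wrong token is rejected with 401 before any resource is touched, the user is created, the role becomes a group with that user as its only member, and the Suspend patch leaves the account present but inactive rather than deleting it.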

How to Remove StrongDM Roles Not Provisioned from OneLogin

Because OneLogin does not support role deletion via SCIM provisioning, you cannot remove StrongDM Roles from OneLogin. If you would like to remove any StrongDM Roles that were provisioned from OneLogin, you must do the following:

  1. Disable provisioning in StrongDM. To do this in the Admin UI, follow these steps:
    1. Go to Settings > User Management > Provisioning.
    2. Under SCIM Provider, select None - provisioning disabled from the drop-down menu.
  2. Delete the StrongDM Role(s) that you want removed. To do this in the Admin UI, follow these steps:
    1. Go to Access > Roles.
    2. Select the Role you want to remove.
    3. From that Role’s Settings tab, click Delete role.
  3. Re-enable provisioning in StrongDM and get a new SCIM token. To do this in the Admin UI, follow these steps:
    1. Go back to Settings > User Management > Provisioning.
    2. Under SCIM Provider, select OneLogin from the drop-down menu.
  4. Go to your OneLogin app’s Configuration tab, and update the SCIM Bearer Token with the new token.