OneLogin SCIM Provisioning Configuration Guide

Overview #

User provisioning provides you with the ability to continue to manage your organization’s users in one place, and have those users populate into StrongDM. Provisioning prevents the need to create a duplicate set of users in StrongDM that already exist in your identity management service. When provisioning users, the users are set up in the external service and are then synced to StrongDM. The provisioned users are not able to be individually edited within StrongDM. Changes to provisioned users are made at the source and are synced to StrongDM afterward. These users in StrongDM are given access to resources in the same manner as native users: by assigning them to roles that contain the desired access permissions.

This guide shows you how to set up a OneLogin app with SCIM (System for Cross-domain Identity Management) provisioning. You can use SCIM provisioning to securely automate and manage user identity information, such as user account creation, updates, and deactivation between OneLogin and StrongDM.

You can enable provisioning in either of the StrongDM apps listed in the OneLogin portal, depending on which single sign-on (SSO) method you plan on using (that is OIDC or SAML). If you do not plan on also using OneLogin for SSO with StrongDM, it does not matter which app you choose.

Prerequisites #

Before you begin, ensure that you have the appropriate privileges and permissions:

• In OneLogin, you must be assigned one of the following privileges: Super User or Account Owner.
• In StrongDM, you must have the Account Administrator Permission Level.

Steps #

These instructions walk you through the process of adding a SCIM provisioning application in OneLogin and getting your token from the StrongDM Admin UI.

Add a StrongDM app in OneLogin #

If you have already added a StrongDM app through either our OIDC SSO guide or our SAML SSO guide, you can skip to the following section.

1. Log in to the OneLogin Admin portal (https://<YOUR-ORGANIZATION-NAME>.onelogin.com).
2. Go to Apps and click the Add App button.
3. Search for and then select StrongDM. If you plan on also using SSO in addition to provisioning, pick the StrongDM app that matches the SSO method that you use with OneLogin (OIDC or SAML). If you do not plan on using SSO, select either app.
4. Enter a descriptive name for your app in the Display Name field.
5. Click the Save button.

Get a SCIM token from StrongDM #

1. Log in to the StrongDM Admin UI.
2. Go to Settings > User Management and then the SSO section.
3. Under SCIM Provider, select OneLogin from the drop-down menu.
4. Click Activate SCIM.
5. Copy and save the generated token. You need this token when configuring provisioning for your OneLogin app in the following section.

Set up provisioning in OneLogin #

1. Go to the StrongDM app’s Configuration tab and set the following properties:
   1. SCIM Bearer Token: Enter the StrongDM SCIM token (for example, aabb12fjfl445...jkhksjhf98345un) that you generated in the Admin UI.
   2. API Status: In this section, click Enable to activate the connection to the SCIM API. If you get an error, make sure your secret token is correct and try again.
2. Click Save.

Customize user provisioning in OneLogin #

1. Go to the app’s Provisioning tab.
2. Select the checkboxes for Enable provisioning, Create user, Delete user, and Update user.
3. For both of the drop-down menus, set the options to Suspend.
4. Click Save.

Now you can directly add this app to each OneLogin user that you want to be provisioned to StrongDM.

If you would also like to provision OneLogin roles as StrongDM Roles and have OneLogin users provisioned based on the Roles they are members of, please proceed to the Customize group provisioning in OneLogin section.

Identity Aliases #

If you intend to use Identity Aliases for your users, you can send multiple Identity Alias values from OneLogin. This section describes how to set up OneLogin to pass Identity Set and Identity Alias values for users when they are provisioned.

To set up Identity Aliases for your users, follow these steps.

1. In OneLogin, create a custom attribute for the value of each Identity Alias you wish users to have. For example, if you intend users to have two different Identity Aliases, create two custom attributes. When done, these custom fields appear on user profiles.
   There can be multiple Identity Aliases, as long as they have unique names (for example, RDP Identity Alias or SSH Identity Alias).
2. Go to the app’s Parameters tab and add those custom user fields as new fields. When adding the new field, select the checkbox for Include in User Provisioning.
3. Go to the app’s Configuration tab > API Connection section, and edit the SCIM JSON template.
4. In the template, make sure that "schemas" inludes the external namespace "urn:ietf:params:scim:schemas:extension:strongdm:2.0:User".
5. For the identityAliases attribute, update the configuration to match the following. Replace the Identity Set names and Identity Alias parameter names with your own.

   ...
   "urn:ietf:params:scim:schemas:extension:strongdm:2.0:User": {
      "identityAliases": [
         "<IDENTITY_SET_1_NAME>,{$parameters.<IDENTITY_ALIAS_1_NAME>}",
         "<IDENTITY_SET_2_NAME>,{$parameters.<IDENTITY_ALIAS_2_NAME>}",
      ]
   }
   

   For example:

   ...
   "urn:ietf:params:scim:schemas:extension:strongdm:2.0:User": {
      "identityAliases": [
         "ssh-set,{$parameters.sshIdentityAlias}",
         "rdp-set,{$parameters.rdpIdentityAlias}",
      ]
   }
   

6. Once the configuration has been updated to include all of your custom parameters, go to a user profile and enter Identity Alias values for those fields.

When provisioned, the user in StrongDM will have those Identity Aliases, in those Identity Sets, in their user profile.

Customize group provisioning in OneLogin #

1. Go to the app’s Rules tab.
2. Click Add Rule and set the following properties:
   1. Name: Give the rule a descriptive name.
   2. Actions: Select Set Groups in %appName% from the drop-down menu. Then select the Map from OneLogin radio button.
3. Define the Action options so that they read For each role with value that matches . set %appName% Groups named after roles*.
4. Click Save.
5. Go to the Parameters tab.
6. Click the Groups field and ensure the Include in User Provisioning flag is checked.
7. Click Save.
8. Go to the Principals tab.
9. In the Roles section, select each of the roles that you would like to provision to StrongDM.
10. Click Save.
11. Go to the Provisioning section of the OneLogin admin portal to review and approve any staged provisioning changes.

SCIM provisioning setup is now complete!

How to Remove StrongDM Roles Not Provisioned from OneLogin #

Due to a limitation where OneLogin does not support role deletion via SCIM provisioning, you cannot remove StrongDM Roles via OneLogin. If you would like to remove any StrongDM Roles that were provisioned from OneLogin, you must do the following:

1. Disable provisioning in StrongDM. To do this in the Admin UI, follow these steps:
   1. Go to Settings > User Management and then the Provisioning section.
   2. Under SCIM Provider, select None - provisioning disabled from the drop-down menu.
2. Delete the StrongDM Role(s) that you want removed. To do this in the Admin UI, follow these steps:
   1. Go to Principals > Roles.
   2. Select the Role you want to remove.
   3. From that Role’s Settings tab, click Delete role.
3. Re-enable provisioning in StrongDM and get a new SCIM token. To do this in the Admin UI, follow these steps:
   1. Go back to Settings > User Management and then the Provisioning section.
   2. Under SCIM Provider, select OneLogin from the drop-down menu.
4. Go to your OneLogin app’s Configuration tab, and update the SCIM Bearer Token with the new token.