OneLogin SCIM Setup

Overview

SCIM (System for Cross-domain Identity Management) is an open standard that automates user provisioning and de-provisioning between identity providers (such as OneLogin) and external applications. Setting up SCIM in OneLogin allows for seamless user management, reducing administrative overhead and ensuring security compliance.

Prerequisites

Before setting up SCIM provisioning in OneLogin, ensure you have the following:

  • Administrator Access to OneLogin.

  • SCIM API Credentials from the target application.

  • SCIM-Enabled Application that supports user provisioning.

Steps

Configuring SCIM for OneLogin on Simpplr

  1. Navigate to Manage > Application > Integration > People data.

  2. Click Add Integration and select OneLogin.

  3. Enter a unique name for the integration (duplicate names are not allowed).

  4. Click Add, which will take you to the newly added integration screen.

  5. Click Generate Token. This will display two key configurations:

    • SCIM Base URL: The endpoint URL used by vendors to make API calls for test connections, provisioning, and syncing.

    • Token: The authentication token that Simpplr uses to validate incoming requests from the vendor for provisioning and synchronization operations.

Configure OneLogin for SCIM

  1. Log in to OneLogin. You will need administrator access to do the next steps.

  2. In the top right corner, click Administration.

  3. To create a new application:

    1. From the main menu, select Applications, then choose Add App.

    2. Select SCIM Provisioner with SAML (SCIM v2 Enterprise) and select Save.

  4. Configure SCIM in the newly created application.

    1. Go to the application you just created, or search for it if it was created earlier.

    2. Select the Configuration tab.

    3. Suppose the base URL of the tenant is https://ats-reg-testing.qa.simpplr.xyz/. In that case, enter simpplr.xyz in SAML Audience URL and qa.simpplr.xyz in SAML Consumer URL.

    4. Copy the SCIM Base URL from the newly created integration and paste it into SCIM Base URL in the Configuration tab.

    5. Copy the Token and paste it into SCIM Bearer Token in the Configuration tab.

  5. Configure Field Mappings in OneLogin.

    1. Copy and paste the basic schema into the SCIM JSON template.

      {
        "schemas": [
          "urn:ietf:params:scim:schemas:core:2.0:User",
          "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
        ],
        "externalId": "{$user.id}",
        "userName": "{$parameters.scimusername}",
        "name": {
          "familyName": "{$user.lastname}",
          "givenName": "{$user.firstname}"
        },
        "emails": [
          {
            "value": "{$user.email}",
            "type": "work",
            "primary": true
          }
        ],
        "displayName": "{$user.display_name}",
        "locale": "{$user.locale_code}",
        "phoneNumbers": [
          {
            "value": "{$user.phone}"
          }
        ],
        "roles": "{$user.custom_fields.Roles}",
        "active": "{$user.status}"
      }

    2. This is the Basic Schema mapping with all the basic user fields for the users created in OneLogin.

    3. Configuring Standard and Custom Fields in OneLogin.

    4. Depending on which standard and custom fields you use, the schema is defined as follows:

      1. Simpplr defines standard fields and custom fields as:

        Simpplr-defined standard fields:
          urn:ietf:params:scim:schemas:extension:simpplrapp:User:business_unit
          urn:ietf:params:scim:schemas:extension:simpplrapp:User:about

        Simpplr-defined custom fields:
          urn:ietf:params:scim:schemas:extension:simpplrapp:66886f53-e818-46cc-b25d-25162482afbc:User:b3d05d30-70c8-4a84-9364-0b3311f4259a

      2. Standard fields are added to the JSON as:

        "urn:ietf:params:scim:schemas:extension:simpplrapp:User": {
          "business_unit": "{$user.display_name}",
          "about": "{$user.about}"
        }

      3. Similarly, Custom fields will be defined as:

        "urn:ietf:params:scim:schemas:extension:simpplrapp:66886f53-e818-46cc-b25d-25162482afbc:User": {
          "b3d05d30-70c8-4a84-9364-0b3311f4259a": "{$user.customField1}"
        }

      4. The final schema with added standard and custom fields will look something like this:

        {
          "schemas": [
            "urn:ietf:params:scim:schemas:core:2.0:User",
            "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
          ],
          "externalId": "{$user.id}",
          "userName": "{$parameters.scimusername}",
          "name": {
            "familyName": "{$user.lastname}",
            "givenName": "{$user.firstname}"
          },
          "emails": [
            {
              "value": "{$user.email}",
              "type": "work",
              "primary": true
            }
          ],
          "displayName": "{$user.display_name}",
          "locale": "{$user.locale_code}",
          "phoneNumbers": [
            {
              "value": "{$user.phone}"
            }
          ],
          "roles": "{$user.custom_fields.Roles}",
          "active": "{$user.status}",
          "urn:ietf:params:scim:schemas:extension:simpplrapp:User": {
            "business_unit": "{$user.display_name}",
            "about": "{$user.about}"
          },
          "urn:ietf:params:scim:schemas:extension:simpplrapp:66886f53-e818-46cc-b25d-25162482afbc:User": {
            "b3d05d30-70c8-4a84-9364-0b3311f4259a": "{$user.customField1}"
          }
        }

  6. Configure provisioning for SCIM app:

    1. Select the Provisioning tab.

    2. Check Enable Provisioning.

    3. Under Require admin approval before this action section, uncheck the Create, Delete, and Update checkboxes to have OneLogin provision new users and update users to the SCIM app without requiring administrative approval.

    4. Select Save.

  7. Test provisioning with your SCIM App.

    1. Select the Access tab.

    2. In the Roles section, ensure Default is checked.

    3. Select Save.

    4. From the main menu, select Users.

    5. Select the user to provision to the SCIM app.

    6. Select the Applications tab for the user.

    7. In the Roles section, select Default.

    8. Select Save User to start the provisioning process.

  8. View provisioning:

    1. From the main menu, select Users > Provisioning.

    2. Refresh the page to view the updates.

    3. Go to Applications and open the SCIM app.

    4. Select the Users tab to see provisioned users.

  9. To disconnect OneLogin SCIM, follow these steps:

    1. Go to Simpplr. Click on Manage > Applications > Integrations > People Data.

    2. Select the SCIM integration, click the three dots, and click Delete.

    3. Log in to OneLogin.

    4. Click Administration, then from the applications section of the main menu, click the app name.

    5. Select the Provisioning tab and uncheck Enable provisioning in the Workflow section.

    6. Click Save.
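
An added example (not Simpplr's or OneLogin's own code) for the field-mapping step above: a check to run on the SCIM JSON template before pasting it into OneLogin, which catches broken JSON, mistyped simpplrapp extension URNs, and custom-field keys that are not UUIDs. The required-key list and the strictness of the URN patterns are assumptions derived from the examples in this article.

```python
import json
import re

# URN shapes copied from the article; treating them as strict rules is an assumption.
PREFIX = re.escape("urn:ietf:params:scim:schemas:extension:simpplrapp:")
UUID = r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}"
STANDARD_URN = re.compile(PREFIX + "User")
CUSTOM_URN = re.compile(PREFIX + UUID + ":User")
MACRO = re.compile(r"\{\$[A-Za-z_][\w.]*\}")  # placeholder of the form {$user.field}
REQUIRED = ("schemas", "externalId", "userName")  # assumption: minimum usable record


def check_template(text):
    """Return a list of problems in a SCIM JSON template; an empty list means clean."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno}, column {exc.colno})"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    problems = [f"missing key: {key}" for key in REQUIRED if key not in doc]
    for key, block in doc.items():
        if not key.startswith("urn:"):
            continue  # core attributes are not checked here
        custom = bool(CUSTOM_URN.fullmatch(key))
        if not custom and not STANDARD_URN.fullmatch(key):
            problems.append(f"unrecognised extension URN: {key}")
            continue
        if not isinstance(block, dict):
            problems.append(f"{key}: value must be an object")
            continue
        for field, value in block.items():
            if custom and not re.fullmatch(UUID, field):
                problems.append(f"{key}: custom field key is not a UUID: {field}")
            if not (isinstance(value, str) and MACRO.fullmatch(value)):
                problems.append(f"{key}.{field}: value is not a single placeholder")
    return problems


# Constructed sample built from the article's field examples.
SAMPLE = """{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "externalId": "{$user.id}",
  "userName": "{$parameters.scimusername}",
  "urn:ietf:params:scim:schemas:extension:simpplrapp:User": {"about": "{$user.about}"},
  "urn:ietf:params:scim:schemas:extension:simpplrapp:66886f53-e818-46cc-b25d-25162482afbc:User":
    {"b3d05d30-70c8-4a84-9364-0b3311f4259a": "{$user.customField1}"}
}"""

if __name__ == "__main__":
    print(check_template(SAMPLE) or "template is clean")
```

A template that fails the JSON parse is reported with the line and column of the first error, so a stray character left by copy-paste can be found before the template is saved.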
