OneLogin - Configuring SCIM User Provisioning

Learn how to configure SCIM with OneLogin to provision users to your Staffbase platform automatically.

In this article, you will learn how to set up SCIM using OneLogin as the identity provider.

System for Cross-domain Identity Management (SCIM) allows you to provision users to the Staffbase platform using an identity provider.

SCIM is optional for user management. You can choose an option based on your business requirements. Learn more about other options.

Prerequisites

  • You have access to the OneLogin Administration.
  • You have super user privilege in OneLogin.
  • You have an existing SSO/SAML configuration in OneLogin in order to configure it for the Staffbase platform.
  • You have the SCIM endpoint URL for your Staffbase platform. The URL has the following format: https://<your-domain>/scim
  • You have generated an API token with administrative access via the Staffbase Studio.

Edit existing app

You need to extend your existing App in OneLogin for Staffbase to add SCIM provisioning.

  1. In OneLogin, go to Administration.
  2. Click Applications > Applications.
  3. Select your existing application for the Staffbase SSO/SAML configuration by filtering the overview and clicking on the name.
  4. Under Configuration, navigate to API, provide the following details, and click Save:
  • API Status: Click Enable to turn on the option.
  • SCIM Base URL: Enter the SCIM endpoint URL for your Staffbase platform.
    For example, the URL uses the following format: https://<your-domain>/scim
  • SCIM Bearer Token: Enter the API token generated from the Staffbase Studio.
  • SCIM JSON Template: Enter the following template, which contains the minimum information required by Staffbase, such as externalId, Firstname, Lastname, and Email:

    {
      "schemas": [
        "urn:scim:schemas:core:2.0",
        "urn:scim:schemas:extension:enterprise:2.0"
      ],
      "externalId": "{$user.id}",
      "name": {
        "familyName": "{$user.lastname}",
        "givenName": "{$user.firstname}"
      },
      "emails": [
        {
          "value": "{$user.email}",
          "type": "work",
          "primary": true
        }
      ]
    }

  5. Under Provisioning, provide the following details, and click Save:
  • Enable provisioning: Click Enable to turn on the option.
  • When users are deleted in OneLogin, or the user's app access is removed, perform the below action: Select Delete.
  • When user accounts are suspended in OneLogin, perform the following action: Select Suspend.
  • For production: Disable the following options:
    • Create user
    • Delete user
    • Update user
  • For testing: Enable the following options:
    • Create user
    • Delete user
    • Update user
      When these options are enabled, actions need to be approved under Users.

Define the mapping for user provisioning

For an overview of default attribute mappings, see SCIM Default Attribute Mappings.
In this guide, only a minimum mapping to get you started is shown.
You can create more mappings based on your business needs.

The mapping is defined in the JSON template in step 4 above. To add additional custom attributes, see OneLogin - Creating Custom Attributes for SCIM User Provisioning.
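
A pre-flight check for the JSON template in step 4, given here as an added example that is not part of the original guide or of any OneLogin or Staffbase code: it substitutes a constructed sample user for the `{$user.*}` macros, then confirms the result is valid JSON and carries the minimum attributes the guide lists. The names `lint_template` and `SAMPLE_USER` and the substitution logic are assumptions that only simulate how the identity provider renders the template.

```python
import json
import re

# Minimum attributes the guide lists: externalId, first name, last name, email.
REQUIRED = [("externalId",), ("name", "givenName"), ("name", "familyName"), ("emails", 0, "value")]
MACRO = re.compile(r"\{\$([a-z_.]+)\}")

# The template from step 4, as it should be pasted (no line numbers).
TEMPLATE = """{
  "schemas": ["urn:scim:schemas:core:2.0", "urn:scim:schemas:extension:enterprise:2.0"],
  "externalId": "{$user.id}",
  "name": {
    "familyName": "{$user.lastname}",
    "givenName": "{$user.firstname}"
  },
  "emails": [
    {"value": "{$user.email}", "type": "work", "primary": true}
  ]
}"""

# Constructed sample user; the quote in the last name exercises JSON escaping.
SAMPLE_USER = {"user.id": "1001", "user.firstname": "Ada",
               "user.lastname": 'O"Neil', "user.email": "ada@example.com"}


def lint_template(template, user=SAMPLE_USER):
    """Return a list of problems; an empty list means the template passed."""
    problems = []
    unknown = sorted(set(MACRO.findall(template)) - set(user))
    if unknown:
        problems.append("macros with no sample value: " + ", ".join(unknown))
    # Insert JSON-escaped values (assumption: a simulation of the IdP's rendering).
    rendered = MACRO.sub(lambda m: json.dumps(user.get(m.group(1), ""))[1:-1], template)
    try:
        doc = json.loads(rendered)
    except json.JSONDecodeError as exc:
        return problems + [f"not valid JSON after substitution: {exc.msg} (line {exc.lineno})"]
    for path in REQUIRED:
        node = doc
        try:
            for key in path:
                node = node[key]
        except (KeyError, IndexError, TypeError):
            node = None
        if not isinstance(node, str) or not node.strip():
            problems.append("missing or empty: " + ".".join(map(str, path)))
    return problems


if __name__ == "__main__":
    print(lint_template(TEMPLATE) or "template OK")
```

Run it against your own template text before saving it in OneLogin; any custom attribute macros you add need a matching entry in the sample user.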

Additional helpful information