About SCIM Directory Integration with OneLogin
SCIM Directory Integration with OneLogin in Iru Endpoint allows you to set up SCIM-based user directory synchronization between OneLogin and Iru Endpoint, enabling automatic user and group provisioning and deprovisioning.
How It Works
The SCIM integration creates a secure connection between OneLogin and Iru Endpoint, enabling automatic synchronization of user and group data. When users or groups are added, modified, or removed in OneLogin, these changes are automatically reflected in Iru Endpoint through the SCIM protocol.
Prerequisites
- Complete the steps outlined in the SCIM Directory Integration support article to set up a new SCIM user directory in your Iru Endpoint tenant. You will need to obtain the SCIM access token and API URL.
- Copy and store the token provided as outlined in the SCIM Directory Integration article. The token will not be visible once you click Done and will be required in a later step.
- Be sure to review the supported user and group attributes listed in the SCIM Directory Integration article.
Creating the SCIM Integration in OneLogin
Access OneLogin Admin Console
Navigate to Applications
In the top navigation, hover over Applications.
Open Applications Menu
Click Applications in the drop-down menu.
Add New Application
Near the top-right, click Add App.
Search for SCIM Provisioner
In the text field, enter SCIM Provisioner.
Select SCIM Provisioner
Click on SCIM Provisioner with SAML (SCIM v2 Enterprise).
Configuring SCIM Settings
Once in the SCIM Provisioner with SAML (SCIM v2 Enterprise) application, use the following steps to configure the SCIM settings. The following steps include provisioning users and groups (roles).
Update Display Name
(optional) Update the app Display Name to something like Iru Endpoint SCIM Provisioner.
Configure Portal Visibility
(optional) Choose whether to make the app visible in the OneLogin portal.
Add Application Icon
(optional) Add an icon.
Add Description
(optional) Add a description.
Save Configuration
After completing the basic configuration, click Save.
Parameters
Navigate to Parameters
Navigate to the Parameters page.
Add New Parameter
Click the add (+) button on the right.
Enter Field Name
Enter email.value into the Field name.
Save Parameter
Click Save.
Configure Parameter Value
Click on the email.value Parameter and set the value to Email.
Save Configuration
Click Save.
Configuration
Navigate to Configuration
Navigate to the Configuration page.
Enter Bearer Token
In the SCIM Bearer Token field, paste the token that you copied when creating the Integration in Iru Endpoint.
Enable API Connection
Click Enable to turn on the API Connection.
Save Configuration
Click Save.
Provisioning
Access Provisioning Page
Go to the Provisioning page.
Enable Provisioning
Select the box to Enable provisioning.
Configure User Operations
Uncheck the boxes next to Create user, Delete user, and Update user.
Set Deletion Policy
For the option When users are deleted in OneLogin, or the user’s app access is removed…, choose Delete.
Set Suspension Policy
For the option When user accounts are suspended in OneLogin…, choose Suspend.
Save Configuration
Now, in the top-right, click Save to keep the initial configuration.
Provisioning Users and Roles to Iru Endpoint
Use the following steps to send users and OneLogin roles to Iru Endpoint via the SCIM integration.
OneLogin roles are equivalent to groups in Iru Endpoint, and are assigned to the SCIM configuration. When users are assigned to roles in OneLogin, they are then pushed to Iru Endpoint. Additionally, any roles assigned to the SCIM app are pushed to Iru Endpoint as groups.
Creating a Role
Navigate to Users
In the top navigation, hover over Users.
Access Roles
In the dropdown menu, click Roles.
Create New Role
Click New Role.
Name the Role
Give the Role a name.
Assign Apps to Role
Select the apps that should be assigned to the role. In this case, we selected the SCIM app.
Assigning Users to the Role
Access Created Role
Click back into the role that was just created.
Navigate to Users
Click Users.
Create New Mapping
Under Users Added Automatically, click New Mapping.
Name the Mapping
Give the Mapping a name.
Configure Conditions
Create the conditions that meet your needs. For this example, we chose Group membership as the criterion, but you can use other criteria, such as department.
Select Role Action
Under Actions, choose the role that should be applied.
OneLogin only allows a user to be a member of one group, so you can think of OneLogin groups as an attribute that describes the user, similar to department or location. Use OneLogin roles if a user needs to be a member of more than one “group”.
For more information on Group provisioning, please see OneLogin’s documentation here.
If desired, users can also be added to the SCIM apps manually from each user’s record.
Adding a Rule to the SCIM App
Use the steps below to push one or more roles (Iru Endpoint groups) to Iru Endpoint in the OneLogin SCIM app.
Access Rules
In the SCIM app, click Rules.
Add New Rule
Click Add Rule.
Name the Rule
Give the rule a name.
Configure Action
Under Actions, choose Set Groups in from the first drop-down.
Select Mapping Source
Select Map from OneLogin.
Configure Role Mapping
In the For each field, choose role from the dropdown.
Set Role Value
In the with value that matches field, enter the SCIM Role to push to Iru Endpoint as a group.
Pushing Updates
Syncing: User and group syncing is one-way, meaning the SCIM app will send user information to Iru Endpoint only when there is new or updated information to be sent. For this reason, a “Sync Now” option is not needed in the Iru Endpoint web app.
If the SCIM app is updated in OneLogin, you will need to save the change and then use the Reapply entitlement mappings option.
Access More Actions
Hover over the More Actions menu.
Reapply Entitlement Mappings
Click on the Reapply entitlement mappings option.
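Because syncing is one-way and there is no Sync Now option, one way to confirm that the Delete and Suspend policies and the role rule took effect is to compare a OneLogin user export with the SCIM user and group records in the directory. The following is an added example, not Iru Endpoint or OneLogin code. It assumes constructed records, hypothetical IdP-side field names and finding labels, users joined on the email value mapped under Parameters, and suspended users keeping their groups.

```python
# Constructed sample data; the directory side uses SCIM 2.0 core attributes (RFC 7643).
IDP_USERS = [
    {"email": "ana@example.com", "status": "active", "app_access": True, "roles": ["Engineering"]},
    {"email": "bo@example.com", "status": "suspended", "app_access": True, "roles": ["Engineering"]},
    {"email": "cy@example.com", "status": "active", "app_access": False, "roles": []},
    {"email": "dee@example.com", "status": "active", "app_access": True, "roles": ["Engineering", "Finance"]},
]
PUSHED_ROLES = {"Engineering"}  # roles matched by the SCIM app rule
SCIM_USERS = [
    {"id": "u1", "active": True, "emails": [{"value": "ana@example.com"}]},
    {"id": "u2", "active": True, "emails": [{"value": "bo@example.com"}]},
    {"id": "u3", "active": True, "emails": [{"value": "cy@example.com"}]},
]
SCIM_GROUPS = [{"displayName": "Engineering", "members": [{"value": "u1"}, {"value": "u2"}]}]

def expected_state(idp_users, pushed_roles):
    """Model the Provisioning page: access removed -> Delete, suspended -> Suspend."""
    want = {}
    for u in idp_users:
        if not u["app_access"]:
            continue  # "Delete" policy: the account should no longer exist
        want[u["email"].lower()] = {"active": u["status"] != "suspended",
                                    "groups": set(u["roles"]) & pushed_roles}
    return want

def find_drift(idp_users, pushed_roles, scim_users, scim_groups):
    """Return sorted (email, finding) pairs where the directory differs from the IdP."""
    want = expected_state(idp_users, pushed_roles)
    email_by_id = {u["id"]: u["emails"][0]["value"].lower() for u in scim_users}
    have = {email_by_id[u["id"]]: {"active": u["active"], "groups": set()} for u in scim_users}
    for g in scim_groups:
        for m in g.get("members", []):
            if m["value"] in email_by_id:
                have[email_by_id[m["value"]]]["groups"].add(g["displayName"])
    findings = []
    for email in sorted(set(want) | set(have)):
        w, h = want.get(email), have.get(email)
        if w is None or h is None:
            # orphaned: deprovisioning did not land; missing: provisioning did not land
            findings.append((email, "orphaned" if w is None else "missing"))
            continue
        if h["active"] != w["active"]:
            findings.append((email, "status_mismatch"))
        if h["groups"] != w["groups"]:
            findings.append((email, "group_mismatch"))
    return findings

if __name__ == "__main__":
    print(find_drift(IDP_USERS, PUSHED_ROLES, SCIM_USERS, SCIM_GROUPS))
```

An "orphaned" or "status_mismatch" finding means an account that should have been removed or suspended is still live in the directory.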