About SCIM Directory Integration with OneLogin

SCIM Directory Integration with OneLogin in Iru Endpoint allows you to set up SCIM-based user directory synchronization between OneLogin and Iru Endpoint, enabling automatic user and group provisioning and deprovisioning.

How It Works

The SCIM integration creates a secure connection between OneLogin and Iru Endpoint, enabling automatic synchronization of user and group data. When users or groups are added, modified, or removed in OneLogin, these changes are automatically reflected in Iru Endpoint through the SCIM protocol.

Prerequisites

  • Complete the steps outlined in the SCIM Directory Integration support article to set up a new SCIM user directory in your Iru Endpoint tenant. You will need to obtain the SCIM access token and API URL.
  • Copy and store the token provided as outlined in the SCIM Directory Integration article. The token will not be visible once you click Done and will be required in a later step.
  • Be sure to review the supported user and group attributes listed in the SCIM Directory Integration article.

Creating the SCIM Integration in OneLogin

1. Access OneLogin Admin Console
   Log in to your OneLogin admin console (example: https://accuhive.onelogin.com/admin2).

2. Navigate to Applications
   In the top navigation, hover over Applications.

3. Open Applications Menu
   Click Applications in the drop-down menu.

4. Add New Application
   Near the top-right, click Add App.

5. Search for SCIM Provisioner
   In the text field, enter SCIM Provisioner.

6. Select SCIM Provisioner
   Click on SCIM Provisioner with SAML (SCIM v2 Enterprise).

Configuring SCIM Settings

Once in the SCIM Provisioner with SAML (SCIM v2 Enterprise) application, use the following steps to configure the SCIM settings. The following steps include provisioning users and groups (roles).

Application Information

1. Update Display Name
   (optional) Update the app Display Name to something like Iru Endpoint SCIM Provisioner.

2. Configure Portal Visibility
   (optional) Choose whether to make the app visible in the OneLogin portal.

3. Add Application Icon
   (optional) Add an icon.

4. Add Description
   (optional) Add a description.

5. Save Configuration
   After completing the basic configuration, click Save.

Parameters

1. Navigate to Parameters
   Navigate to the Parameters page.

2. Add New Parameter
   Click the add (+) button on the right.

3. Enter Field Name
   Enter email.value into the Field name.

4. Save Parameter
   Click Save.

5. Configure Parameter Value
   Click on the email.value Parameter and set the value to Email.

6. Save Configuration
   Click Save.

Configuration

1. Navigate to Configuration
   Navigate to the Configuration page.

2. Enter SCIM Base URL
   In the SCIM Base URL field, paste the Iru Endpoint SCIM URL from the integration created earlier using the SCIM Directory Integration support article (example: https://accuhive.api.kandji.io/api/v1/scim).

3. Enter Bearer Token
   In the SCIM Bearer Token field, paste the token that you copied when creating the Integration in Iru Endpoint.

4. Enable API Connection
   Click Enable to turn on the API Connection.

5. Save Configuration
   Click Save.

Provisioning

1. Access Provisioning Page
   Go to the Provisioning page.

2. Enable Provisioning
   Select the box to Enable provisioning.

3. Configure User Operations
   Uncheck the boxes next to Create user, Delete user, and Update user.

4. Set Deletion Policy
   For the option When users are deleted in OneLogin, or the user’s app access is removed…, choose Delete.

5. Set Suspension Policy
   For the option When user accounts are suspended in OneLogin…, choose Suspend.

6. Save Configuration
   Now, in the top-right, click Save to keep the initial configuration.

Provisioning Users and Roles to Iru Endpoint

Use the following steps to send users and OneLogin roles to Iru Endpoint via the SCIM integration.

OneLogin roles are synonymous with groups in Iru Endpoint, and are assigned to the SCIM configuration. When users are assigned to roles in OneLogin, they are then pushed to Iru Endpoint. Additionally, any roles assigned to the SCIM app are pushed to Iru Endpoint as groups.

Creating a Role

1. Navigate to Users
   In the top navigation, hover over Users.

2. Access Roles
   In the dropdown menu, click Roles.

3. Create New Role
   Click New Role.

4. Name the Role
   Give the Role a name.

5. Assign Apps to Role
   Select the apps that should be assigned to the role. In this case, we selected the SCIM app.

6. Save Role
   Click Save.

Assigning Users to the Role

1. Access Created Role
   Click back into the role that was just created.

2. Navigate to Users
   Click Users.

3. Create New Mapping
   Under Users Added Automatically, click New Mapping.

4. Name the Mapping
   Give the Mapping a name.

5. Configure Conditions
   Create the conditions that meet your needs. For this example, we chose Group membership as the criterion, but you can use other criteria like department.

6. Select Role Action
   Under Actions, choose the role that should be applied.

7. Save Mapping
   Click Save.

OneLogin only allows a user to be a member of one group, so you can think of OneLogin groups as an attribute that describes the user, similar to department or location. Use OneLogin roles if a user needs to be a member of more than one “group”.
For more information on Group provisioning, please see OneLogin’s documentation here.
If desired, users can also be added to the SCIM apps manually from each user’s record.

Adding a Rule to the SCIM App

Use the steps below to push one or more roles (Iru Endpoint groups) to Iru Endpoint in the OneLogin SCIM app.

1. Access Rules
   In the SCIM app, click Rules.

2. Add New Rule
   Click Add Rule.

3. Name the Rule
   Give the rule a name.

4. Configure Action
   Under Actions, choose Set Groups in from the first drop-down.

5. Select Mapping Source
   Select Map from OneLogin.

6. Configure Role Mapping
   In the For each field, choose role from the dropdown.

7. Set Role Value
   In the with value that matches field, enter the SCIM Role to push to Iru Endpoint as a group.

8. Save Rule
   Click Save.

Pushing Updates

Syncing: User and group syncing is one-way, meaning the SCIM app will send user information to Iru Endpoint only when there is new or updated information to be sent. For this reason, a “Sync Now” option is not needed in the Iru Endpoint web app.
If the SCIM app is updated in OneLogin, you will need to save the change and then use the Reapply entitlement mappings option.

1. Access More Actions
   Hover over the More Actions menu.

2. Reapply Entitlement Mappings
   Click on the Reapply entitlement mappings option.
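
Because syncing is one-way and the Provisioning page sets the Delete and Suspend policies, it is worth checking periodically that deprovisioning actually reached the directory. The script below is an added example (not part of the original article and not Iru or OneLogin tooling) that compares a SCIM 2.0 ListResponse, in the RFC 7644 format assumed for the Iru Endpoint side, with the users assigned to the SCIM app in OneLogin; both samples, the status strings, and the function names are constructed for illustration.

```python
import json

# Constructed sample: SCIM 2.0 ListResponse (RFC 7644), assumed shape of GET <SCIM Base URL>/Users.
SCIM_LIST_RESPONSE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 4,
    "Resources": [
        {"id": "u1", "userName": "alice@example.com", "active": True,
         "emails": [{"value": "alice@example.com", "primary": True}]},
        {"id": "u2", "userName": "bob@example.com", "active": True,
         "emails": [{"value": "Bob@Example.com", "primary": True}]},
        {"id": "u3", "userName": "carol@example.com", "active": False,
         "emails": [{"value": "carol@example.com", "primary": True}]},
        {"id": "u4", "userName": "dave@example.com", "active": True,
         "emails": [{"value": "dave@example.com"}]},
    ],
})

# Constructed sample: users assigned to the SCIM app; status strings are hypothetical labels.
ONELOGIN_USERS = [
    {"email": "alice@example.com", "status": "active"},
    {"email": "bob@example.com", "status": "suspended"},
    {"email": "carol@example.com", "status": "suspended"},
    {"email": "erin@example.com", "status": "active"},
]

def primary_email(resource):
    """Return the lower-cased primary emails[].value, falling back to userName."""
    emails = resource.get("emails") or []
    chosen = next((e for e in emails if e.get("primary")), emails[0] if emails else None)
    value = chosen.get("value") if chosen else resource.get("userName", "")
    return (value or "").strip().lower()

def find_drift(scim_json, idp_users):
    """Compare directory state against the Delete and Suspend policies."""
    directory = {primary_email(r): r for r in json.loads(scim_json).get("Resources", [])}
    idp = {u["email"].strip().lower(): u["status"] for u in idp_users}
    drift = {"not_deleted": [], "not_suspended": [], "not_provisioned": []}
    for email, res in directory.items():
        if email not in idp:
            drift["not_deleted"].append(email)      # gone from OneLogin, still in directory
        elif idp[email] == "suspended" and res.get("active", True):
            drift["not_suspended"].append(email)    # suspended in OneLogin, still active
    drift["not_provisioned"] = [e for e, s in idp.items()
                                if s == "active" and e not in directory]
    return {k: sorted(v) for k, v in drift.items()}

if __name__ == "__main__":
    print(find_drift(SCIM_LIST_RESPONSE, ONELOGIN_USERS))
```

Matching is done on the e-mail address because the Parameters step maps email.value to Email; entries under not_deleted or not_suspended are accounts to investigate first.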