Provision Users with OneLogin SCIM

This topic will walk you through how to provision users with OneLogin SCIM. This includes how to create a bearer token, enable the API integration, and assign users/role/groups to Ironclad.

Prerequisites

• You must be able to create Ironclad API bearer tokens in your Ironclad company.
• You must have a SAML SSO connector configured in your Ironclad company before provisioning users with SCIM.

Supported OneLogin Features

• Create Users
• Update User Attributes
• Deactivate Users
• Create Groups

Step 1: Create a Bearer Token

Required Role: Admin

1. In Ironclad, click on your name located in the top right corner of Ironclad. Click Company Settings > API.
2. Create a new bearer token for use by Azure. Name it something descriptive and memorable such as "OneLogin SCIM provisioning token".
3. Copy the generated token that displays.

Step 2: Enable API Integration in OneLogin

1. Log in to your OneLogin admin account. Click the Applications tab, and then click Add App.
2. When you add a new application, search for SCIM and select SCIM Provisioner with SAML (SCIM V2) either Core or Enterprise.
3. Name this application (perhaps Ironclad), and select Save.
4. Under the application, click the Configuration tab.
5. For both of the SAML URLs, enter the SAML Callback URL from Ironclad’s Integrations page.
6. In the SCIM Base URL field, enter https://ironcladapp.com/scim/v2, and in the SCIM Bearer Token field, enter the Ironclad API key.
7. Click Enable to activate the SCIM connection to Ironclad.
8. Click Save located in the top right.
9. If you have SSO enabled, you must download the certificate from OneLogin and upload it to Ironclad on the SAML integrations page.
10. In OneLogin, click the Provisioning tab.
11. Select Enable Provisioning, and select the applicable synchronization options. Click Save.

Step 3: Assign Users to the Ironclad Application

Pushing users into Ironclad with SCIM is only supported when a single SAML configuration is in place in your Ironclad company.

1. Under the main directory in OneLogin, click the Users dropdown, and then select Users.
2. Select a user, and under the Applications tab, you can:
   1. Add the user to the application by clicking the Add button indicated by a plus sign.
   2. Assign the user a role that is mapped to the application.
3. Click Save User.

Step 4: Assign Roles/Groups to the Ironclad Application

OneLogin does not support updating or deleting groups in third-party applications via SCIM. Any subsequent updates to users will be reflected in Ironclad so long as the provisioning is set up correctly.

1. For the first approach, you must first set up a rule in OneLogin to set groups in Ironclad to roles in OneLogin. You must then add users to these roles and they will be provisioned to groups created in Ironclad for those roles. Additionally, you can map these roles to OneLogin groups as well. To do this:
   1. ​​​​​​​In OneLogin, click the Applications tab. In the left panel, click Rules > Add Rule.
   2. Edit the mapping and click Save.
   3. Click the Users tab located at the top of the screen, and then click Roles from the dropdown.
   4. Locate Check existing or add new users to this role. Search for a user and then click Add to Rule.
2. Another approach is to use Entitlements in OneLogin. To do this:
   1. ​​​​​​​In OneLogin, click the Applications tab. In the left panel, click Provisioning.
   2. Locate the Entitlements section. Click Refresh. Any groups that you created in Ironclad are added to the possible group assignments in OneLogin.
3. Click Save to save any changes to the roles or user/group assignments.

Step 5: Configure Group Permissions in Ironclad

You must manage group permissions in Ironclad after pushing groups via SCIM. Refer to the Group Permissions Overview for more information.