This topic walks you through how to provision users with OneLogin SCIM. This includes how to create a SCIM scoped token, enable the API integration, and assign users, roles, and groups to Ironclad.
Prerequisites
- You must be able to create Ironclad API bearer tokens in your Ironclad company.
- You must have a SAML SSO connector configured in your Ironclad company before provisioning users with SCIM.
Supported OneLogin Features
- Create Users
- Update User Attributes
- Deactivate Users
- Create Groups
Step 1: Create a SCIM Scoped Token
Required Role: Admin
- In Ironclad, navigate to Company Settings > Integrations > SAML.
- At the top, select the SCIM Configuration tab.
- Under Token Generation, enter a descriptive name for the token.
- Click + Generate New Token.
- Copy and paste the new token into your identity provider's setup.
- Save this token in a safe place. Once you close the window, you will not be able to access it again.
Step 2: Enable API Integration in OneLogin
- Log in to your OneLogin admin account. Click the Applications tab, and then click Add App.
- When you add a new application, search for SCIM and select SCIM Provisioner with SAML (SCIM V2), either Core or Enterprise.
- Name this application (perhaps Ironclad), and select Save.
- Under the application, click the Configuration tab.
- For both of the SAML URLs, enter the SAML Callback URL from Ironclad’s Integrations page.
- In the SCIM Base URL field, enter https://ironcladapp.com/scim/v2 (or for the Ironclad Demo environment https://demo.ironcladapp.com/scim/v2), and in the SCIM Bearer Token field, enter the Ironclad API key.
- Click Enable to activate the SCIM connection to Ironclad.
- Confirm the SCIM JSON Template and add any desired additional User Attributes in the Provisioning tab.
NOTE: You must use the user's email address for the userName field.
- Click Save located in the top right.
- If you have SSO enabled, you must download the certificate from OneLogin and upload it to Ironclad on the SAML integrations page.
- In OneLogin, click the Provisioning tab.
- Select Enable Provisioning, and select the applicable synchronization options. Click Save.
Step 3: Assign Users to the Ironclad Application
Pushing users into Ironclad with SCIM is only supported when a single SAML configuration is in place in your Ironclad company.
- Under the main directory in OneLogin, click the Users dropdown, and then select Users.
- Select a user, and under the Applications tab, you can:
- Add the user to the application by clicking the Add button indicated by a plus sign.
- Assign the user a role that is mapped to the application.
- Click Save User.
Step 4: Assign Roles/Groups to the Ironclad Application
OneLogin does not support updating or deleting groups in third-party applications via SCIM. Any subsequent updates to users will be reflected in Ironclad so long as the provisioning is set up correctly.
- For the first approach, you must first set up a rule in OneLogin that maps roles in OneLogin to groups in Ironclad. You must then add users to these roles, and they will be provisioned to the groups created in Ironclad for those roles. Additionally, you can map these roles to OneLogin groups as well. To do this:
- Verify there is a Groups field under the Parameters tab and that the Include in User Provisioning box is checked.
- In OneLogin, click the Applications tab. In the left panel, click Rules > Add Rule.
- Edit the mapping and click Save. You can use this rule for all roles using the .* regular expression (below) or set up rules specific to the roles you want to push to Ironclad.
- Click the Users tab located at the top of the screen, and then click Roles from the dropdown.
- Locate Check existing or add new users to this role. Search for a user and then click Add to Rule.
- Another approach is to use Entitlements in OneLogin. To do this:
- In OneLogin, click the Applications tab. In the left panel, click Provisioning.
- Locate the Entitlements section. Click Refresh. Any groups that you created in Ironclad are added to the possible group assignments in OneLogin.
- Click Save to save any changes to the roles or user/group assignments.
Step 5: Configure Group Permissions in Ironclad
You must manage group permissions in Ironclad after pushing groups via SCIM. Refer to the Group Permissions Overview for more information.
Troubleshooting FAQs
Provisioning failure:
“User failed creating in app. Authorization failure. The authorization header is invalid or missing.”
Solution: Verify that you are using the correct SCIM Base URL. Refer to step 2.6 above.
Provisioning failure:
“User failed creating in app. User validation failed: username: Path `username` is invalid.”
Solution: Ironclad requires an email address in the userName field. Refer to step 2.8 above.
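Both failures above can be caught before enabling provisioning. The following is an added example, not Ironclad or OneLogin code: a local pre-flight check over the SCIM Base URL, the bearer token, and a rendered SCIM user payload. The function name, the sample payloads, and the assumption that the two URLs from Step 2 are the only valid ones are illustrative.

```python
import json
import re

# SCIM Base URLs listed in Step 2 of this page (production and demo).
# Assumption: these are the only valid values for your company.
ALLOWED_BASE_URLS = {
    "https://ironcladapp.com/scim/v2",
    "https://demo.ironcladapp.com/scim/v2",
}
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643
# Deliberately simple shape check, not full RFC 5322 validation.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def preflight(base_url, bearer_token, user_json):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if base_url.rstrip("/") not in ALLOWED_BASE_URLS:
        problems.append("base_url: not one of the SCIM Base URLs from Step 2")
    if not bearer_token or bearer_token != bearer_token.strip():
        problems.append("token: empty or padded with whitespace from copy/paste")
    try:
        user = json.loads(user_json)
    except json.JSONDecodeError as exc:
        return problems + [f"payload: not valid JSON ({exc.msg})"]
    if not isinstance(user, dict):
        return problems + ["payload: SCIM user must be a JSON object"]
    if USER_SCHEMA not in user.get("schemas", []):
        problems.append("payload: missing SCIM 2.0 User schema URN")
    user_name = user.get("userName", "")
    if not isinstance(user_name, str) or not EMAIL_RE.match(user_name):
        problems.append("userName: must be the user's email address")
    return problems


# Constructed sample payloads (not real users).
GOOD = json.dumps({"schemas": [USER_SCHEMA], "userName": "pat@example.com"})
BAD = json.dumps({"schemas": [USER_SCHEMA], "userName": "pat"})

if __name__ == "__main__":
    print(preflight("https://ironcladapp.com/scim/v2", "constructed-token", GOOD))
    print(preflight("https://ironcladapp.com/scim", " ", BAD))
```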