This topic will walk you through how to provision users with OneLogin SCIM. This includes how to create a bearer token, enable the API integration, and assign users/role/groups to Ironclad.
- You must be able to create Ironclad API bearer tokens in your Ironclad company.
- You must have a SAML SSO connector configured in your Ironclad company before provisioning users with SCIM.
Supported OneLogin Features
- Create Users
- Update User Attributes
- Deactivate Users
- Create Groups
Required Role: Admin
- In Ironclad, click on your profile icon located in the top right corner of Ironclad. Click Company Settings > API.
- Create a new bearer token for use by Azure. Name it something descriptive and memorable such as "OneLogin SCIM provisioning token".
- Copy the generated token that displays.
- Log in to your OneLogin admin account. Click the Applications tab, and then click Add App.
- When you add a new application, search for SCIM and select SCIM Provisioner with SAML (SCIM V2) either Core or Enterprise.
- Name this application (perhaps Ironclad), and select Save.
- Under the application, click the Configuration tab.
- For both of the SAML URLs, enter the SAML Callback URL from Ironclad’s Integrations page.
- In the SCIM Base URL field, enter https://ironcladapp.com/scim/v2 (or for the Ironclad Demo environment https://demo.ironcladapp.com/scim/v2), and in the SCIM Bearer Token field, enter the Ironclad API key.
- Click Enable to activate the SCIM connection to Ironclad.
Confirm the SCIM JSON Template and add any desired additional User Attributes in the Provisioning tab.
You must use the user's email address for the userName field.
- Click Save located in the top right.
- If you have SSO enabled, you must download the certificate from OneLogin and upload it to Ironclad on the SAML integrations page.
- In OneLogin, click the Provisioning tab.
- Select Enable Provisioning, and select the applicable synchronization options. Click Save.
Pushing users into Ironclad with SCIM is only supported when a single SAML configuration is in place in your Ironclad company.
- Under the main directory in OneLogin, click the Users dropdown, and then select Users.
- Select a user, and under the Applications tab, you can:
- Add the user to the application by clicking the Add button indicated by a plus sign.
- Assign the user a role that is mapped to the application.
- Click Save User.
OneLogin does not support updating or deleting groups in third-party applications via SCIM. Any subsequent updates to users will be reflected in Ironclad so long as the provisioning is set up correctly.
- For the first approach, you must first set up a rule in OneLogin to set groups in Ironclad to roles in OneLogin. You must then add users to these roles and they will be provisioned to groups created in Ironclad for those roles. Additionally, you can map these roles to OneLogin groups as well. To do this:
- Verify there is a Groups field under the Parameters tab and that the Include in User Provisioning box is checked.
- In OneLogin, click the Applications tab. In the left panel, click Rules > Add Rule.
- Edit the mapping and click Save. You can use this rule for all roles using the .* regular expression (below) or set up rules specific to the roles you want to push to Ironclad.
- Click the Users tab located at the top of the screen, and then click Roles from the dropdown.
- Locate Check existing or add new users to this role. Search for a user and then click Add to Rule.
- Another approach is to use Entitlements in OneLogin. To do this:
- In OneLogin, click the Applications tab. In the left panel, click Provisioning.
- Locate the Entitlements section. Click Refresh. Any groups that you created in Ironclad are added to the possible group assignments in OneLogin.
- Click Save to save any changes to the roles or user/group assignments.
You must manage group permissions in Ironclad after pushing groups via SCIM. Refer to the Group Permissions Overview for more information.
“User failed creating in app. Authorization failure.
The authorization header is invalid or missing."
Solution: Verify that you are using the correct SCIM Base URL. Refer to step 2.6 above.
“User failed creating in app. User validation failed: username:
Path `username` is invalid."
Solution: Ironclad requires an email address in the userName field. Refer to step 2.8 above.