- Create a Bearer Token
- Enable API Integration in OneLogin
- Assign Users to Ironclad
- Assign Roles/Groups to Ironclad
- Next Steps: Configure Group Permissions in Ironclad
- You must be able to create Ironclad API bearer tokens in your Ironclad company.
- You must have a SAML SSO connector configured in your Ironclad company before provisioning users with SCIM.
Supported OneLogin Features
- Create Users
- Update User Attributes
- Deactivate Users
- Create Groups
Create a Bearer Token
- Log in to Ironclad with a company Admin account and navigate to the Company Settings page by clicking your name in the top-right corner of the application and choosing Company Settings.
- Navigate to the API tab.
- Create a new bearer token for use by OneLogin. Name it something descriptive and memorable (e.g. "OneLogin SCIM provisioning token").
- Copy the generated token that appears.
Enable API Integration in OneLogin
- Log in to your OneLogin admin account and, under Applications, select Add App.
- When adding a new application, search for SCIM and select the SCIM Provisioner with SAML (SCIM V2), either Core or Enterprise.
- Name this application (perhaps Ironclad), and select Save.
- Under the application, click the Configuration tab.
- For both SAML URL fields, enter the SAML callback URL from the integrations page of Ironclad.
- Under API Connection, for the SCIM Base URL, enter https://ironcladapp.com/scim/v2 and for the SCIM Bearer Token, enter the Ironclad API key (the bearer token created above).
- Select the Enable button to activate the SCIM connection to Ironclad.
- On the top right, click Save.
- For SSO, you will also need to download the certificate and place it in Ironclad on the SAML integrations page.
- Go to the application's Provisioning tab.
- Select Enable Provisioning, and select however many of the three options for synchronization.
Assign Users to the Ironclad Application
Pushing users into Ironclad with SCIM is only supported when a single SAML configuration is in place in your Ironclad company.
- In the main directory, open the Users dropdown and click Users.
- Select a user, and under the Applications tab, either add the user to the application with the + button or assign the user a role that is mapped to the application (see more under the groups section).
- Select Save User at the top right.
Assign Roles/Groups to the Ironclad Application
- For the first approach, we first set up a Rule in OneLogin to set Groups in Ironclad to Roles in OneLogin. We then add users to these roles, and they will be provisioned to the groups created in Ironclad for those roles. We can also map these Roles to OneLogin Groups.
- From here, you can assign the user a role under either the Users screen (as shown above) or the Roles screen.
- Another approach is to use Entitlements. Under the Provisioning tab for the application, if Refresh Entitlements is selected, any groups created in Ironclad will be added to the possible group assignments in OneLogin.
- Click Save to save any changes to the Roles or user group assignments.
OneLogin does not currently support updating or deleting groups in third party applications via SCIM.
Any subsequent updates to users will be reflected in Ironclad so long as the provisioning is set up correctly.
Next Steps: Configure Group Permissions in Ironclad
Group permissions must be managed in Ironclad after pushing groups via SCIM. See Managing Permissions for more details about these settings.