Generic SCIM provisioning

You can now provision and sync users and groups from third-party identity stores by configuring a generic SCIM directory in EAA. You can use any SCIM provider that supports SCIM 2.0 version like OneLogin as the SCIM source and EAA as the SCIM target.

STEP 1: Create a new SCIM directory of type Generic in Enterprise Center

Configure a SCIM directory of type Generic in Enterprise Center and save the SCIM base URL and the Provisioning key.

  1. Log in to Enterprise Center.
  2. In the Enterprise Center navigation menu, select Application Access > Identity & Users > Directories.
  3. Select Add New Directory (+).
  4. Enter a name and description for the directory.
  5. In Directory Type select SCIM, and in SCIM Schema select Generic.
  6. Select Add New Directory.
  7. Open your new directory Settings > General and copy SCIM base URL. Save it for provisioning any generic SCIM source. For OneLogin see STEP 2: Create a new SCIM App in OneLogin
  8. In Settings > General select Create Provisioning Key.
  9. Enter a name and description for the key.
  10. Copy the Provisioning key by clicking on the copy to clipboard icon. Save it for provisioning any generic SCIM source.
  11. Select Save. The new SCIM directory appears on the directories list page.

STEP 2: Create a new SCIM App in OneLogin

ūüďė

Prerequisite

You must have an administrator account created in OneLogin portal.

  1. Go to your OneLogin portal.
  2. Add a SCIM Provisioner with SAML (SCIM v2 Core) app.
  3. Perform the initial setup to add app name, icons, and whether it is a personal or organizational app. Save changes.
  4. Additional configurations like Info, Configuration, Parameters, Rules, Single Sign-On, Access Control, Provisioning, and Users appear.
  5. In the Configuration tab, provide a Display Name for the SCIM app.
  6. Save it.
  7. In the Configuration tab, in API Connection, paste the SCIM Base URL from STEP 1.
  8. In the Configuration tab, in API Connection, paste the Provisioning key from STEP 1 to SCIM Bearer Token.
  9. In the Configuration tab, in API Connection, set API Status to Enabled.
  10. In the Users tab, add the Users, groups, and their roles.
  11. In the Provisioning tab, you can enable provisioning. This enables you to automate the provisioning tasks like creating, deleting, and updating users. You can also configure what actions can be done when users are deleted and suspended. Here you can provision users and provision groups.
  12. To provision users:
    a. Add application to users by Users > Users > select user > Applications > Add application > select SCIM app.
    b. Applications > Applications > Select > Users > Click on Pending.
  13. OneLogin doesn't have the concept of groups like other third-party SCIM providers. It only has roles that are similar to SCIM groups. Roles can be assigned to users and applications. To provision groups:
    a. Create a new role by selecting Users > Roles > New Role. Enter a name for the role.
    b. Click Save.
    c. To add users to the created role: Open created role, click Users and enter the name(s) of the user to add under Check existing or add new users to this role. Click Check > Add To Role.
    d. Users Added Manually section will have all the users of the selected role. Click Save
    e. To add SCIM application to the created role: Open created role, click Applications > Add apps button > Select apps to add > Click, Save
    f. You need to add rules to map the OneLogin roles to SCIM groups. Click Add rule to map OneLogin roles to SCIM groups: Applications > Applications > Select > Rules > Add Rule
    g. Give a Name for the rule.
    h. Under Actions,
    i. Select Set Groups in the SCIM application you created.
    ii. Select Map from OneLogin
    iii. In For each, select role
    iv. In the value that matches, enter the name of the role that needs to be created as a group on the SCIM server.
    i. Save the rule
    j. Save the application.

ūüďė

References:

OneLogin SCIM documentation and OneLogin Initial Setup and other configurations.