SCIM Integration with OneLogin (new)

Here is a quick demo of how it works with OneLogin.

Let’s create a SCIM test app in OneLogin to test the integration between your Jira/Confluence/Bitbucket SCIM implementation and OneLogin’s SCIM provisioning service.

1. Add your SCIM App (Jira/Confluence/Bitbucket) to OneLogin

The first step is adding the app to your OneLogin Applications.

1.1. Access OneLogin and go to Apps > Add Apps.

1.2. Search for and select SCIM Provisioner with SAML (SCIM v2 Core).

1.3. Give your SCIM test app a Display Name value that will help you recognize it.

1.4. Click Save.

2. Configure Your SCIM Test App

2.1. Select the Configuration tab.

2.2. Before proceeding, we need the parameter values from the target store that point OneLogin to your SCIM API server. Get the SCIM API URL and Bearer token on the Jira/Confluence/Bitbucket side, for example:

2.3. Fill in test data in the SAML Audience URL and SAML Consumer URL fields (it's just for the demo; we are not testing SAML now). Then fill in the SCIM Base URL and SCIM Bearer Token values:

The SCIM JSON Template contains the core User attributes by default, but you can define your own schema and mapping.

2.4. Click Enable.

2.5. Save the settings.

2.6. Now, if we go to Jira/Confluence/Bitbucket and open the plugin's Audit Log, we can see the request record (request received from OneLogin):

3. Configure Provisioning in OneLogin

3.1. Customize user provisioning

  1. Go to the app’s Provisioning tab.

  2. Select the checkboxes for Enable provisioning, Create user, Delete user, and Update user.

  3. For both of the drop-down menus, set the options to Suspend.

  4. Click Save.

3.2. Provisioning OneLogin Users into target app Groups

If your Jira/Confluence/Bitbucket directory (corresponding to the SCIM Base URL) already contains groups, you can bind users to them on the OneLogin side.

  1. Select the Parameters tab for your SCIM test app.

  2. Select Groups to display the Edit Field Groups panel.

  3. If the groups exist, they will display in the Available values area as shown in the screenshot below. Select the groups into which you want to provision users.

Note: To have your user groups display as available values when configuring provisioning, you must first refresh entitlements. To do this, in your app, go to the Provisioning tab and click Refresh.

Bind Application to users

Next, you need to bind the application directly to each OneLogin user that you want to provision.

  1. In OneLogin, click Users.

  2. Click a user.

  3. Click Applications.

  4. In the Applications table, click the add button (+).

  5. In the Assign new login settings, select our App, and click Continue:

  6. The next window appears, where we can adjust the user's group associations:

  7. After the user has been added, an Admin needs to approve the change before SCIM sends the request to Jira/Confluence/Bitbucket. Click the "pending" status to approve the user (the approval link can also be reached by going to Users > Provisioning).

  8. Click Approve. The Provisioning status will turn to Provisioned:

  9. Check the Jira (Confluence/Bitbucket) info.

Once the Provisioning status turns to Provisioned, it also means that the exchange with the target system has taken place:

If provisioning fails, you might see something like the following error:

The most common reason is an incorrect SCIM Base URL or SCIM Bearer Token setting in the OneLogin app.
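
A pre-flight check for the two values entered in step 2.3, as an added example (it is not part of OneLogin or the plugin). It assumes the SCIM API follows RFC 7644 and serves `/Users` under the SCIM Base URL; the function names are hypothetical.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Assumption: the SCIM server returns RFC 7644 list responses for GET /Users.
LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

def config_issues(base_url, token):
    """Static checks on the two values pasted into the OneLogin app."""
    issues = []
    parts = urlsplit(base_url)
    if parts.scheme != "https":
        issues.append("SCIM Base URL is not https: the bearer token would travel in cleartext")
    if not parts.netloc:
        issues.append("SCIM Base URL has no host")
    if not token or token != token.strip():
        issues.append("SCIM Bearer Token is empty or has leading/trailing whitespace")
    return issues

def diagnose(status, body):
    """Map the status and body of GET <base>/Users?count=1 to a likely cause."""
    if status in (401, 403):
        return "token rejected: check SCIM Bearer Token"
    if status == 404:
        return "endpoint not found: check SCIM Base URL"
    if status != 200:
        return f"unexpected HTTP {status}"
    try:
        schemas = json.loads(body).get("schemas", [])
        is_list = LIST_RESPONSE in schemas
    except (ValueError, AttributeError, TypeError):
        is_list = False  # e.g. an HTML login page answered instead of the SCIM API
    return "ok" if is_list else "not a SCIM endpoint: check SCIM Base URL"

def probe(base_url, token, timeout=10):
    """Send an authenticated SCIM request like the one the IdP will send."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/Users?count=1",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/scim+json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return diagnose(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return diagnose(err.code, "")
    except urllib.error.URLError as err:
        return f"cannot reach server: {err.reason}"
```

Run `config_issues(...)` first and call `probe(...)` only when it returns an empty list, so the token is never sent over plain HTTP.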