Automatically Fetch User Accounts without Manually Importing for OneLogin (via SCIM)
OneLogin (via SCIM)
Introduction:
OneLogin gives users the ability to access the applications and other resources they need to do their job by logging in once to a single interface. Platforms like OneLogin are known as Identity and Access Management (IAM) solutions that are primarily used to provide their users with a Single Sign-on (SSO) experience. OneLogin allows you to automatically send user account data (name, email, role, etc.) into external apps like Slack, Zoom, Salesforce, or your custom platform using SCIM without any CSV uploads or manual entry.
SCIM
SCIM (System for Cross-domain Identity Management) is a standard protocol that automates how users are created, updated, or removed across applications. With SCIM, OneLogin can sync user details, like name, email, role to apps like Zoom, or custom platforms that support SCIM.
SCIM helps by:
-
Automatically creating users when they’re added to OneLogin
-
Updating user info when their OneLogin profile changes
-
Disabling or deleting users from apps when removed in OneLogin
SCIM is ideal for improving security, reducing IT overhead, and ensuring consistent identity data across platforms.
SAML
SAML (Security Assertion Markup Language) is a standard used for Single Sign-On (SSO). It allows users to log in once to OneLogin and gain access to multiple connected apps (like G Suite, Zoom, or Salesforce) without logging in again.
How it works:
-
The user logs in to OneLogin.
-
OneLogin sends a secure login token (assertion) to the app (service provider).
-
The app trusts OneLogin and grants access, no separate password needed.
SAML is useful for improving security and user convenience. It’s often used alongside SCIM, where SAML handles authentication and SCIM handles user creation, updates, and removals.
What is Automatic User Provisioning via OneLogin?
Automatic provisioning means OneLogin pushes user details to your app when a user is added, updated, or deleted using the SCIM protocol. This reduces errors, saves IT time, and ensures data stays in sync.
What You Need to Integrate App with OneLogin (SCIM)
| Requirement | Description |
|---|---|
| SCIM API Endpoint | A web link where OneLogin can send create/update/delete user requests |
| Bearer Token | A secret token (like a password) so OneLogin can authenticate securely |
| SCIM 2.0 Support | Your app must support SCIM 2.0 (understand user creation/update requests) |
Use OneLogin’s SCIM connector to automatically create, update, or deactivate user accounts in your SCIM-compatible application.
What It Does:
-
Auto-creates users in your app.
-
Syncs updates to user info (like title, phone, etc.).
-
Deactivates/suspends users when removed in OneLogin.
Setup Steps:
Prepare Your App for SCIM Integration
-
Create a SCIM 2.0-compatible API endpoint in your app.
-
Generate a Bearer Token your app will recognize.
-
Support basic SCIM actions:
-
POST /Users (create)
-
PATCH /Users/{id} (update)
- DELETE /Users/{id} or deactivate (active: false)
-
Add Your App in OneLogin
-
Go to Admin Portal → Apps → Add App.
-
Search and select your app (e.g., Zoom, Slack, or Custom SCIM).
-
Save and go to the app configuration.
Enable SCIM Provisioning
Configure Provisioning Behavior
-
Choose what OneLogin does when:
-
A user is added → Create in your app
-
A user is updated → Sync changes
-
A user is removed → Suspend/Delete in your app
-
-
Toggle actions to "Automatically" if you don’t want manual approval.
Set Up User Mappings
-
Go to Users → Mappings.
-
Create or edit a mapping rule:
-
Assign users to the app based on role, department, etc.
-
Define how OneLogin sends attributes like name, email, title.
-
Assign the App to Users or Roles
-
Go to the Users tab:
-
Assign the app directly to users
-
Or assign it to a Role, then assign users to that role
-
If provisioning is active, users matching the rules will be auto-synced to your app.
What Happens Next?
Once integrated:
-
When a user is added to OneLogin → They are automatically created in your app.
-
If their profile changes in OneLogin → Your app is updated.
-
If they’re removed → OneLogin disables or deletes them in your app.
| Requirement | Purpose |
| SCIM API URL | Endpoint where OneLogin sends user actions |
| Bearer Token | Authenticates OneLogin to your app |
| SCIM 2.0 Support | Lets your app understand and apply user changes |
| OneLogin Step | Description |
| Add App | Add your SCIM-compatible app to OneLogin |
| Enable Provisioning | Enter SCIM URL + Token |
| Set Provisioning Rules | Choose when to create/update/delete users |
| Create Mappings | Map OneLogin attributes to your app fields |
| Assign Users/Roles | Control which users get sent to your app |