
Automatically fetch user accounts without manually importing for OneLogin (via SCIM)

OneLogin (via SCIM) 

OneLogin gives users the ability to access the applications and other resources they need to do their job by logging in once to a single interface. Platforms like OneLogin are known as Identity and Access Management (IAM) solutions that are primarily used to provide their users with a Single Sign-on (SSO) experience.

Think of a medieval worker coming to get their tools from within the castle walls.

 

Automatically Provision Users from OneLogin to an App Using SCIM 

Requirements: 

  • Your target application must support SCIM (e.g., Slack, Zoom, Atlassian, etc.). 

  • The app must be configured in OneLogin as a SCIM-enabled connector. 

 

Auto-Provision Users via SCIM in OneLogin 

 

Set Up the App in OneLogin 

  1. Go to OneLogin Admin Portal → Apps → Add App. 
  2. Search for the app (e.g., Slack, Zoom, Custom SCIM). 
  3. Choose the SCIM-enabled version of the app. 
  4. Save and configure it. 

 

Enable SCIM Provisioning 

  1. Go to the app’s Provisioning tab.  

  2. Turn on "Enable provisioning".  

  3. Set up SCIM Base URL and Bearer Token (get these from the app you’re connecting to).  

  4. Save settings. 

 

Configure Provisioning Settings 

Still under Provisioning, configure:

  • When users are added: automatically provision the user to the app 

  • When users are removed: suspend/delete in the app 

  • When a user is updated: update info in the app 

  • Toggle “Automatically” to avoid needing manual approval. 

 

Set up User Mappings 

  • Go to Users → Mappings. 

  • Create or edit a mapping that assigns users to the app based on conditions (e.g., role, department). 

  • Assign roles and apps automatically based on user attributes. 

 

Assign the App to Users or Roles 

Either: 

  • Go to the Users section → Assign App directly to individual users 

  • Or assign the app to a Role, and assign users to that role 

If provisioning is set to auto, the SCIM call will trigger and send the user to the connected app. 

 

Now what happens? 

When a user is created or updated in OneLogin and matches the criteria (mapping or manual assignment), OneLogin will: 

  • Auto-create the user in the SCIM-connected app. 

  • Sync attributes (name, email, title, etc.). 

  • Disable/suspend user in the app when removed in OneLogin. 
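
The lifecycle above expressed as SCIM 2.0 calls (RFC 7644), seen from the receiving app's side. This is an added example, not OneLogin's or any vendor's code: the ScimApp class, the token and the user values are constructed, and the exact payloads a given connector sends may differ.

```python
import hmac
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

class ScimApp:
    """Toy in-memory stand-in for the connected app's SCIM endpoint (constructed)."""
    def __init__(self, bearer_token):
        self._expected = f"Bearer {bearer_token}".encode()
        self.users = {}  # id -> SCIM User resource

    def handle(self, method, path, headers, body):
        # Every call must carry the bearer token configured on the Provisioning tab.
        presented = headers.get("Authorization", "").encode()
        if not hmac.compare_digest(presented, self._expected):
            return 401, {"detail": "invalid bearer token"}
        if method == "POST" and path == "/Users":  # user added -> create
            if USER_SCHEMA not in body.get("schemas", []):
                return 400, {"detail": "missing core User schema"}
            if any(u["userName"] == body["userName"] for u in self.users.values()):
                return 409, {"detail": "userName already exists"}
            user = {"active": True, **body, "id": str(len(self.users) + 1)}
            self.users[user["id"]] = user
            return 201, user
        if method == "PATCH" and path.startswith("/Users/"):  # update or suspend
            user = self.users.get(path.rsplit("/", 1)[1])
            if user is None:
                return 404, {"detail": "no such user"}
            for op in body["Operations"]:
                if op["op"].lower() == "replace" and "path" in op:
                    user[op["path"]] = op["value"]
            return 200, user
        return 404, {"detail": "unsupported endpoint"}

def patch(path, value):
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": path, "value": value}]}

def lifecycle_demo():
    app = ScimApp("constructed-token-123")  # constructed sample token
    auth = {"Authorization": "Bearer constructed-token-123"}
    new_user = {"schemas": [USER_SCHEMA], "userName": "jdoe@example.com",
                "name": {"givenName": "Jane", "familyName": "Doe"}, "title": "Analyst"}
    statuses = [app.handle("POST", "/Users", {}, new_user)[0]]          # no token
    status, created = app.handle("POST", "/Users", auth, new_user)      # auto-create
    statuses += [status, app.handle("POST", "/Users", auth, new_user)[0]]  # duplicate
    url = f"/Users/{created['id']}"
    app.handle("PATCH", url, auth, patch("title", "Senior Analyst"))    # attribute sync
    statuses.append(app.handle("PATCH", url, auth, patch("active", False))[0])  # removed
    return statuses, app.users[created["id"]]
```

The unauthenticated call is rejected before any user data is touched, and removal arrives as a PATCH that sets active to false rather than a delete.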

 

Just-in-Time (JIT) Provisioning 

Some apps (like G Suite, Zoom, etc.) allow JIT provisioning via SAML when the user logs in for the first time. SCIM is still used for full lifecycle management (e.g., deprovisioning, updates). 

 

No Manual Import Needed 

Provisioning: Enable in App settings (Provisioning tab) 

Auto-Provision: Enable auto-create/update/delete 

Assignment: Use Roles, Mappings, or direct assignment 

SCIM: Set endpoint URL and token from the app