
Automatically Fetch User Accounts without Manually Importing for OneLogin (via SCIM)

OneLogin (via SCIM) 

Introduction: 

OneLogin gives users the ability to access the applications and other resources they need to do their job by logging in once to a single interface. Platforms like OneLogin are known as Identity and Access Management (IAM) solutions that are primarily used to provide their users with a Single Sign-on (SSO) experience.

SCIM

SCIM (System for Cross-domain Identity Management) is a standard protocol that automates how users are created, updated, or removed across applications. With SCIM, OneLogin can sync user details such as name, email, and role to apps like Zoom or to custom platforms that support SCIM.

SCIM helps by:

  • Automatically creating users when they’re added to OneLogin

  • Updating user info when their OneLogin profile changes

  • Disabling or deleting users from apps when removed in OneLogin

SCIM is ideal for improving security, reducing IT overhead, and ensuring consistent identity data across platforms.

Just-in-Time (JIT) Provisioning 

Some apps (like G Suite, Zoom, etc.) allow JIT provisioning via SAML when the user logs in for the first time. SCIM is still used for full lifecycle management (e.g., deprovisioning, updates).

SAML


SAML (Security Assertion Markup Language) is a standard used for Single Sign-On (SSO). It allows users to log in once to OneLogin and gain access to multiple connected apps (like G Suite, Zoom, or Salesforce) without logging in again.

How it works:

  • The user logs in to OneLogin.

  • OneLogin sends a secure login token (assertion) to the app (service provider).

  • The app trusts OneLogin and grants access; no separate password is needed.

SAML is useful for improving security and user convenience. It’s often used alongside SCIM, where SAML handles authentication and SCIM handles user creation, updates, and removals.

Automatically Provision Users from OneLogin to an App Using SCIM 

Requirements: 

  • Target application must support SCIM (e.g., Slack, Zoom, Atlassian, etc.).
  • The app must be configured in OneLogin as a SCIM-enabled connector. 

Auto-Provision Users via SCIM in OneLogin 

SCIM (System for Cross-domain Identity Management) automates user account creation, updates, and deactivation between OneLogin and external apps. Once configured, OneLogin can instantly push user info like name, email, and title into SCIM-supported applications without manual import. This ensures consistent access control and keeps user account data accurate across systems. 

Setup steps

Set Up the App in OneLogin 
  1. Go to OneLogin Admin Portal → Apps → Add App.
  2. Search for the app (Slack, Zoom, Custom SCIM).
  3. Choose the SCIM-enabled version of the app.
  4. Save and configure it. 

Enable SCIM Provisioning 
  1. Go to the app’s Provisioning tab.  

  2. Enable "Enable provisioning".  

  3. Set up SCIM Base URL and Bearer Token (get these from the app you’re connecting to).  

  4. Save settings. 

Configure Provisioning Settings 
Still under Provisioning, configure:
  • When users are added: automatically provision the user to the app
  • When users are removed: suspend/delete in the app
  • When a user is updated: update info in the app
  • Toggle “Automatically” to avoid needing manual approval. 

Set up User Mappings 
  1. Go to Users → Mappings.

  2. Create or edit a mapping that assigns users to the app based on conditions (role, department).

  3. Assign roles and apps automatically based on user attributes. 

Assign the App to Users or Roles 

Either: 

  • Go to the Users section → Assign App directly to individual users
  • Or assign the app to a Role, and assign users to that role

If provisioning is set to auto, the SCIM call will trigger and send the user to the connected app. 

 

Now what happens? 

When a user is created or updated in OneLogin and matches the criteria (mapping or manual assignment), OneLogin will:

  • Auto-create the user in the SCIM-connected app.
  • Sync attributes (name, email, title, etc.).
  • Disable/suspend user in the app when removed in OneLogin.
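
The create, update and disable calls listed above, shown as a generic SCIM 2.0 exchange (RFC 7643/7644) against a small in-memory receiver that checks the bearer token. This is an added example, not OneLogin's or any app's own code; `ScimApp`, the token and the user values are constructed, and OneLogin's actual requests may differ in detail.

```python
import hmac, uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
TOKEN = "constructed-example-token"  # placeholder; the real token comes from the app

class ScimApp:
    """Hypothetical in-memory SCIM service provider (the receiving app)."""
    def __init__(self, token):
        self.token, self.users = token, {}

    def handle(self, method, path, bearer, body=None):
        # Reject any call without the shared bearer token (constant-time compare).
        if not hmac.compare_digest(bearer.encode(), self.token.encode()):
            return 401, {"detail": "invalid bearer token"}
        if method == "POST" and path == "/Users":
            if any(u["userName"] == body["userName"] for u in self.users.values()):
                return 409, {"scimType": "uniqueness"}  # simplified error body
            user = dict(body, id=str(uuid.uuid4()))
            self.users[user["id"]] = user
            return 201, user
        user = self.users.get(path.rsplit("/", 1)[-1])
        if method == "PATCH" and user is not None:
            for op in body["Operations"]:
                if op["op"].lower() == "replace" and "path" in op:
                    user[op["path"]] = op["value"]
            return 200, user
        return 404, {"detail": "not found"}

def create_request(user_name, given, family, title):
    # Body of POST /Users: sent when a user is assigned to the app.
    return {"schemas": [USER_SCHEMA], "userName": user_name,
            "name": {"givenName": given, "familyName": family},
            "title": title, "active": True}

def patch_request(attr, value):
    # Body of PATCH /Users/{id}: attribute sync, or active=False to disable.
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": attr, "value": value}]}

def lifecycle():
    app = ScimApp(TOKEN)
    s1, user = app.handle("POST", "/Users", TOKEN,
                          create_request("ana@example.com", "Ana", "Diaz", "Analyst"))
    url = "/Users/" + user["id"]
    s2, user = app.handle("PATCH", url, TOKEN, patch_request("title", "Manager"))
    s3, user = app.handle("PATCH", url, TOKEN, patch_request("active", False))
    s4, _ = app.handle("PATCH", url, "wrong-token", patch_request("active", True))
    return [s1, s2, s3, s4], user
```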

 

No Manual Import Needed 
  • Provisioning: Enable in App settings (Provisioning tab)
  • Auto-Provision: Enable auto-create/update/delete
  • Assignment: Use Roles, Mappings, or direct assignment
  • SCIM: Set endpoint URL and token from the app