Automatically Fetch User Accounts without Manually Importing for OneLogin (via SCIM)

OneLogin (via SCIM)

Introduction:

OneLogin gives users the ability to access the applications and other resources they need to do their job by logging in once to a single interface. Platforms like OneLogin are known as Identity and Access Management (IAM) solutions that are primarily used to provide their users with a Single Sign-on (SSO) experience. OneLogin allows you to automatically send user account data (name, email, role, etc.) into external apps like Slack, Zoom, Salesforce, or your custom platform using SCIM without any CSV uploads or manual entry.

SCIM

SCIM (System for Cross-domain Identity Management) is a standard protocol that automates how users are created, updated, or removed across applications. With SCIM, OneLogin can sync user details, like name, email, role to apps like Zoom, or custom platforms that support SCIM.

SCIM helps by:

Automatically creating users when they’re added to OneLogin
Updating user info when their OneLogin profile changes
Disabling or deleting users from apps when removed in OneLogin

SCIM is ideal for improving security, reducing IT overhead, and ensuring consistent identity data across platforms.

Just-in-Time (JIT) Provisioning

~~Some apps (like G Suite, Zoom, etc.) allow JIT provisioning~~ ~~via SAML when the user logs in for the first time. SCIM is still used for full lifecycle management (e.g., deprovisioning, updates).~~

SAML

SAML (Security Assertion Markup Language) is a standard used for Single Sign-On (SSO). It allows users to log in once to OneLogin and gain access to multiple connected apps (like G Suite, Zoom, or Salesforce) without logging in again.

How it works:

The user logs in to OneLogin.
OneLogin sends a secure login token (assertion) to the app (service provider).
The app trusts OneLogin and grants access, no separate password needed.

SAML is useful for improving security and user convenience. It’s often used alongside SCIM, where SAML handles authentication and SCIM handles user creation, updates, and removals.

What is Automatic User Provisioning via OneLogin?

Automatic provisioning means OneLogin pushes user details to your app when a user is added, updated, or deleted using the SCIM protocol. This reduces errors, saves IT time, and ensures data stays in sync.

What You Need to Integrate App with OneLogin (SCIM)

Requirement	Description
SCIM API Endpoint	A web link where OneLogin can send create/update/delete user requests
Bearer Token	A secret token (like a password) so OneLogin can authenticate securely
SCIM 2.0 Support	Your app must support SCIM 2.0 (understand user creation/update requests)

~~Automatically~~Set ~~Provision~~Up ~~Users~~SCIM Integration from OneLogin to anYour App

~~Using~~

Description:

Use OneLogin’s SCIM connector to automatically create, update, or deactivate user accounts in your SCIM-compatible application.

~~Requirements~~:What It Does:

~~Target~~ ~~application~~
Auto-creates ~~must~~users ~~support~~in ~~SCIM~~your ~~(e.g.,~~app.
~~Slack, Zoom, Atlassian, etc.).~~
~~The app must be configured in OneLogin as a SCIM-enabled connector~~.

Syncs

Auto-Provisionupdates Users via SCIM in OneLogin

~~SCIM (System for Cross-domain Identity Management) automates user account creation, updates, and deactivation between OneLogin and external apps. Once configured, OneLogin can instantly push~~to user info (like ~~name,~~title, ~~email,~~phone, ~~and title into SCIM-supported applications without manual import. This ensures consistent access control and keeps user account data accurate across systems.~~ etc.).

Deactivates/suspends users when removed in OneLogin.

StepsSetup upon setupSteps:

Prepare Your App for SCIM Integration

Create a SCIM 2.0-compatible API endpoint in your app.

Generate a Bearer Token your app will recognize.

Support basic SCIM actions:
- POST /Users (create)
- PATCH /Users/{id} (update)
- DELETE /Users/{id} or deactivate (active: false)

SetAdd Up theYour App in OneLogin

Go to ~~OneLogin~~ Admin Portal → Apps → Add App.
Search ~~for~~and select your app (e.g., Zoom, Slack, or Custom SCIM).

Save and go to the app ~~(Slack,~~configuration.
~~Zoom, Custom SCIM~~).
~~Choose the SCIM-enabled version of the app.~~

~~Save and configure it.~~

Enable SCIM Provisioning

GoNavigate to the ~~app’s~~Provisioning ~~Provisioning~~tab ~~tab.~~in the app.
Enable "Enable ~~provisioning"~~Provisioning".
~~Set~~Enter:
up
- SCIM Base URL ~~and Bearer Token~~ (~~get these~~ from ~~the~~your ~~app~~ ~~you’re~~ ~~connecting to).~~ app)
- ~~Save~~Bearer ~~settings~~.Token (from your app)

Save your settings.

Configure Provisioning Settings Behavior

Choose what OneLogin does when:
- ~~Still~~ ~~under Provisioning, configure:~~
- ~~When users are added, automatically~~ ~~provision user to the app~~
- ~~When users are removed,~~ ~~Suspend/delete~~ ~~in the app~~
- ~~When~~
  A user is ~~updated,~~added ~~Update~~→ ~~info~~Create in ~~the~~your app
- ~~Toggle “Automatically” to avoid needing manual approval.~~

Set up User Mappings

~~Go to Users → Mappings~~.
A user is updated → Sync changes

A user is removed → Suspend/Delete in your app

Toggle actions to "Automatically" if you don’t want manual approval.

Set Up User Mappings

Go to Users → Mappings.

Create or edit a mapping ~~that~~rule:
~~assigns~~
- Assign users to the app based on ~~conditions (~~role, ~~department).~~department, etc.
- ~~Assign~~Define ~~roles~~how ~~and~~OneLogin ~~apps~~sends ~~automatically~~attributes ~~based~~like onname, ~~user~~email, ~~attributes.~~ title.

Assign the App to Users or Roles

~~Either:~~

Go to the Users ~~section~~tab:
→
- Assign ~~App~~the app directly to ~~individual~~users
  ~~users~~
- Or assign ~~the app~~it to a ~~Role~~,Role, ~~and~~then assign users to that role

If provisioning is ~~set~~active, users matching the rules will be auto-synced to ~~auto, the SCIM call will trigger and send the user to the connected~~your app.

What
Happens
Now what happens? Next?

Once integrated:

When a user is added to OneLogin → They are automatically created orin updatedyour app.

If their profile changes in OneLogin and→ matchesYour theapp criteriais (mappingupdated.

If they’re removed → OneLogin disables or manualdeletes assignment), OneLogin will:

Auto-create the userthem in the SCIM-connectedyour app.

Sync attributes (name, email, title, etc.).

Disable/suspend user in the app when removed in OneLogin.

No Manual Import Needed
fromthe

ProvisioningRequirement Enable in App settings (Provisioning tab)Purpose

Auto-ProvisionSCIM API URL Endpoint
Enablewhere auto-create/update/deleteOneLogin
sends user actions

AssignmentBearer Token Authenticates
UseOneLogin Roles,to Mappings,your or direct assignment
app

SCIM 2.0 Support Lets
Setyour endpointapp understand and apply user changes
OneLogin Step Description
Add App Add your SCIM-compatible app to OneLogin
Enable Provisioning Enter SCIM URL and+ tokenToken

Set Provisioning Rules Choose when to create/update/delete users
Create Mappings Map OneLogin attributes to your app
fields
Assign Users/Roles Control which users get sent to your app

~~Provisioning~~Requirement	~~Enable in App settings (Provisioning tab)~~Purpose
~~Auto-Provision~~SCIM API URL	Endpoint ~~Enable~~where ~~auto-create/update/delete~~OneLogin sends user actions
~~Assignment~~Bearer Token	Authenticates ~~Use~~OneLogin ~~Roles,~~to ~~Mappings,~~your ~~or direct assignment~~ app
SCIM 2.0 Support	Lets ~~Set~~your ~~endpoint~~app understand and apply user changes
OneLogin Step	Description
Add App	Add your SCIM-compatible app to OneLogin
Enable Provisioning	Enter SCIM URL ~~and~~+ ~~token~~Token
Set Provisioning Rules	Choose when to create/update/delete users
Create Mappings	Map OneLogin attributes to your app fields
Assign Users/Roles	Control which users get sent to your app