See scim Menu

Step 3. Create a SCIM Test App

Create a SCIM test app in OneLogin to test the integration between your app’s SCIM implementation and OneLogin’s SCIM provisioning service.

Prerequisites

  • You can vastly simplify testing by opening up your SCIM development server to the internet.

    If you must test from behind a firewall, you must use an HTTP reverse proxy, such as Apache or IIS with Application Request Routing. The HTTP reverse proxy sits behind the firewall and brokers communication between your app’s SCIM server and OneLogin’s SCIM provisioning service. Contact scim-support@onelogin.com for more information.

  • Your SCIM implementation must support OAuth 2.0.

    Specifically, you must be able to generate an Authorization bearer token that is unique to each customer account, which the OneLogin SCIM provisioning service will use to access your SCIM API. Likewise, you must also be able to validate this Authorization bearer token when it is passed to your SCIM API by the OneLogin SCIM provisioning service.

Create Your SCIM Test App

  1. Access OneLogin and go to Apps > Add Apps.

  2. Search for and select SCIM Provisioner with SAML (Core Schema) or SCIM Provisioner with SAML (Enterprise Schema), depending on your schema needs. For details about these schemas, see Step 1. Define Your SCIM User Schema.

  3. Give your SCIM test app a Display Name value that will help you recognize it.

  4. Select Save.

Configure Your SCIM Test App

  1. Select the Configuration tab.

  2. If you are testing SAML, as well as SCIM, provide the appropriate values in the SAML Audience URL and SAML Consumer URL fields.

    • SAML Audience URL: Describes an entity that is expected to receive the SAML message. Typically, the format for this URL resembles a simple domain, so for a consumer URL of google.com/SAML/consume, the audience URL would be google.com.

    • SAML Consumer URL: Address to which the SAML response should be posted.

  3. Provide your SCIM Base URL value. This is the address that points OneLogin to your SCIM API server.

    • If your SCIM server is in the cloud, enter your SCIM server URL. For example: https://<final_destination>.com.

    • If your SCIM server is on-premise behind a firewall, you must add a prefix to the SCIM server URL. The prefix engages the reverse proxy that brokers requests and responses through the firewall. For example: https://proxy_service.example.com/<final_destination>.com.

      However, know that you can vastly simplify testing by opening up your SCIM development server to the internet.

      If you must test from behind a firewall, you must use an HTTP reverse proxy, such as Apache or IIS with Application Request Routing. The HTTP reverse proxy sits behind the firewall and brokers communication between your app’s SCIM server and OneLogin’s SCIM provisioning service. Contact scim-support@onelogin.com for more information.

  4. Provide your SCIM JSON Template value. See Step 1. Define Your SCIM User Schema for details about how to define your template.

    If you leave this field blank, we will use the OneLogin Core User Schema or OneLogin Enterprise User Schema, depending on the SCIM Provisioner with SAML app you added.

    Note: The active:{condition} attribute will be programmatically included in the user payload when creating, updating, or deactivating a user.

  5. Provide your Custom Headers value. This should typically include your host value, which is required only if your SCIM server resides behind a firewall. See Prerequisites for more info. In this case, set this field value to the target SCIM endpoint (same value that you entered in the SCIM Base URL field), but prefixed by Host:.

    For example: Host: https://proxy_service.example.com/<final_destination>.com

  6. Provide your SCIM Bearer Token value. This token authenticates requests and responses sent between the OneLogin SCIM provisioning service and your SCIM server.

  7. Select Save.

For a cloud-based SCIM server based on the SCIM Provisioner wth SAML (Core Schema) app and using the OneLogin Core User Schema as-is, your Configuration tab should look something like the following example. As mentioned earlier, when no SCIM JSON Template value is provided, the SCIM Provisioner wth SAML (Core Schema) app uses the OneLogin Core User Schema.

Connect Your SCIM Test App to Your SCIM Implementation

  1. Access the Configuration tab for your SCIM test app.
  2. Select Enable. The app will attempt to make an initial connection to the SCIM base URL defined for your SCIM test app.

    This initial connection does not invoke any actual provisioning and just makes a GET request for a user value that OneLogin knows does not exist. If the request receives a 404 status code as a response, it confirms that the endpoint is valid and the API Status displays as Enabled.

Provisioning Users into Groups

The SCIM Provisioner with SAML app (Core Schema or Enterprise Schema) supports group provisioning without the use of the SCIM JSON template defined for the app. By default, it is available as a parameter on the Parameters tab:

To enable group provisioning:

  1. Select the Parameters tab for your SCIM test app.

  2. Select Groups to display the Edit Field Groups panel.

  3. If the SCIM Base URL value you connected the app to on the Configuration tab contains groups, they will display in the Available values area as shown in the screenshot below.

    Note: To have your user groups display as available values when configuring provisioning, you must first refresh entitlements. To do this, in your Slack app, go to the Provisioning tab and click Refresh.

  4. Select the groups into which you want to provision users in the Available values column and move them to the Selected values column.

  5. Scroll down and select the Include in User Provisioning option.

    Note: This option displays only after you have connected your app on the Configuration tab and have selected the Enable provisioning for option on the Provisioning tab.

  6. Select Save.

Provisioning Custom User Fields to Users

The SCIM Provisioner with SAML app (Core Schema or Enterprise Schema) supports provisioning custom user field values to users. There are three steps to setting this up:

  1. Add custom attributes to your JSON template.

  2. Add custom user fields to OneLogin. Ensure that the Shortname value you provide is the same as the custom attribute name in your JSON template.

  3. Add custom user field parameters in your SCIM test app.

This section describes how to perform step 3.

To add custom user field parameters in your SCIM test app:

  1. Access the Parameters tab for your SCIM test app.

  2. Select Add parameter.

  3. In the Field Name field, enter the Shortname value that you entered when creating the custom user field in OneLogin as shown below. 

  4. Select the Include in User Provisioning option.

    Note: This option displays only after you have connected your app on the Configuration tab and have selected the Enable provisioning for option on the Provisioning tab.

  5. Select the parameter row you just created.

  6. In the Value drop-down, select the custom user field value you just created in OneLogin, if you know that the test user you are going to provision using this test SCIM provisioning app will be able to provision with this value.

    If not, select another value that you know the test user will contain.

    Because this app is for testing purposes, you just need to validate that the custom user attribute you defined in your user JSON template can receive a value.

  7. When you contact OneLogin to publish your app, we will do the work to ensure that your custom attribute can receive the actual appropriate values from your app’s customers.

Using Rules to Provision Users to Groups

You can define rules to provision subsets of OneLogin users into groups in your SCIM test app. For example, you can define a subset of users by filtering on a specific OneLogin user attribute value and then define an action that provisions the subset of users to a specific group in your SCIM test app.

To add group provisioning rules to your SCIM test app:

  1. Access the Rules tab for your SCIM test app.

  2. Click New rule to open the New Mapping dialog, where you can set the conditions and actions that determine which users will be provisioned from OneLogin to specific groups in your SCIM test app.

  3. Give your rule a name.

  4. In the Conditions area, click + to add a condition. Use the fields to define a condition that defines a subset of users to be acted upon by the rule. Conditions are based on OneLogin user attribute values.

    For examples, see these Rule Mapping Examples.

  5. In the Actions area, click + to add an action. Use the fields to define the action that will be performed on users by the rule. Available actions include:

    • Create a new group in your SCIM test app and provision users to it

    • Provision users to an existing group in your SCIM test app

    For examples, see these Rule Mapping Examples.

  6. Click Save.

  7. To add another provisioning rule, click New rule.

  8. The order in which rules are applied matters and can impact provisioning results. Drag and drop the rule rows to put them in the order that produces correct results. To test results, see the next step.

  9. Click Show Affected Users to see which users will be affected by the provisioning rule as configured. Review the list to ensure that only intended users are listed.

  10. Click Save.

  11. Go to the More Actions menu and click Reapply Provisioning Mappings to apply the new rule.

    Important! You must reapply mappings any time you create or update rules.

Rule Mapping Examples

Here are some rule configuration examples that address common implementation scenarios.

Provision Members of an AD/LDAP Security Group to New Groups in Your SCIM App

To do this, define a rule mapping like this one:

Conditions

For use cases like this one in which you are provisioning users to new groups in your SCIM app, no conditions need to be set. All settings are configured in the Actions area.

Actions

  1. In the first drop-down, select Set Groups in SCIM App Name to provision OneLogin users to groups in your SCIM app.

  2. Select the Map from OneLogin option to provision users to new groups in your SCIM app created based on information in OneLogin.

  3. Select a For each value of memberOf to provision users to your SCIM app based on their member_of user attribute value.

    The OneLogin member_of user attribute value is populated by Active Directory (AD) and reflects the user’s membership in an AD/LDAP security group.

  4. To identify the AD/LDAP security groups that will be used to create groups in your SCIM app and provision users to them, provide a regular expression (regex) in the adjacent field.

    Provisioning will parse through AD/LDAP security group data and apply the regex. For each matching value, a group will be created in your SCIM app. Any users who are members of a matching AD/LDAP security group in OneLogin will be provisioned to the newly created group in your SCIM app.

    For key regex guidance and examples, see Using Regex to Provision Members of AD/LDAP Groups to New App Groups.

Provision Members of an AD/LDAP Security Group to an Existing Group in Your SCIM App

To do this, define a rule mapping like this one:

Conditions

  1. In the first drop-down, select MemberOf to provision users based on their member_of user attribute value. The OneLogin member_of attribute value is populated by AD and reflects the user’s membership in an AD/LDAP security group.

  2. Use the two adjacent fields to write a condition to select the AD/LDAP security groups that contain the users that you want to provision to your app.

Actions

  1. In the first drop-down, select Set Groups in SCIM App Name to provision users in the selected AD/LDAP security groups.

  2. Select the From Existing option to provision users to an existing group in your SCIM app.

  3. Select the existing group in your SCIM app to which you want to provision the users who are members of the selected AD/LDAP security group.

    If you selected a subset of groups on the Parameters tab as discussed in Provisioning Users into Groups, only that subset of groups will be selectable here.


Have a Question?

Found a problem or a bug? Submit a support ticket.

Looking for walkthroughs or how-to guides on OneLogin's user and admin features? Check out the documentation in our Knowledge Base.

Have a product idea or request? Share it with us in our Ideas Portal.