OneLogin (SCIM)
Follow the instructions below to set up the provisioning of users from OneLogin. Read more in OneLOgin's official SCIM documentation.
When configuring SAML or OIDC later, you will want to use the SCIM app you just created instead of creating a SAML/OIDC app described by the SAML/OIDC OneLogin wizard. The steps should otherwise be mostly the same for the generic SAML/OIDC app, with some minor differences. Make sure to select “accounts already exist” for the SAML/OIDC provisioning option.
To begin the SCIM configuration, select Cloud user provisioning, then select OneLogin under the SCIM header from the Add directory dropdown.
Introduction and network preparation
Tenant configuration
Configure SCIM in OneLogin
Open the OneLogin admin portal.
Click the Applications menu tab, then select Applications
Click the Add app button in the top right corner
Find and select the SCIM Provisioner with SAML (SCIM v2 Core) template
In the search box, enter SCIM Provisioner
Click the search result
Add a name for the app, then click Save
Configuration tab: Configure provisioning
Move to the Configuration tab. Make a note of the SAML configuration fields at the top. You will need these when configuring SAML SSO later. For now, we'll focus on provisioning.
Copy the SCIM tenant URL and application secret into OneLogin:
Copy the Base URL into the SCIM Base URL field
Copy the App secret into the SCIM Bearer Token field
Copy the below SCIM JSON template into OneLogin
{ "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:User", "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" ], "userName": "{$parameters.scimusername}", "name": { "givenName": "{$user.firstname}", "familyName": "{$user.lastname}", "formatted": "{$user.display_name}" }, "emails": [{ "value": "{$user.email}", "type": "work", "primary": true }] }
Verify settings
Your OneLogin configuration tab should now look something like this. When done, click save, then enable
Enable provisioning
Go to the Provisioning tab and select Enable provisioning. Optionally deselect all admin approval requirements and change the user deletion action to delete instead of suspend, as shown in the below screenshot. Click Save
Configure group provisioning
Roles in OneLogin can be provisioned as Atlassian/SCIM groups using rules. You can skip this step if you only need to provision user accounts and intend to manage groups in the Atlassian application.
Add a role-to-groups rule.
Go to the Rules tab. Click Add Rule
Enter a name for the rule
Select Map from OneLogin (note, the option only becomes available once you enable provisioning)
Select
role
as the source and enter the pattern(.+)
to provision every role assigned to the application as a group
Finally, click Save
Enable group attribute provisioning
Go to the Parameters tab. Click on Groups in the parameter list, then select Include in user provisioning. Then click Save
Assign users/roles to the application
Click the Access tab and assign roles to the application. This controls the set of users that will have access to the application and be provisioned.
Forcing resync in OneLogin
There are multiple ways to force resync from OneLogin, on varying levels and granularity:
Under Applications > [Application], the top menu has a tools drawer with the options “Sync logins” and “Reapply mappings.”
Under Applications > [Application] > Users, there’s an “Apply to all” tools drawer with the options “Reset” and “Reapply mappings.”
Under Applications > [Application] > Provisioning, there’s a “Refresh” link at the bottom. Use this to reset/release group IDs.
On each user account/detail view, you may disassociate the user or reset the user’s login.
OneLogin notes
SCIM groups that have already been provisioned are not deleted when removing the corresponding roles in OneLogin. Users are merely unassigned. You must manually delete these groups if you want to get rid of them.