SCIM Setup for OneLogin

Introduction

SCIM (System for Cross-Domain Identity Management) is an open standard that automates user provisioning and user lifecycle management, and it is supported by the modern IDP vendor OneLogin.

MangoApps now supports SCIM with OneLogin via SAML. When MangoApps is configured with OneLogin SCIM provisioning, it acts as the SCIM service provider and implements the SCIM APIs on its side. With this feature, you can create, update, modify and deactivate users in OneLogin, and the changes are automatically synced to MangoApps, which updates the user information.

Configure SCIM Provisioning in OneLogin

You can configure user mappings to sync user profiles via SAML based provisioning with SCIM.

  1. Log in to the OneLogin Portal with administrator rights.

  2. Click on the Administration option.

  3. From the OneLogin Admin Portal, go to the Application Tab.

  4. From the Application Tab, click Add App.

  5. In the Search Tab, enter SCIM in the field. Select the required version of SCIM from the list:

  • SCIM Provisioner with SAML (Scheme v2 Core)

  • SCIM Provisioner with SAML (Scheme v2 Enterprises)

Configuration:

You need to create a profile first. To create a profile, follow the steps below:

  1. Enter the name of the SAML IDP (Identity Provider) such as OneLogin in the Display Field.

  2. Upload a logo if you wish to.

  3. Enter the description.

  4. Click Save.

Once the profile is created, enter the Application details in the Configuration tab.

  • Enter the SAML Audience URL from the MangoApps Admin Portal. Refer to Add SSO Connection for SAML Audience URL details.

  • Enter the SAML Consumer URL from the MangoApps Admin Portal. Refer to Add SSO Connection for Consumer URL details.

  • Go to More Actions and select SAML Metadata. This will download the metadata file.

Use the IDP-provided metadata URL/file to simplify the configuration process. The metadata prepopulates IDP information such as the EntityID, the endpoints (Single Sign On Service Endpoint, Single Logout Service Endpoint), the public X.509 certificate and the NameId Format. Upload the metadata file to the MangoApps OneLogin connector that you will create from the MangoApps Admin portal.

Select the Upload option and then upload the file.

Enable API Connection:

To enable the API Connection:

  1. Enter the SCIM Base URL from MangoApps. Refer to Configure User Mapping to get the SCIM Base URL.

  2. Copy the Enterprise schema from MangoApps to OneLogin.

  3. Configure the SCIM bearer token generated by MangoApps in your company’s OneLogin account.

  4. Enable the API Connection.

Refer to Configure User Mapping for more details.

Provisioning

MangoApps is SCIM 2.0 compliant and supports user provisioning, user updates and user de-provisioning using the SCIM protocol.

The following SCIM APIs are supported by MangoApps:

  • Get User With UserName Filter

  • Get User By ID

  • Create User

  • Update User

  • De-Activate/Activate User

  • Get Users

User de-provisioning / de-activation in MangoApps also happens in real time when the user is de-provisioned in OneLogin.

  1. Enable Provisioning from OneLogin.

  2. Select the actions from the list:

    1. Create User

    2. Delete User

    3. Update user

    Note: When a user is either deleted or deactivated in OneLogin, MangoApps only deactivates the user.

  3. Click Save.
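To make the six supported operations and the delete-becomes-deactivate rule concrete, here is an added example: a hypothetical in-memory SCIM 2.0 service provider written for this page, not MangoApps' own implementation. The bearer token value, the userName-only filter support and the "DELETE only sets active to false" behaviour are modelled on the text above; everything else (class and method names, status codes) is an assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical model of the SCIM operations the page lists (not MangoApps code);
# the token below is a constructed stand-in for the one MangoApps generates.
SCIM_BEARER_TOKEN = "constructed-example-token"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


class ScimServiceProvider:
    def __init__(self, token=SCIM_BEARER_TOKEN):
        self.token, self.users, self.next_id = token, {}, 1

    def handle(self, method, url, headers, body=None):
        # Every call must carry the token configured in OneLogin's API Connection tab.
        if headers.get("Authorization") != "Bearer " + self.token:
            return 401, {"detail": "invalid or missing bearer token"}
        parts = urlsplit(url)
        user_id = parts.path[len("/Users"):].strip("/") or None
        if method == "GET" and user_id is None:  # Get Users / Get User With UserName Filter
            users = list(self.users.values())
            flt = parse_qs(parts.query).get("filter", [None])[0]
            if flt:
                m = re.fullmatch(r'userName eq "([^"]+)"', flt)
                if not m:
                    return 400, {"detail": "only userName eq filters are supported"}
                users = [u for u in users if u["userName"].lower() == m.group(1).lower()]
            return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(users), "Resources": users}
        if method == "POST" and user_id is None:  # Create User
            if not body or not body.get("userName"):
                return 400, {"detail": "userName is required"}
            if any(u["userName"].lower() == body["userName"].lower() for u in self.users.values()):
                return 409, {"detail": "userName already exists"}
            user = {**body, "id": str(self.next_id), "active": bool(body.get("active", True))}
            self.users[user["id"]], self.next_id = user, self.next_id + 1
            return 201, user
        user = self.users.get(user_id)
        if user is None:
            return 404, {"detail": "user %s not found" % user_id}
        if method == "GET":  # Get User By ID
            return 200, user
        if method == "PUT":  # Update User: full replace, id preserved
            user = self.users[user_id] = {**(body or {}), "id": user_id}
            return 200, user
        if method == "PATCH":  # De-Activate/Activate User
            for op in (body or {}).get("Operations", []):
                if op.get("op", "").lower() == "replace" and op.get("path") == "active":
                    user["active"] = str(op.get("value")).lower() == "true"
            return 200, user
        if method == "DELETE":  # a OneLogin delete only deactivates the MangoApps user
            user["active"] = False
            return 204, None
        return 405, {"detail": "method not allowed"}
```

Connector Logs (below) would record exactly these request and response payloads, so the status codes here are the ones worth recognising when troubleshooting a failed sync.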

Users

Go to the Users Tab.

  1. Open any user’s profile.

  2. An admin can approve a user’s request to create an account in MangoApps through SCIM.

  3. All users provisioned via OneLogin over SAML/SCIM will be network users.

  4. Users cannot be permanently deleted from MangoApps via SCIM, they can only be deactivated.

  5. When creating a new user, if any profile field value is invalid, all profile fields are dropped.

Connector Logs

  1. Connector logs in the admin portal capture the request and response payloads for the SCIM APIs.

  2. Admins can view and export these connector logs for troubleshooting and analysis.

Add SSO Connection

This section describes the steps to configure SSO for MangoApps using an IDP.

Log in to the MangoApps Admin portal. Click on SSO, then click on SAML (under Connections). Click ‘Add SSO Connection’.

  1. Select from a list of well-known IDPs.

  2. Confirm the Application label. You can edit the default label.

  3. (Optional) JIT (just-in-time provisioning) can dynamically create user accounts for IDP-authenticated users when they access MangoApps for the first time. For example, with a just-in-time provisioning solution in place, when John accesses Mango's website for the first time, the SAML-based federated single sign-on process automatically creates John Doe's account and grants access to his requested resources.

  4. Use the IDP-provided metadata URL/file to simplify the configuration process. The metadata prepopulates IDP information such as the EntityID, the endpoints (Single Sign On Service Endpoint, Single Logout Service Endpoint), the public X.509 certificate and the NameId Format. It can be read from a URL or alternatively uploaded as a file.

  5. Choose ‘Configure manually’ if the IDP Metadata isn’t available.

  6. Enter the Entity ID/Issuer URL from the IDP side. An entity ID is a globally unique name for a SAML entity.

  7. Copy the ACS URL and configure it on the IDP. The ACS here is the MangoApps (service provider) endpoint URL that is responsible for receiving and parsing a SAML assertion.

  8. Enter the SSO URL from the IDP, to which users are redirected for authentication requests.

  9. Enter a logout URL where users will be redirected after signing off from MangoApps.

  10. Select a ‘User Identifier’ as one of ‘Email’, ‘samAccountName’ or ‘EmployeeID’.

  11. Paste the X.509 certificate from the IDP.
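Steps 4 and 11 above, and the metadata paragraph in the OneLogin configuration section, describe what an IDP metadata file prepopulates. The following is an added example, not MangoApps or OneLogin code, that pulls exactly those fields out of a SAML 2.0 metadata document; the sample metadata is constructed with placeholder values (not a real tenant or certificate), and the function and dictionary key names are assumptions.

```python
import base64
from xml.etree import ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample IDP metadata in the shape an IDP download has; all values are placeholders.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://app.onelogin.example/saml/metadata/EXAMPLE-APP-ID">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
        <ds:X509Certificate>MIIBEXAMPLECERT0</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://app.onelogin.example/trust/saml2/http-redirect/slo/EXAMPLE-APP-ID"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://app.onelogin.example/trust/saml2/http-post/sso/EXAMPLE-APP-ID"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://app.onelogin.example/trust/saml2/http-redirect/sso/EXAMPLE-APP-ID"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_idp_metadata(xml_text, binding=HTTP_REDIRECT):
    # Returns the fields a metadata upload prepopulates: EntityID, SSO/SLO endpoints, cert, NameID format.
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        raise ValueError("document is not SAML 2.0 IDP metadata")

    def endpoint(element_name):
        # An IDP usually lists one endpoint per binding; pick the one the SP will use.
        for svc in idp.findall("md:" + element_name, NS):
            if svc.get("Binding") == binding:
                return svc.get("Location")
        return None

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # only signing keys verify assertions
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                cert = "".join((c.text or "").split())  # drop PEM-style line breaks
                base64.b64decode(cert, validate=True)  # reject truncated or non-base64 certificates early
                certs.append(cert)
    if not certs:
        raise ValueError("metadata carries no signing certificate")
    nid = idp.find("md:NameIDFormat", NS)
    return {
        "entity_id": root.get("entityID"),
        "sso_url": endpoint("SingleSignOnService"),
        "slo_url": endpoint("SingleLogoutService"),
        "name_id_format": nid.text.strip() if nid is not None and nid.text else None,
        "certificates": certs,
    }
```

If the IDP publishes several signing certificates (for example during a key rollover), all of them are returned, so the SP should accept assertions signed by any of them until the old one is removed from the metadata.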

Configure User Mapping

Configuring user mappings to sync user profiles via SAML supports two options:

  • SAML based provisioning

  • SAML based provisioning with SCIM

SAML based provisioning

  • Here, user provisioning and user profile sync happen when the user logs in to MangoApps successfully for the first time using SSO with OneLogin.

  • On every subsequent successful login, the user profile in MangoApps is also synced with OneLogin.

SAML based provisioning with SCIM

  • Here, user provisioning and user profile sync happen ahead of time via the SCIM APIs integration.

  • User profiles in MangoApps are kept in sync in real time with OneLogin via SCIM APIs.

Steps:

Go to the MangoApps Admin Portal and click SSO > CONNECTION > SAML > SAML IDP (OneLogin) > Configure User Mapping.

Select ‘Sync user profile with SAML provisioning with SCIM’.

SCIM Base URL: Copy the URL and enter it in the API Connection SCIM Base tab (OneLogin).

SCIM Bearer Token: Copy the token and enter it in the API Connection SCIM Bearer Token tab (OneLogin).

SCIM User Parameter Mapping: Define the users’ profile mapping by entering their Email, Emp Id, Full Name, First Name, Last Name and so on, then click Save.

Click View Enterprise User Schema and copy the JSON. The Enterprise schema with custom field mappings is available to copy from MangoApps to OneLogin.

Note: Every time a new attribute mapping is added in MangoApps, you need to re-copy the JSON, paste it into the OneLogin configuration and save it.
