SCIM Setup for OneLogin
Overview
SCIM (System for Cross-Domain Identity Management) is a modern open standard for automating user provisioning and lifecycle management. MangoApps supports SCIM integration with OneLogin via SAML, allowing you to seamlessly synchronize user data between OneLogin and MangoApps. This ensures efficient identity management with automatic user creation, updates, and deactivation based on changes made in OneLogin.
Required Roles
The configuration process requires administrative privileges on both the OneLogin and MangoApps platforms. These permissions are necessary for creating apps, managing SSO connections, configuring API integrations, and performing testing.
OneLogin: Administrator access to the OneLogin Admin Portal.
MangoApps: Administrator access to the MangoApps Admin Portal with permission to configure SSO, SCIM, and user provisioning settings.
Setup in OneLogin
To start, we will create an application in OneLogin to provision users via SCIM and authenticate them via SAML. This includes setting up the SCIM connector, enabling the API connection, and configuring user provisioning rules.
Steps
Log into the OneLogin Admin Portal.
From here, navigate to Applications and click the Add App button located in the top right of the page.
In the Search box, enter "SCIM" in the field. Select the required version of SCIM from the list:
SCIM Provisioner with SAML (Scheme v2 Core)
SCIM Provisioner with SAML (Scheme v2 Enterprises)
Clicking your selection will take you to the Configuration menu.
In this menu, create a profile by entering the name of the SAML IDP (Identity Provider) in the Display Name field. Then, upload an and add a description; these are optional. Once complete, click Save.
Once the profile is created, we will enter the Application details in the Configuration tab within the profile.
Enter the SAML Audience URL and SAML Consumer URL from MangoApps.
Click the More Actions button in the top right of the page and select SAML Metadata to download the metadata for the integration.
You can use the metadata URL or file provided by the Identity Provider (IDP) to simplify the configuration process in MangoApps. It automatically populates key IDP details such as Entity ID, endpoints (Single Sign-On and Single Logout service URLs), public X.509 certificate, and NameID format.
Upload this metadata file to MangoApps OneLogin connector, which will first need to be created in the MangoApps admin portal.
Enable API Connection
To enable the API Connection from the Configuration menu.
Enter the SCIM Base URL from MangoApps.
Copy the Enterprise User Schema JSON from MangoApps.
Configure the SCIM Bearer Token.
These can be found below in the MangoApps user mapping configurations section.
Finally, enable API access.
Setup in MangoApps
MangoApps must be configured to receive and process SCIM API requests from OneLogin, enabling automatic provisioning and synchronization of user data.
Steps
Log into the MangoApps Admin Portal and navigate to SSO > Connections and click the SAML tab. Click the Add SSO Connection button in the top right.
In the pop-up menu that appears, select OneLogin from the dropdown to begin configuration using metadata, or scroll down to the Configure Manually section to set up the connection manually.
Create a Name for the connection as it will appear in the SAML connections list in MangoApps.
The "JIT user provisioning" and "Remember user" features are optional. By default, these will be toggled OFF.
JIT has the ability to dynamically create user accounts for IDP authenticated users when they access MangoApps for the first time.
For example, with a just-in-time provisioning solution in place, when a user, John Doe, accesses your MangoApps' domain for the first time, the SAML-based federated single sign-on process automatically creates John Doe's account and grants access to his requested resources.
Next, input/attach the IDP provided metadata URL/File to simplify the configuration process. The metadata prepopulates IDP information like: EntityID, Endpoints (Single Sign On Service Endpoint, Single Logout Service Endpoint), public X.509 cert, NameId Format. It can be read from URL or alternatively uploaded as a file.
If the metadata is unavailable, you will need to configure the connection manually by clicking the Configure Manually dropdown carat to access additional fields.
Enter the Issuer URL/Entity ID (HTTPS), ACS URL(HTTPS), SAML 2.0 Endpoint/SSO URL(HTTPS), Remote Logout URL(HTTPS), choose your Authentication Method, and input your x509 Certificate from OneLogin. These fields are mandatory and must be entered to complete the connection.
Once configured, click Save.
Configure User Mapping
OneLogin will now appear in the SAML configuration list (unless you have customized the connection name, then that name will appear in the list instead). The next step is to Configure User Mappings.
Click the option next to the OneLogin entry to access the User Mappings pop-up menu.
From the dropdown menu, select SAML based provisioning with SCIM. Once selected, additional menu options will appear.
Copy the SCIM Base URL and SCIM earer Token. These will be used when setting up the OneLogin API.
Click the SCIM User Parameters Mapping down carat to set up users’ profiles by entering their Email, Emp Id, Full Name, First Name, Last Name, etc. in the provided fields. Make sure to click Save!
Once complete, click the View Enterprise User Schema button and copy the Enterprise Schema JSON. This will also be used when connecting the API.
Each time a new attribute mapping is added in MangoApps, you must re-copy the updated JSON file and apply it to your OneLogin configuration.
Save the configuration.
Testing Considerations
Proper testing helps confirm that user provisioning and de-provisioning are working as expected, reducing potential disruptions during rollout.
Recommendations:
Test with a small group of users.
Validate the creation, update, and deactivation of users.
Monitor logs in MangoApps for API calls and payloads.
Confirm user profile field mappings are accurate and complete.
Ensure error handling is visible and understandable for troubleshooting.
Security Considerations
Maintaining secure authentication and user data exchange is critical in SCIM integrations.
Best Practices:
Use secure bearer tokens and rotate them periodically.
Restrict SCIM access in OneLogin to trusted administrators only.
Upload IDP metadata securely to avoid configuration errors.
Validate certificates (x509) during the SSO setup.
Monitor connector logs for unauthorized or failed attempts.
End User Experience
While most of the SCIM functionality operates in the background, end users benefit from seamless access and up-to-date profile information without needing to take any action.
Key Points:
Users are automatically created or updated in MangoApps based on OneLogin changes.
Deactivated users lose access immediately, improving security.
All users created via SCIM will be network users in MangoApps.
Just-In-Time (JIT) provisioning can supplement SCIM for dynamic account creation upon login.
Invalid profile values during creation will result in the entire user profile being dropped.
Rollout Recommendations
Careful planning is crucial to ensure a smooth deployment of SCIM provisioning across your organization. Once testing is successful, you can gradually roll out SCIM provisioning to the broader organization with minimal disruption.
Suggested Rollout Plan:
Pilot Phase – Start with a few departments to identify any configuration or mapping issues.
Training & Documentation – Educate admins and support staff on SCIM behavior and troubleshooting.
Full Deployment – Enable SCIM provisioning for all users.
Monitoring – Continuously monitor logs and performance metrics.
Periodic Reviews – Revisit schema mappings and token validity regularly.
Last updated