OneLogin SCIM provisioning
Info: This is a Kisi-built integration, maintained and supported by Kisi.
Before you start, make sure you have SSO set up for your organization. Then just follow the next steps to generate a SCIM token and enable SCIM for your organization.
Generate your SCIM token in Kisi
- Sign in to Kisi as the organization owner
- Under Settings click on SSO & SCIM
- Enable SCIM and click on Generate Token
- Copy the token (shown once)
Set up SCIM with OneLogin
- Sign in to OneLogin
- Select Applications in the main navigation, and click Add App
- Search for SCIM and click on SCIM Provisioner with SAML (SCIM v2 Core)
- Change the Display Name (optional), and click Save
- Once saved, the page will reload and you should see additional sections in the left-hand side menu. Click on Configuration
- Under API Connection, fill out the following:
  - SCIM Base URL: https://api.kisi.io/scim/v2
  - Custom Headers: add Accept: application/json and Content-Type: application/json
  - SCIM Bearer Token: paste the SCIM Token that you generated in Kisi
- Click Enable to enable the API Status
- Click Save
- From the side menu, open Parameters
- Ensure that SCIM Username maps to Email (you can edit these values by clicking on the row with the SCIM Username). A pop-up window will appear, under Value select Email. Click Save.
- Next, click on the blue add (+) sign to add a custom field
- In the new pop-up, enter name : givenName in the field name and tick Include in User Provisioning. Click Save.
- Select First Name as the value from the dropdown menu. Click Save.
- Create another custom field and enter name : familyName in the field name and tick Include in User Provisioning. Click Save.
- Select Last Name as the value from the dropdown menu. Click Save.
- Once done, you will be back on the Parameters page. Click Save at the top right-hand corner.
- Navigate to Provisioning
- Under Workflow, check Enable provisioning
Note: By default, OneLogin will create provisioning tasks that will require admin approval whenever you create, delete or update a user (available at Activity > Events). If you’d rather approve all tasks automatically, you can check off those options under Require admin approval before this action is performed.
- There are two more options here:
  - When users are deleted in OneLogin, or the user’s app access is removed, perform the below action, and
  - When user accounts are suspended in OneLogin, perform the following action.
  Here, you have the following options:
  - Delete: this will remove the user from the Kisi system
  - Suspend: this will deactivate the user. They’ll still be able to log in and see places, groups and other resources they had access to before, but they won’t be able to open any of the locks.
- Navigate to Access > Roles and choose a role. All users with that role will be provisioned. You can select multiple roles. With no role selected, none of the users will be provisioned.
- Click Save when complete
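To sanity-check the API Connection and Parameters settings above, the following Python (an added example, not Kisi's or OneLogin's code) builds the headers and the SCIM User payload the mapping should yield, masks the bearer token for logging, and reports mapping problems without sending anything. Assumptions: the `/Users` path and the schema URN come from the SCIM 2.0 RFCs (7643/7644), the exact request OneLogin sends may differ, and all function names and sample values are constructed for illustration.

```python
import re

SCIM_BASE_URL = "https://api.kisi.io/scim/v2"  # from the API Connection step
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_headers(token):
    """Custom headers from the API Connection step, plus the bearer token."""
    if not token or token != token.strip():
        raise ValueError("SCIM token is empty or has stray whitespace")
    return {
        "Accept": "application/json",
        "Content-Type": "application/json",
        "Authorization": f"Bearer {token}",
    }


def redact(headers):
    """Copy of the headers that is safe to log: the token is masked."""
    return {**headers, "Authorization": "Bearer ***redacted***"}


def build_create_user(email, first_name, last_name):
    """SCIM User: Email -> userName, First/Last Name -> givenName/familyName."""
    return {
        "schemas": [USER_SCHEMA],
        "userName": email,
        "name": {"givenName": first_name, "familyName": last_name},
    }


def mapping_errors(user):
    """Return the mapping problems in a SCIM User payload (empty list = OK)."""
    errors = []
    if USER_SCHEMA not in user.get("schemas", []):
        errors.append("missing core User schema")
    if not EMAIL_RE.match(user.get("userName") or ""):
        errors.append("userName is not an email address")
    for key in ("givenName", "familyName"):
        if not (user.get("name") or {}).get(key):
            errors.append(f"name.{key} is empty")
    return errors


if __name__ == "__main__":
    # Constructed sample values, not real credentials or users.
    user = build_create_user("ada@example.com", "Ada", "Lovelace")
    print(redact(build_headers("example-token")), user, mapping_errors(user))
```

Because the Kisi token is shown only once and grants provisioning rights, log only the output of `redact()` and keep the token itself in a secrets store.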