How do I set up SCIM provisioning with OneLogin?

SCIM automates user account creation, updates, and deactivation in Siit based on your OneLogin directory. This guide shows you how to connect OneLogin to Siit using SCIM.

Before you begin:

  • Your Siit workspace must be on the Pro plan
  • You need OneLogin admin permissions
  • Identify which OneLogin roles should map to Siit permissions

Step 1: Create or open your Siit application in OneLogin

If you don't have a Siit app yet:

  1. Log in to the OneLogin Admin Console
  2. Go to Applications → Applications
  3. Click Add App
  4. Search for SCIM Provisioner with SAML (SCIM v2 Core)
  5. Select it


Step 2: Get SCIM credentials from Siit

  1. Log in to Siit and go to Settings → Security → SCIM
  2. You'll see two values:
    • SCIM URL (e.g., https://back.siit.io/scim_v2)
    • SCIM Token (starts with TOKEN_FROM_SIIT)
  3. Keep this page open for the next step

 


Step 3: Connect OneLogin to Siit

  1. In your OneLogin Siit application, click the Configuration tab
  2. Scroll to API Connection
  3. Set API Status to Enabled
  4. Paste the SCIM Base URL from Siit
  5. Leave the Custom Headers field (if present) empty
  6. Paste the SCIM Bearer Token from Siit
  7. Click Save

OneLogin will test the connection. If successful, you'll see a confirmation.


Step 4: Enable provisioning (with approvals first)

  1. Click the Provisioning tab
  2. Check Enable provisioning
  3. Under Workflow, enable all three actions:
    • ☑️ Create user
    • ☑️ Delete user
    • ☑️ Update user
  4. Important: Leave Require admin approval before this action is performed checked for all three options (for now)
    • This prevents automatic provisioning until you finish setup
  5. Set deprovisioning behavior:
    • When users are deleted in OneLogin: Select Delete
    • When user accounts are suspended in OneLogin: Select Suspend
  6. Click Save


Step 5: Configure the username parameter

  1. Click the Parameters tab
  2. Find scimusername in the list and click on it
  3. Set Value to Email
  4. Click Save

This ensures Siit uses email addresses as usernames.


Step 6: Enable group synchronization

  1. Still in the Parameters tab, find the Groups parameter
  2. Click on it to edit
  3. Check Include in User Provisioning
  4. Click Save

This allows OneLogin roles to sync to Siit as role assignments.


Step 7: Create a role mapping rule

  1. Click the Rules tab
  2. Click Add Rule
  3. Configure the rule:
    • Name: Sync Groups (or any name you prefer)
    • Conditions: Leave empty (this applies to all users)
    • Actions:
      • Click Set Groups in Siit
      • Select Map from OneLogin
      • Set the condition: For each role with value that matches siit-.*

About the pattern:

  • siit-.* matches roles starting with "siit-" (e.g., siit-admin, siit-support)
  • Adjust this pattern to match your OneLogin role naming convention
  • Examples:
    • Siit-.* for roles like Siit-Admin, Siit-Support
    • support-.* for roles like support-admin, support-agent

  4. Click Save

Step 8: Prepare matching roles in Siit

Before approving users, create matching roles in Siit:

  1. In Siit, go to Settings → Roles
  2. For each OneLogin role that matches your pattern (e.g., siit-admin, siit-support):
    • Create a role in Siit with the matching name (e.g., admin, support)
    • The name must match exactly (case-sensitive), excluding the prefix pattern
  3. Configure permissions for each role

Example mapping:

  • OneLogin role: siit-admin → Siit role: admin
  • OneLogin role: siit-support → Siit role: support
  • OneLogin role: siit-viewer → Siit role: viewer
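
A dry run of the Step 7 pattern and the Step 8 naming rule against a role list, as an added example (not Siit or OneLogin code). It assumes the pattern must match the whole role name, case-sensitively, and that the Siit role name is the OneLogin role name minus the literal prefix; `plan_role_sync` and both role lists are constructed for illustration.

```python
import re

# Constructed sample data: replace with your own role names.
ONELOGIN_ROLES = ["siit-admin", "siit-support", "Siit-Viewer", "siit-Viewer",
                  "siit-billing", "support-agent", "siit-"]
SIIT_ROLES = ["admin", "support", "viewer"]


def plan_role_sync(onelogin_roles, pattern, prefix, siit_roles):
    """Return (onelogin_role, expected_siit_role, status) for each matched role.

    Assumptions (not confirmed by the guide): whole-name, case-sensitive
    regex matching, and prefix stripping to derive the Siit role name.
    """
    rx = re.compile(pattern)
    existing = set(siit_roles)
    by_lower = {r.lower(): r for r in siit_roles}
    plan = []
    for role in onelogin_roles:
        if not rx.fullmatch(role):
            continue  # role is outside the rule and will not be synced
        target = role[len(prefix):] if role.startswith(prefix) else ""
        if not target:
            status = "no usable Siit role name"
        elif target in existing:
            status = "ok"
        elif target.lower() in by_lower:
            # Step 8 requires an exact, case-sensitive name match.
            status = f"case mismatch with Siit role '{by_lower[target.lower()]}'"
        else:
            status = "missing in Siit"
        plan.append((role, target, status))
    return plan


if __name__ == "__main__":
    for role, target, status in plan_role_sync(
            ONELOGIN_ROLES, r"siit-.*", "siit-", SIIT_ROLES):
        print(f"{role!r:16} -> {target!r:10} {status}")
```

Any row that is not `ok` is a role to create or rename in Siit, or a sign the pattern is broader than intended, before approvals are removed in Step 9.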

Step 9: Remove approval requirements (optional)

Once you're confident in your setup, you can enable automatic provisioning:

  1. Return to the Provisioning tab
  2. Under Require admin approval before this action is performed:
    • Uncheck the boxes for Create user, Delete user, and Update user
    • This allows automatic provisioning without manual approval
  3. Click Save

Note: You can leave approvals enabled if you prefer manual control over provisioning.


Step 10: Approve pending users

  1. Click the Users tab in your Siit application
  2. You'll see users with Pending provisioning status
  3. Click on Pending
  4. Click Bulk approve X pending login for the same app
  5. Confirm the approval

Users will be created in Siit within a few minutes.


Step 11: Verify and assign new users

To verify successful provisioning:

  1. In Siit, go to Settings → Team
  2. Check that the users appear in the team list
  3. Verify their roles match their OneLogin role assignments

To assign the Siit app to new users:

  1. In OneLogin, go to Users → All Users
  2. Select a user
  3. Click Applications
  4. Click + and select your Siit application
  5. The user will be automatically created in Siit (if auto-provisioning is enabled)