Provisioning is a key component of Identity Lifecycle Management in OneLogin that makes it easy to create, update, and delete users in the applications that your organization uses. This means that you can quickly add new users to multiple apps and de-provision users from those apps instantly when they change roles or leave your organization. This article provides a high-level overview of user provisioning and explores concepts that are applied throughout the provisioning process and in app-specific provisioning instructions.
In a basic provisioning workflow, you add an app to a OneLogin role and map OneLogin attributes or entitlements like Email, AD user name, Title, or License level to analogous app attributes. Then whenever a new user is added to that role, they're created in the app, and whenever their OneLogin attributes change, they're updated in the app as well.
For example, you might map the Department attribute "Sales" in OneLogin to "Sales and Marketing" in an app's Group attribute. Whenever a user in the "Sales" Department in OneLogin is added to a role that includes the app, they're provisioned to the app as a member of the app's "Sales and Marketing" Group. If their OneLogin Department is later changed, OneLogin's provisioning engine updates the user's Group in the app accordingly.
When it's time to de-provision a user from their apps, you simply disable the user in either OneLogin or a third-party directory like Active Directory, and the user's accounts in all OneLogin-managed apps will be deleted or suspended, depending on your settings.
Not all apps support provisioning through OneLogin, but OneLogin supports SCIM (System for Cross-domain Identity Management), a provisioning standard that provides full support for creating, deleting, and updating users in any cloud or on-prem app.
To find out which apps support SCIM provisioning or to request that an app support SCIM, contact email@example.com.
For more information about developing a SCIM-enabled app, see Dev Overview of SCIM.
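To make the SCIM lifecycle concrete, here is an added example (not OneLogin's code and not the SCIM connector of any real app) of a minimal in-memory SCIM 2.0 /Users resource, written as a pure request handler so it can be exercised without an HTTP server. It models the three operations a provisioning engine issues: create (POST /Users), update (PATCH /Users/{id}, including active=false to suspend) and delete (DELETE /Users/{id}). The bearer token, user IDs and the example user are constructed; the schema URNs and scimType values are the ones defined in RFC 7643/7644. Every call is authenticated before anything else, so a stale or wrong token produces the 401 "Invalid authentication" failure that the provisioning status view reports.

```python
"""Minimal SCIM 2.0 /Users handler (constructed example, not OneLogin's code)."""
import json
import uuid

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"


def scim_error(status, detail, scim_type=None):
    """Build a SCIM error body (RFC 7644 section 3.12)."""
    body = {"schemas": [SCIM_ERROR], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return body


class ScimUserStore:
    """In-memory /Users resource protected by a single bearer token."""

    def __init__(self, bearer_token):
        self._token = bearer_token  # assumed: issued when the API connection is enabled
        self.users = {}             # id -> SCIM user resource

    def handle(self, method, path, headers, body=None):
        """Dispatch one request; returns (status_code, response_body_or_None)."""
        # Authentication comes first: a wrong or expired token is the
        # "Invalid authentication" failure shown in the provisioning status view.
        if headers.get("Authorization") != f"Bearer {self._token}":
            return 401, scim_error(401, "Invalid authentication")
        body = body or {}
        parts = path.strip("/").split("/")
        if parts[0] != "Users":
            return 404, scim_error(404, "Not found")
        if method == "POST" and len(parts) == 1:
            return self._create(body)
        if len(parts) == 2:
            user = self.users.get(parts[1])
            if user is None:
                return 404, scim_error(404, f"User {parts[1]} not found")
            if method == "GET":
                return 200, user
            if method == "PATCH":
                return self._patch(user, body)
            if method == "DELETE":          # hard deprovision
                del self.users[parts[1]]
                return 204, None
        return 405, scim_error(405, "Method not allowed")

    def _create(self, body):
        if SCIM_USER not in body.get("schemas", []) or not body.get("userName"):
            return 400, scim_error(400, "schemas and userName are required", "invalidValue")
        if any(u["userName"] == body["userName"] for u in self.users.values()):
            return 409, scim_error(409, "userName already exists", "uniqueness")
        user = {
            "schemas": [SCIM_USER],
            "id": str(uuid.uuid4()),
            "userName": body["userName"],
            "name": body.get("name", {}),
            "emails": body.get("emails", []),
            "title": body.get("title"),
            "active": bool(body.get("active", True)),
        }
        self.users[user["id"]] = user
        return 201, user

    def _patch(self, user, body):
        if SCIM_PATCH not in body.get("schemas", []):
            return 400, scim_error(400, "PatchOp schema required", "invalidSyntax")
        for op in body.get("Operations", []):
            if str(op.get("op", "")).lower() != "replace":
                return 400, scim_error(400, "only 'replace' is modelled here", "invalidValue")
            if op.get("path"):      # e.g. path="active", value=false suspends the account
                user[op["path"]] = op["value"]
            else:                   # no path: value is a partial resource to merge
                user.update(op["value"])
        return 200, user


if __name__ == "__main__":
    store = ScimUserStore("constructed-token")
    auth = {"Authorization": "Bearer constructed-token"}
    status, alice = store.handle("POST", "/Users", auth,
                                 {"schemas": [SCIM_USER], "userName": "alice@example.com"})
    print(status, json.dumps(alice, indent=2))
    print(store.handle("PATCH", f"/Users/{alice['id']}", auth,
                       {"schemas": [SCIM_PATCH],
                        "Operations": [{"op": "replace", "path": "active", "value": False}]}))
    print(store.handle("POST", "/Users", {"Authorization": "Bearer stale"}, {}))
```

Suspend versus delete maps directly onto the "what should happen when user accounts are suspended or deleted" provisioning setting: a PATCH setting active to false keeps the record (and its audit trail) while blocking login, whereas DELETE removes it outright.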
Unless stated otherwise, OneLogin user provisioning refers to user provisioning performed via an API connection. However, as an alternative to API-based provisioning, some apps in OneLogin provide SAML-based "just-in-time" (JIT) provisioning. With JIT provisioning, instead of creating user accounts in apps manually or using an API connection, the first time a user logs in to an app via OneLogin SAML SSO, the app takes user information in the SAML assertion and creates the user's app account on the fly.
For example, when a user without an account in Docker Hub logs in to Docker Hub via OneLogin SAML SSO for the first time, a new Docker Hub user account is immediately created for them.
However, while API-based provisioning can keep user information between OneLogin and the app in sync beyond the initial user account creation, JIT provisioning only works to create the initial user account and does not stay synced with OneLogin beyond that point.
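The contrast between JIT and API-based provisioning is easiest to see in code. The following added example (not OneLogin's or Docker Hub's code) models a service provider that creates an account from the attributes in a SAML assertion on first login and then, as the paragraph above describes, never touches it again; a separate api_update method stands in for what an API-based connector would do instead. The assertion format is the SAML 2.0 assertion namespace; the attribute names, the sample user and the unsigned test assertion are constructed, and signature and audience validation are assumed to have happened before the assertion reaches this code.

```python
"""JIT provisioning from a SAML assertion (constructed example, not OneLogin's code)."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def parse_assertion(xml_text):
    """Return (name_id, {attribute_name: [values]}) from an assertion.

    Assumed: the XML signature, audience and validity window were already
    verified by the SAML library; this function only reads the attributes.
    """
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS).text.strip()
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    return name_id, attrs


class JitApp:
    """Service provider whose only provisioning path is the SAML login itself."""

    def __init__(self):
        self.accounts = {}  # name_id -> account record

    def login(self, assertion_xml):
        name_id, attrs = parse_assertion(assertion_xml)
        if name_id not in self.accounts:
            # First login: the account is created on the fly from the assertion.
            self.accounts[name_id] = {
                "email": name_id,
                "first_name": attrs.get("FirstName", [""])[0],
                "department": attrs.get("Department", [""])[0],
                "active": True,
                "created_by": "jit",
            }
            return "created", self.accounts[name_id]
        # Later logins only authenticate; changed attributes are not re-synced,
        # and a user removed from the role keeps this account until someone
        # deletes it out of band.
        return "existing", self.accounts[name_id]

    def api_update(self, name_id, changes):
        """What an API-based connector does instead: push every change."""
        self.accounts[name_id].update(changes)
        return self.accounts[name_id]


def build_assertion(name_id, first_name, department):
    """Constructed, unsigned assertion for the demonstration only."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>{first_name}</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Department"><saml:AttributeValue>{department}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


if __name__ == "__main__":
    app = JitApp()
    print(app.login(build_assertion("alice@example.com", "Alice", "Sales")))
    # The department changed in the directory, but JIT leaves the app stale:
    print(app.login(build_assertion("alice@example.com", "Alice", "Support")))
    print(app.api_update("alice@example.com", {"department": "Support"}))
```

The second login returns the account with its original department, which is exactly the drift that API-based provisioning avoids; the same gap applies to de-provisioning, since a JIT-only app is never told that the user was disabled.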
Enabling Basic Provisioning
These steps are typical for the majority of apps in OneLogin, but specific app configurations may vary. Consult the app's own documentation and OneLogin's app-specific documentation for details.
Add the app to OneLogin and configure it for SSO.
Go to Configuration in the app connector in OneLogin. Under API Connection, enter your admin username and password for the app and click Enable to allow OneLogin to connect to the app's API.
Go to Provisioning and check Enable provisioning. Decide which actions you want to require admin approval and what you want to happen when user accounts are suspended or deleted in OneLogin, and adjust your settings accordingly.
Save your changes. OneLogin will now be able to provision users to the app.
Enabling Entitlement Provisioning
Entitlement provisioning is not available for all applications. If the following options don't appear in OneLogin, the app does not currently support provisioning entitlements. Contact the app developers for more information.
After enabling basic provisioning, return to Configuration. Enter your organization's domain and check the box for Provision Entitlements.
Return to Provisioning and click Refresh under Entitlements to import the entitlement values from the app to OneLogin.
The specific attributes available will vary by application. Consult the app's own documentation and OneLogin's app-specific documentation for details.
Go to Parameters and verify that Configured by admin is selected. Select an existing parameter to edit its mapping, or click + to map a new parameter.
Enter the name of the attribute you want to map to OneLogin exactly as it appears in the application and click Save.
In the Value dropdown menu, select the OneLogin attribute that you want to map to the application. Click Save.
After creating and mapping all parameters you wish to use, create any rules you wish to fine-tune the groups of users who receive given attributes in the app.
Some parameters configured by the application may appear as a boolean type.
Rather than associating with a specific attribute, these fields offer a simple checkbox to select or deselect.
In this example, the Is Admin attribute is set to False to ensure that all users are marked as not administrators by default unless overridden manually or by a rule.
To allow a parameter to contain multiple values, select Multi-value parameter during its creation.
It appears in the Parameters list as the multi_select type and permits you to search for and select values to include in its Added Items.
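The mapping behaviour described in this section (a static attribute mapping with a value translation such as Department "Sales" to Group "Sales and Marketing", a boolean parameter that defaults to False unless a rule overrides it, a multi-value parameter, and rules that fine-tune which users receive which values) can be modelled in a few dozen lines. The example below is added here and is not OneLogin's provisioning engine; the parameter names, the rule format, the licence values and the sample users are all constructed. It also shows the diff an engine would have to push after a OneLogin attribute changes, which is the "update" half of the lifecycle.

```python
"""Attribute and entitlement mapping with rules (constructed example, not OneLogin's engine)."""

# Static parameter mappings: app attribute -> how to derive it (constructed names).
PARAMETERS = {
    "email":    {"source": "email"},
    "group":    {"source": "department",
                 "transform": {"Sales": "Sales and Marketing"}},
    "isAdmin":  {"type": "boolean", "default": False},      # unchecked by default
    "licenses": {"type": "multi_select", "default": []},    # multi-value parameter
}

# Rules are evaluated in order; "set" replaces a value, "add" appends to a multi-value one.
RULES = [
    {"when": {"title": "IT Administrator"}, "set": {"isAdmin": True}},
    {"when": {"department": "Sales"}, "add": {"licenses": ["crm-pro"]}},
    {"when": {"department": "Engineering"}, "add": {"licenses": ["ci-seat", "repo-seat"]}},
]


def rule_matches(rule, user):
    """A rule matches when every condition equals the user's OneLogin attribute."""
    return all(user.get(k) == v for k, v in rule["when"].items())


def build_app_payload(user, parameters=PARAMETERS, rules=RULES):
    """Compute the attributes the app should hold for this OneLogin user."""
    payload = {}
    for app_attr, spec in parameters.items():
        if spec.get("type") == "boolean":
            payload[app_attr] = spec.get("default", False)
        elif spec.get("type") == "multi_select":
            payload[app_attr] = list(spec.get("default", []))  # copy, never share the default
        else:
            value = user.get(spec["source"])
            payload[app_attr] = spec.get("transform", {}).get(value, value)
    for rule in rules:
        if not rule_matches(rule, user):
            continue
        payload.update(rule.get("set", {}))
        for attr, values in rule.get("add", {}).items():
            for v in values:
                if v not in payload[attr]:
                    payload[attr].append(v)
    return payload


def diff_payload(old, new):
    """Changes the engine must push after a OneLogin attribute changes."""
    return {k: (old.get(k), new[k]) for k in new if old.get(k) != new[k]}


if __name__ == "__main__":
    alice = {"email": "alice@example.com", "department": "Sales", "title": "Account Executive"}
    before = build_app_payload(alice)
    print(before)
    # Alice moves to Engineering: only the changed attributes are pushed.
    after = build_app_payload(dict(alice, department="Engineering"))
    print(diff_payload(before, after))
    print(build_app_payload({"email": "bob@example.com", "department": "IT",
                             "title": "IT Administrator"}))
```

Keeping privileged flags such as isAdmin at a False default and granting them only through an explicit rule means a user who merely changes department never picks up admin rights by accident, and the diff makes the resulting change visible for review before it reaches the app.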
Monitoring User Provisioning
To monitor the current status and event history of user provisioning events in OneLogin, go to Users > Provisioning. You can search for a particular user, select a specific app, or filter the events by their event status.
Tip: You can also monitor provisioning events for a specific app by going to Users in its app connector page in OneLogin, or for a specific user by going to Applications in their user settings page.
User Provisioning Statuses
This is the first step in the provisioning workflow if you opted to require manual admin approval for user provisioning. Click the status to approve or reject the provisioning event.
The user is currently in the process of being provisioned to the app.
The user is currently in the process of being modified or updated in the app.
The user was successfully provisioned to the app.
The user could not be provisioned to the app. Click the status to view the reason for failure, such as Invalid authentication, which often indicates that OneLogin's connection to the app's provisioning API needs to be refreshed or re-authenticated in the app connector's Configuration page.
The user is currently being deleted from the app.
This is likely caused by using the Disassociate login option on the app login for the user. To resolve this status, click the user's name and select Rematch login to match the user with the correct login information.