Configuring SCIM with OneLogin

Configuring SCIM 2.0 provisioning for 15Five

This guide provides the steps required to configure provisioning for 15Five, and includes the following sections:

• Features
• Prerequisites
• Configuration Steps
• Groups
• Troubleshooting Tips 

Features

Automatic User Provisioning is supported for the 15Five application.
This enables OneLogin to:

• Add new users to 15Five
• Update select fields in users’ profile information in 15Five
• Deactivate users in 15Five

The following provisioning features are supported:

• Push New Users
• New users created through OneLogin will also be created in 15Five.
• Push Profile Updates
• Updates made to the user's profile through OneLogin will be pushed to 15Five.
• Push User Deactivation
• Deactivating the user or disabling the user's access to the application through OneLogin will deactivate the user in 15Five.
• Import New Users
• New users created in the third party application will be downloaded and turned into new AppUser objects, for matching against existing OneLogin users.

Prerequisites

Before you configure provisioning in OneLogin...

1. Click on 'Settings' from the left navigation.

2. Then click on 'Features' to expand the feature settings.

3. Last, click on 'Integrations'.

4. Click on 'Enable' to the right of the SCIM 2.0 option.

5. Generate an Access Token.

Configuration Steps

Configure your Configuration settings for 15Five in OneLogin as follows:

• Under Apps > Add Apps, search for "15Five" and save a new application with the default configuration. 
• Within the new 15Five application, click on the "Configuration" tab.

Under Configuration > Application Details > Subdomain:

• Type the subdomain associated with your 15Five account. Usually, this subdomain will be “my”. If you have a custom subdomain with 15Five, replace “my” in the URL with your specific subdomain.

Under Configuration > API Connection:

• Enter the SCIM 2.0 Base Url found on this page. Typically, this URL will be the following: https://my.15five.com/scim/v2. Please be sure to remove the trailing slash if there is one. Ie. Please use https://my.15five.com/scim/v2 instead of https://my.15five.com/scim/v2/.
• Enter the SCIM Bearer Token found in 15Five on the page you found the SCIM 2.0 Base URL.
• Click the Enable button and check that your credentials were verified successfully. The API Status indicator will change to a green “Enabled” if the credentials were verified successfully.

Under Provisioning > Workflow:

• Ensure “Enable provisioning” is enabled.
• Ensure “When users are deleted in OneLogin, perform this action in 15Five” is set to “Delete”.

Please Note:

In order for updates of users in OneLogin to propagate down to 15Five, those users in 15Five must be known to OneLogin. Thus, after setting up SCIM it's important to:

1. Check that all the users who were in 15Five prior to setting up SCIM are added to the 15Five application in OneLogin. Once added to the 15Five application in OneLogin, users will be matched with their corresponding user in 15Five.

2. Navigate to the "Users" page in the OneLogin application and check that the "Provisioning State" for each user is listed as "provisioned". 

Emails

When giving 15Five access to a OneLogin user for the first time, a new user in 15Five will be created. If SSO is enabled for that user’s company in 15Five, that user will be sent a welcome email with a link to the SSO page at 15Five. If SSO is not enabled, that user will be sent a link to sign in and set their password.

Groups

Looking to have your 15Five groups managed via OneLogin? 

Groups created within OneLogin (at https://subdomain.onelogin.com/groups) cannot be pushed to 15Five. Instead, in order for user membership to be managed via SCIM, groups must be created in 15Five and imported into OneLogin.

First, add your group in 15Five at https://my.15five.com/group/list.

Below, we've added a group called Leadership.

Then, within OneLogin, navigate to the 15Five app and then to the Provisioning tab within that app. 

Under Entitlements, click the Refresh link. Clicking this link will import all of the groups available in 15Five into OneLogin. You will now be able to associate a user with a group within OneLogin and have that association propagated to 15Five via SCIM. 

To associate a group with a user, navigate to that user's profile in OneLogin, move the group from the "Available Values" section to the "Selected values" section, and click save. 

The user should now be a member of the group in 15Five. 

Group types

When a new group gets created and synced over via SCIM, that new group will go into the 'Groups' group type. In terms of attributes, the only thing 15Five will read from SCIM in regards to groups and group types is the group ID. After a group is appearing in 15Five, it will be up to the account admins to reorganize this group(s) to other group types as needed. Groups can be moved to a new group type (manually, via CSV, or via API) in 15Five and SCIM syncs will not override the group type because the group ID itself hasn't changed.

The jist: Group types within 15Five do not talk to SCIM. SCIM does not talk to 15Five about group types. SCIM only talks to 15Five from a group perspective (ie creating a group, naming a group, adding or removing members, deleting a group). The group type organization and maintenance is manually done in 15Five alone (ie creating a new group type, moving to a group type, enabling features per group type). 

Start Dates

Interested in having your users enter 15Five for the first time on a specific day? With 15Five Start Dates, you can send a date before which your users will not be able to log in to 15Five nor will they receive notifications. One the specified date, they will be sent an email notifying them that they can log in.

To send Start Dates to 15Five, follow these steps:

• Within OneLogin, click on the "Users" tab and then on the "Custom User Fields" tab.
• Click on "New User Field"
• Enter the following information for the new field:
  • Name: Start Date
  • Shortname: startDate
• Navigate to the 15Five integration within OneLogin. 
• Navigate to Parameters and click on Start Date under "Optional Parameters".
  • Change the start date parameter to use the value in the "Start Date (Custom)" user field. 
  • Ensure "Include in User Provisioning" is checked. 
  • Click Save.

Please note that you must add the start date to the user before assigning the user to 15Five for the first time. If a user is assigned to 15Five for the first time without a start date, it is assumed that the user should start immediately and a welcome email will be sent immediately.

Troubleshooting, Support, and FAQs

Manager/Reviewer not syncing?

Make sure that the manager exists within 15Five prior to provisioning any reporters for that manager. 15Five will ignore any manager assignments that include managers not present in 15Five.

Please note, for consistency reasons, manager updates are not performed during active Best-Self Reviews. 

Changing a username?

15Five depends on the uniqueness of a user’s email address. Therefore, provisioning will fail if a user’s userName is updated but their email address is not. Ensure these two values (userName and email) are the same and retry the provision if it has failed.

Users not updated when they should be? 

Sometimes users are not updated in 15Five to reflect the changes that have happened in OneLogin. Such a discrepancy can be due to a number of causes. A first attempt at correcting the issue can be removing and adding back the application from the user within OneLogin. If this does not resolve the issue, please reach out to support to our support team.

Bulk Syncing?

There is no way to sync users in bulk in OneLogin. You must remove and add back each user to the application in OneLogin.

Q: My user has a SCIM ID. Does that mean they were provisioned via SCIM?
A: No. All users are given a SCIM ID upon account creation regardless of whether or not they were provisioned via SCIM. Assigning these IDs helps 15Five stay consistent and organized. It's the value which is used to look up the user when a SCIM call comes in of the form /scim/v2/Users/<scim id>.

Q: We have data currently in 15Five, if we turn on SCIM provisioning do we risk having data deleted for people with existing data?
A: No, the data will not be deleted if the email addresses are the same. You will need to reimport all of your people so that SCIM will work with users that were active in 15Five prior to SCIM being enabled. Doing this does not affect check-ins, objectives, and other user-generated content.

Q: Can I sync employee timezones via SCIM?
A: Not at this time.

Q: If SCIM is on can I still add people on a one-off basis?
A: No, if SCIM is on you cannot manually add users via the 'Manage people' page or the team 15Five page. Importing new users via CSV is an option if SCIM is enabled for your organization. Please reach out to Support, your Implementation Specialist, or your Customer Success Manager to support you with this.

Q: Should we make groups in our IdP and then push them over to 15Five? If so, how do we pass over the group admin?
A: It is advisable to pass over the groups through an Identity Provider. However, there is no way to pass over a group admin. The field for group admin will be blank in 15Five. After you set up the groups between IdP and 15Five, you can add a group admin for each group.

Q: What is the frequency of SCIM uploads from our IdP to 15Five?
A: It’s an on-demand basis, i.e. you make a change and your IdP pushes it immediately to 15Five.

Have questions that need a human touch? 

This integration is built and supported by 15Five and our Support Team. Contact the 15Five Support Team at support@15five.com if any issues arise. Thanks!