You can use SCIM to onboard new employees into 15Five, as well as update and deactivate then by syncing directly from OneLogin to 15Five. This saves you lots of time and ensures that data is accurate and up to date for all your employees.
Typically customers enable both Single Sign-On (SSO) and SCIM together. See our article on SSO to see if the integration is the right fit for your company. If you want to set up SSO, be sure to set that up before you set up SCIM. If you are using SSO and SCIM together, SSO will only pass Email and Name ID. All other attributes will be updated by SCIM.
What you’ll find in this article:
- Features synced
- How to set up SCIM with OneLogin
- How to disconnect
- Troubleshooting and FAQs
Automatic User Provisioning is supported for the 15Five application.
The 15Five <> OneLogin integration allows you to:
- Add new people to 15Five. New people created through OneLogin will also be created in 15Five.
- Update select fields in people’s profile information in 15Five. Updates made to the individual's profile through OneLogin will be pushed to 15Five.
- Deactivate people in 15Five. Deactivating the individual or disabling the individual's access to the application through OneLogin will deactivate the person in 15Five.
- Import new people. New individuals created in the third-party application will be downloaded and turned into new AppUser objects, for matching against existing OneLogin users.
How to set up SCIM with OneLogin
Ready to set up the SCIM integration with OneLogin? Here are the steps to do so, with any tips you may need to know along the way.
If you want to use 15Five’s start date functionality, and the hire/start date in OneLogin is not the date you want the employee to get access to 15Five (ex. in the past), it is recommended that you first do a bulk import to bring all of your employees to 15Five, and turn off the ‘Start date’ option in 15Five’s SCIM settings. Since 15Five syncs the hire date from OneLogin, and can not accept a past Start date, this would be the best way to onboard your existing employees.
Set up SCIM with OneLogin
1. Set up SSO first if you will be using that integration too.
2. Click on the Settings menu at the upper right corner of your 15Five account and then click Features under 'ADMIN SETTINGS'.
3. Click on 'Integrations'.
4. Click on Enable to the right of the SCIM 2.0 option.
5. Generate an access token by clicking the Generate OAuth token. This page will show you all access tokens that have been generated, and who generated them.
6. Log into OneLogin and go to ‘Applications’, click on the 15Five application.
7. Click on the Configuration setting to open up the SCIM settings in OneLogin.
8. Enter your SCIM token in your OneLogin Configuration setting and the SCIM URL that you generated in 15Five. Typically, this URL will be the following: https://yoursubdomain.15five.com/scim/v2.
9. Click the Enable button and check that your credentials were verified successfully. The API Status indicator will change to a green “Enabled” if the credentials were verified successfully.
10. Click the ‘Provisioning’ tab and scroll to the ‘Workflow’ section. Ensure the 'Enable provisioning' box is checked and ‘When individuals are deleted in OneLogin, perform this action in 15Five’ is set to Delete.
In order for updates made to people in OneLogin to propagate down to 15Five, those people in 15Five must be known to OneLogin. Thus, after setting up SCIM it's important to: 1. Check that all the people who were in 15Five prior to setting up SCIM are added to the 15Five application in OneLogin. Once added to the 15Five application in OneLogin, individuals will be matched with the corresponding person in 15Five. 2. Navigate to the "Users" page in the OneLogin application and check that the "Provisioning State" for each person is listed as "provisioned".
11. Assign the 15Five application to each person. If you would like to delay provisioning an individual to 15Five before a certain date, see the section below about ‘Start Dates’ before assigning them to 15Five. When giving 15Five access to a OneLogin user for the first time, a new person will be created in 15Five.
Interested in having people enter 15Five for the first time on a specific day? With 15Five start dates, you can send a date before which your people will not be able to log in to 15Five nor will they receive notifications. On the specified date, they will be sent an email notifying them that they can log in.
You must add the start date for the individual before assigning the person to 15Five for the first time. If an individual is assigned to 15Five for the first time without a start date, it is assumed that they should start immediately and a welcome email will be sent immediately.
To send start dates to 15Five, follow these steps:
1. Within OneLogin, click on the 'Users' tab and then on the 'Custom User Fields' tab.
2. Click on New User Field.
3. Enter the following information for the new field:
- Name: Start Date
- Shortname: startDate
4. Navigate to the 15Five integration within OneLogin.
5. Go to Parameters and click on Start Date under 'Optional Parameters'.
- Change the start date parameter to use the value in the 'Start Date (Custom)' field.
- Ensure 'Include in User Provisioning' is checked.
- Click Save.
Syncing through SCIM is done when a field changes. You can test a sync by updating the desired field, which will jump start a sync.
We verify people by SCIM ID, then User ID, then Email, then Employee ID, stopping at any point if we hit a match. If you are seeing issues with the managerId field not syncing correctly, check the id that you have mapped here or any downstream software you have syncing to Okta. If you are having issues with fields not syncing correctly, email our Support Team at support@15Five.com and we can take a look!
Groups created within OneLogin (at https://subdomain.onelogin.com/groups) cannot be pushed to 15Five. Instead, in order for membership to be managed via SCIM, groups must be created in 15Five and imported into OneLogin. First, add your group in 15Five (https://my.15five.com/group/list.).
Below, we've added a group called "Leadership".
Then, within OneLogin, navigate to the 15Five app and to the 'Provisioning' tab within the app.
Under 'Entitlements', click the Refresh link. Clicking this link will import all of the groups available in 15Five into OneLogin. You will now be able to associate an individual with a group within OneLogin and have that association propagated to 15Five via SCIM. To associate a group with an individual, navigate to that person's profile in OneLogin, move the group from the 'Available Values' section to the 'Selected values' section, and click Save. The person should now be a member of the group in 15Five.
When a new group gets created and synced over via SCIM, that new group will go into the 'Groups' group type. In terms of attributes, the only thing 15Five will read from SCIM in regards to groups and group types is the group ID. After a group is appearing in 15Five, it will be up to the account administrators to reorganize this group(s) to other group types as needed. Groups can be moved to a new group type (manually, via CSV, or via API) in 15Five and SCIM syncs will not override the group type because the group ID itself hasn't changed.
The gist: Group types within 15Five do not talk to SCIM. SCIM does not talk to 15Five about group types. SCIM only talks to 15Five from a group perspective (ie creating a group, naming a group, adding or removing members, deleting a group). The group type organization and maintenance is manually done in 15Five alone (ie creating a new group type, moving to a group type, enabling features per group type).
If an existing group and department (or two groups) need to be combined, this action will need to be taken in SCIM and then 15Five will update accordingly.
How to disconnect
Disconnecting the SCIM integration is a matter of unchecking the ‘Enabled’ box in your SCIM settings:
Once deactivated, all people's accounts will remain active in 15Five, but will no longer be automatically updated by OneLogin.
Troubleshooting, Support, and FAQs
Q: What is the frequency of SCIM uploads from our IdP to 15Five?
A: It’s an on-demand basis, i.e. you make a change and your IdP pushes it immediately to 15Five.
Q: Can SCIM update custom attributes in 15Five?
A: No, not at this time. You can update them using bulk imports or by manually updating the employee’s profile. The bulk import option is not automatically turned on for companies that use SCIM. If you would like this turned on, email support@15Five.com.
Q: Is there a way to bulk sync in OneLogin
There is no way to sync people in bulk in OneLogin. You must remove and add back each individual to the application in OneLogin.
Q: If SCIM is on can I still add people on a one-off basis?
A: No, if SCIM is on you cannot manually add people via the 'Manage people' page or the team 15Five page. Importing new individuals via CSV is an option if SCIM is enabled for your organization. Please reach out to Support at support@15Five.com to get this turned on for your company.
Q: We have data currently in 15Five, if we turn on SCIM provisioning do we risk having data deleted for people with existing data?
A: No, the data will not be deleted if the email addresses are the same. You will need to reimport all of your people so that SCIM will work with individuals that were active in 15Five prior to SCIM being enabled. Doing this does not affect check-ins, objectives, and other user-generated content.
Q: Can I sync employee timezones via SCIM?
A: Not at this time.
Q: Why is an employee’s Manager/Reviewer is not syncing.
A: There are a few potential reasons for this:
- Confirm that ‘Sync Managers’ is selected in your SCIM settings.
- There's an active Best-Self Review cycle in your company's account. Since changing reviewers during a review cycle causes changes to the review cycle, manager updates are not performed during active Best-Self Reviews.
- Did the manager exist in 15Five before assigning them to the employee in Okta? If not, try a ‘Force Sync’ or changing their manager field to initiate another sync. You can review the system logs within Okta for details about what jobs have taken place.
- Un-assign and re-assign the direct report to the 15Five application. Please note this will trigger a "Welcome Back" email to be sent to the re-assigned individuals(s).
Q: Should we make groups in our IdP and then push them over to 15Five? If so, how do we pass over the group admin?
A: It is advisable to pass over the groups through an Identity Provider. However, there is no way to pass over a group admin. The field for group admin will be blank in 15Five. After you set up the groups between IdP and 15Five, you can add a group admin for each group.