Set up SCIM provisioning with OneLogin

Ben Pemstein Ben Pemstein
· Updated

This article covers connecting OneLogin to 15Five via SCIM so that employees are automatically created, updated, and deactivated in 15Five when changes are made in OneLogin. When setup is complete, the API Status indicator in OneLogin displays a green Enabled status.

Before You Begin

  • If you plan to use both SSO and SCIM, set up SSO first. See Set up SAML Single Sign-On (SSO) in 15Five for instructions.
  • You must have Manage integrations permission in 15Five.
  • If you want to delay employee access using start dates, see before assigning employees in step 18.

Steps

In 15Five

  1. Click the settings gear icon in the bottom-left corner of 15Five.
  2. Select Integrations from the menu.
  3. Click Enable to the right of SCIM 2.0.
  4. Check the Enabled box and click Save.
  5. Click Generate OAuth token.
  6. Copy the access token that appears.
  7. Copy the SCIM URL displayed on the same screen.

> Note: The SCIM URL follows this format: https://yoursubdomain.15five.com/scim/v2. Remove any trailing slash. The URL must end with /v2, not /v2/.

In OneLogin

  1. Log in to OneLogin and go to Applications.
  2. Click the 15Five application.
  3. Click Configuration to open SCIM settings.
  4. Paste the access token from step 6 into the SCIM Bearer Token field.
  5. Paste the SCIM URL from step 7 into the SCIM Base URL field.
  6. Click Enable.
  7. Confirm the API Status indicator displays a green Enabled status.

> If the indicator does not turn green, the token or URL was entered incorrectly. Repeat steps 11–13.

  1. Click the Provisioning tab.
  2. Scroll to the Workflow section.
  3. Check Enable provisioning.
  4. Set When individuals are deleted in OneLogin, perform this action in 15Five to Delete.
  5. Assign the 15Five application to each person in OneLogin.

> When a person is assigned to the 15Five application for the first time, 15Five creates a new account for that person.

After Setup — Match Existing 15Five Users to OneLogin

Complete these steps if employees already existed in 15Five before you configured SCIM.

  1. Add each existing 15Five employee to the 15Five application in OneLogin. OneLogin matches each person by email address to their existing 15Five account.
  2. Go to the Users page in the OneLogin application.
  3. Confirm the Provisioning State for each person shows Provisioned.

If Something Goes Wrong

Issue Check Fix
API Status does not turn green after clicking Enable Token or SCIM URL is incorrect Re-copy the token and URL from 15Five SCIM settings and re-enter them in OneLogin Configuration
Employee is created as a duplicate instead of matched to existing account Email address in OneLogin does not match email in 15Five Update the email in OneLogin or 15Five so both match exactly, then reassign the person to the 15Five application
Manager field is not syncing Sync Managers is not enabled in SCIM settings Enable Sync Managers in 15Five SCIM settings, then update the manager field in OneLogin to trigger a sync
Manager sync still fails after enabling Sync Managers Manager did not exist in 15Five at time of assignment Remove and reassign the person to the 15Five application in OneLogin to trigger a new sync
Provisioning State shows a status other than Provisioned Person was not assigned to the 15Five application in OneLogin Assign the person to the 15Five application in OneLogin

Not Covered Here

This article does not cover start date configuration, group syncing, or disconnecting the integration. See the related articles below.

Related Articles

-

Was this article helpful?

Sorry to hear that. Tell us what was missing →