We know how important it is for some companies to automate user management and ensure secure, scalable access control.
Now, with SCIM (System for Cross-domain Identity Management) support, you can automatically manage users in Tomorro directly from your Identity Provider.
This allows you to use your Identity Provider to automatically manage access, roles, and groups within Tomorro. Specifically, you can:
Provision a user (grant access)
Deprovision a user (remove access)
Assign and update a user’s role (Admin, Manager, Contributor)
Create and delete Tomorro groups
Assign users to specific Tomorro groups
Connect on Tomorro
Connect on Tomorro
In order to set up the integration, please go to the integration setup page on Tomorro and open the section User Provisioning to start the setup. Only admins have access to this section.
Two options here :
Default Substitute
A default substitute user can be configured by the organization directly within Tomorro. This substitute will be automatically assigned whenever a user is removed via SCIM.
This substitution logic is specific to Tomorro and is not part of the SCIM standard, meaning Identity Providers cannot send the necessary information for this process. The default substitute is therefore our solution to ensure continuity and data ownership when users are deprovisioned through SCIM.
Restrict group assignment to your identity provider only
You can choose to restrict group assignment in Tomorro to your Identity Provider only. When this setting is enabled, groups and user-group memberships can no longer be edited manually in Tomorro — they are fully managed via SCIM.
This ensures consistency between your Identity Provider and Tomorro, avoids manual errors, and reinforces centralized access management. It’s especially useful for organizations looking to enforce strict governance and automation over user roles and group structures.
Set up on your identity provider OneLogin
Set up on your identity provider OneLogin
STEP 1 - Create a custom app on OneLogin
STEP 1 - Create a custom app on OneLogin
If you're already using a Tomorro application for SAML login you can skip ahead to step 2.
In your administrator area, go to the "Applications" section, then click on "Add App" at the top right of the page
Select an application type "SCIM provisioner with SAML (SCIM v2 Core w/SCIM2 Groups)" from the list
Enter the application name, for example "Tomorro", add a logo and icon, then save
STEP 2 - Enable SCIM provisioning on your application
STEP 2 - Enable SCIM provisioning on your application
Open the "Configuration" options, then enter the information for your Tomorro SCIM integration module in the various fields
{ "schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"userName": "{$parameters.scimusername}",
"userType": "{$user.title}",
"name": {
"givenName": "{$user.firstname}",
"familyName": "{$user.lastname}"
}
}Then activate the API, and save using the button at top right
In the parameters, change the value of the "scimusername" field to "email", then save
Add a rule based on members' "active" status, remind them that the scimusername must be their email address, then save
In the "Provisioning" settings, enable provisioning, then, if you want provisioning to be automatic, disable administrator approvals before "create users", "delete users" or "update users"
STEP 3 - Provision individual users
STEP 3 - Provision individual users
Go to the "Users" section, under "Users", from the top ribbon navigation
Select one of your users, then go to the "Applications" section, and click on the "+" icon on the right of the screen
Select the Tomorro application, then click on "Continue".
Simply click on "Save" on the next screen, without modifying anything
Your user is provisioned in Tomorro!
STEP 4 - Provision users from OneLogin roles
STEP 4 - Provision users from OneLogin roles
Go to "Roles", under "Users"
Click on "New Role" in the top right-hand corner, then give your role a name, select the Tomorro application, and save
You can now use this role to provision the Tomorro application directly
STEP 5 - Choose the Tomorro role for your users from OneLogin
STEP 5 - Choose the Tomorro role for your users from OneLogin
L'attribut OneLogin "Title" est utilisé pour renseigner le rôle Tomorro (admin, manager, contributeur) selon le mapping suivant :
OneLogin attribute | Tomorro role | Tomorro role |
admin | Admin | Admin |
manager | Manager | Creator - Manager |
user | Contributor | Creator - Contributor |
viewer | Viewer |
You can fill in this field to see the correct role assigned to the user in Tomorro. This field can be filled in individually on each user, or automatically according to the associated role
From user’s profile
Go to the profile of one of your users, then choose the value of "Title", and save
From roles
Go to the "Mappings" section under "Users", then create a new mapping using the button at the top right of the page
Here is an example of a mapping that will set the "Title" field to "admin" for all users with the Legal role
STEP 6 - Configure group assignment from OneLogin
STEP 6 - Configure group assignment from OneLogin
You must create Tomorro groups in Tomorro and create mappings to keep them in sync with OneLogin fields. You cannot add groups to Tomorro using OneLogin.
Verify group synchronisation
Go to the Provisionning tab
Click on Refresh
Go to the Parameters tab
Verify that all of the group names were successfully imported from Tomorro
Manual Group Assignment:
Go to the Users tab in the OneLogin SCIM app.
Select the user to edit and manually set group values.
Automated Group Assignment via Rules:
Use OneLogin rules (mappings) to auto-assign users to Tomorro groups based on a OneLogin attribute, like Role.
Example:
Assign all users with the OneLogin Role "Legal" to the Tomorro "legal" group.
Go to the Rules tab, create a New Rule with:
Condition: Roles – include – Legal
Action: Set Groups in Tomorro to – legal
Migrating Group Assignments from Tomorro to OneLogin
If you already have group assignments configured in Tomorro and want to migrate to OneLogin, follow the previous steps and:
Manually replicate the current Tomorro group assignments in OneLogin, then make any necessary adjustments.
Remove all existing group assignments in Tomorro
Resynchronize assignments from OneLogin
Manage group assignment on OneLogin exclusively
To streamline user group assignments, you may prefer a single method. In Tomorro, you can disable direct group assignment, allowing OneLogin to manage it exclusively.
In Tomorro go to the Scim settings and check "Restrict group assignment to your identity provider only" (https://app.gotomorro.com/settings/integrations)
The SAML protocol is now activated for Tomorro !
Additional Information & Our Recommendations
Groups created in Tomorro cannot be synced back to Okta. We recommend recreating these groups directly in Okta, then provisioning them to Tomorro via SCIM to assign access to the various folders and templates. Although this requires an initial time investment, it will save you valuable time in the long run by automating more granular access control in Tomorro directly from Okta.
It can be clearer and more efficient to separate “access” groups and “permission” groups. For example, you might have different groups for your departments or geographic regions granting access to specific templates or parts of your contract library, and then have an “Admins” group and a “Managers” group that manage the userType attribute.