
Setting up SCIM with OneLogin

Updated over 8 months ago

If you use OneLogin as your identity provider, please follow this guide to set up the SCIM protocol for your Tomorro organization.

Note: only an admin can manage these settings on Tomorro.

If you're already using a Tomorro application for, say, a SAML connection, go straight to step 2.

Step 1 - Create an application on OneLogin

  • In your administrator area, go to the "Applications" section, then click on "Add App" at the top right of the page

  • Select the application type "SCIM provisioner with SAML (SCIM v2 Core w/SCIM2 Groups)" from the list

  • Enter the application name, for example "Tomorro", add a logo and icon, then save

Step 2 - Enable SCIM provisioning on your application

  • Open the "Configuration" options, then enter the information for your Tomorro SCIM integration module in the various fields

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "userName": "{$parameters.scimusername}",
  "userType": "{$user.title}",
  "name": {
    "givenName": "{$user.firstname}",
    "familyName": "{$user.lastname}"
  }
}

  • Then activate the API, and save using the button at top right

  • In the parameters, change the value of the "scimusername" field to "email", then save

  • Add a rule based on members' "active" status (reminder: the scimusername must be their email address), then save

  • In the "Provisioning" settings, enable provisioning, then, if you want provisioning to be automatic, disable administrator approvals before "create users", "delete users" or "update users"

Step 3 - Provision individual users

  • Go to the "Users" section, under "Users", from the top ribbon navigation

  • Select one of your users, then go to the "Applications" section, and click on the "+" icon on the right of the screen

  • Select the Tomorro application, then click on "Continue".

  • Simply click on "Save" on the next screen, without modifying anything

  • Your user is provisioned in Tomorro! ✨

Step 4 - Provision users from OneLogin roles

  • Go to "Roles", under "Users"

  • Click on "New Role" in the top right-hand corner, then give your role a name, select the Tomorro application, and save

  • You can now use this role to provision the Tomorro application directly

Step 5 - Choose the Tomorro role for your users from OneLogin

  • The OneLogin "Title" attribute is used to set the Tomorro role (admin, manager, contributor) according to the following mapping:

OneLogin attribute ➡️ Tomorro Role

admin ➡️ Admin

manager ➡️ Manager

user ➡️ Contributor

  • You can fill in this field to see the correct role assigned to the user in Tomorro. This field can be filled in individually on each user, or automatically according to the associated role

1. From users' profiles

  • Go to the profile of one of your users, then choose the value of "Title", and save

2. From roles

  • Go to the "Mappings" section under "Users", then create a new mapping using the button at the top right of the page

  • Here is an example of a mapping that will set the "Title" field to "admin" for all users with the Legal role
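
Because the OneLogin "Title" value decides the Tomorro role, it is worth checking what each user would receive before automatic provisioning is enabled. The following is an added example, not Tomorro or OneLogin code: it fills the Step 2 template for a constructed user export (the export's field names are assumptions) and flags user names that are not email addresses and titles outside the Step 5 mapping.

```python
import json
import re

# Title -> Tomorro role mapping listed in Step 5 of this guide.
# Exact, case-sensitive matching is an assumption of this example; the guide
# does not say how other spellings or unlisted titles are handled.
TITLE_TO_ROLE = {"admin": "Admin", "manager": "Manager", "user": "Contributor"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

def render_scim_user(user):
    """Fill the Step 2 template for one user (scimusername set to email)."""
    return {
        "schemas": [USER_SCHEMA],
        "userName": user.get("email") or "",
        "userType": user.get("title") or "",
        "name": {
            "givenName": user.get("firstname") or "",
            "familyName": user.get("lastname") or "",
        },
    }

def audit(users):
    """Return (payload, role, problems) per user, for review before provisioning."""
    report = []
    for user in users:
        payload = render_scim_user(user)
        problems = []
        if not EMAIL_RE.match(payload["userName"]):
            problems.append("userName is not an email address")
        role = TITLE_TO_ROLE.get(payload["userType"])
        if role is None:
            problems.append("Title %r is not in the Step 5 mapping" % payload["userType"])
        report.append((payload, role, problems))
    return report

def admin_grants(report):
    """User names that would receive the Tomorro Admin role."""
    return [payload["userName"] for payload, role, _ in report if role == "Admin"]

# Constructed sample export; the field names are assumptions for this example.
SAMPLE_USERS = [
    {"email": "ana@example.com", "title": "admin", "firstname": "Ana", "lastname": "Diaz"},
    {"email": "ben@example.com", "title": "Legal Counsel", "firstname": "Ben", "lastname": "Roy"},
    {"email": "", "title": "user", "firstname": "Cy", "lastname": "Lee"},
]

if __name__ == "__main__":
    for payload, role, problems in audit(SAMPLE_USERS):
        print(json.dumps(payload), "->", role, problems or "ok")
```
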

Step 6 - Configure group assignment from OneLogin

You must create Tomorro groups in Tomorro and create mappings to keep them in sync with OneLogin fields. You cannot add groups to Tomorro using OneLogin.

Verify group synchronisation

  • Go to the Provisioning tab

  • Click on Refresh

  • Go to the Parameters tab

  • Verify that all of the group names were successfully imported from Tomorro

Manual Group Assignment:

  • Go to the Users tab in the OneLogin SCIM app.

  • Select the user to edit and manually set group values.

Automated Group Assignment via Rules:

  • Use OneLogin rules (mappings) to auto-assign users to Tomorro groups based on a OneLogin attribute, like Role.

  • Example:

    • Assign all users with the OneLogin Role "Legal" to the Tomorro "legal" group.

    • Go to the Rules tab, create a New Rule with:

      • Condition: Roles – include – Legal

      • Action: Set Groups in Tomorro to – legal

Migrating Group Assignments from Tomorro to OneLogin

If you already have group assignments configured in Tomorro and want to migrate to OneLogin, follow the previous steps and:

  • Manually replicate the current Tomorro group assignments in OneLogin, then make any necessary adjustments.

  • Remove all existing group assignments in Tomorro

  • Resynchronize assignments from OneLogin

Manage group assignment on OneLogin exclusively

To streamline user group assignments, you may prefer a single method. In Tomorro, you can disable direct group assignment, allowing OneLogin to manage it exclusively.

And that's it, the SCIM protocol is now enabled for Tomorro! 🚀
