If you use OneLogin as your identity provider, please follow this guide to set up the SCIM protocol for your Tomorro organization.
Note: only an admin can manage these settings on Tomorro.
If you're already using a Tomorro application for, say, a SAML connection, go straight to step 2.
Step 1 - Create an application on OneLogin
In your administrator area, go to the "Applications" section, then click on "Add App" at the top right of the page
Select the application type "SCIM provisioner with SAML (SCIM v2 Core w/SCIM2 Groups)" from the list
Enter the application name, for example "Tomorro", add a logo and icon, then save
Step 2 - Enable SCIM provisioning on your application
Open the "Configuration" options, then enter the information for your Tomorro SCIM integration module in the various fields
{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "userName": "{$parameters.scimusername}",
  "userType": "{$user.title}",
  "name": {
    "givenName": "{$user.firstname}",
    "familyName": "{$user.lastname}"
  }
}
Then activate the API, and save using the button at top right
In the parameters, change the value of the "scimusername" field to "email", then save
Add a rule based on members' "active" status, remind them that the scimusername must be their email address, then save
In the "Provisioning" settings, enable provisioning, then, if you want provisioning to be automatic, disable administrator approvals before "create users", "delete users" or "update users"
Step 3 - Provision individual users
Go to the "Users" section, under "Users", from the top ribbon navigation
Select one of your users, then go to the "Applications" section, and click on the "+" icon on the right of the screen
Select the Tomorro application, then click on "Continue".
Simply click on "Save" on the next screen, without modifying anything
Your user is provisioned in Tomorro! ✨
Step 4 - Provision users from OneLogin roles
Go to "Roles", under "Users"
Click on "New Role" in the top right-hand corner, then give your role a name, select the Tomorro application, and save
You can now use this role to provision the Tomorro application directly
Step 5 - Choose the Tomorro role for your users from OneLogin
The OneLogin "Title" attribute is used to set the Tomorro role (admin, manager, contributor) according to the following mapping:
OneLogin attribute ➡️ Tomorro Role
admin ➡️ Admin
manager ➡️ Manager
user ➡️ Contributor
You can fill in this field to see the correct role assigned to the user in Tomorro. This field can be filled in individually on each user, or automatically according to the associated role
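Because "Title" decides the Tomorro role, it is worth checking what each user's SCIM payload will contain before turning on automatic provisioning. The script below is an added example, not code from Tomorro or OneLogin: it fills the template from Step 2 for a few constructed users and reports non-email usernames, titles outside the mapping above, and users who would become Admin. The function names, the sample users and the exact-match comparison of "Title" are assumptions.

```python
import json
import re

# SCIM JSON template from Step 2 of this guide.
TEMPLATE = """{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "{$parameters.scimusername}",
  "userType": "{$user.title}",
  "name": {"givenName": "{$user.firstname}", "familyName": "{$user.lastname}"}
}"""
# Title -> Tomorro role mapping from Step 5 (exact match is an assumption).
ROLE_BY_TITLE = {"admin": "Admin", "manager": "Manager", "user": "Contributor"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # coarse shape check only
MACRO_RE = re.compile(r"\{\$(?:user|parameters)\.(\w+)\}")

USERS = [  # constructed sample directory entries
    {"email": "ana@example.com", "title": "admin", "firstname": "Ana", "lastname": "Diaz"},
    {"email": "bob", "title": "user", "firstname": "Bob", "lastname": "Li"},
    {"email": "cy@example.com", "title": "Legal Counsel", "firstname": "Cy", "lastname": 'O"Neil'},
]


def render(user):
    """Fill the template as Step 2 configures it (scimusername = email)."""
    fields = {"scimusername": user.get("email", ""),
              "title": user.get("title", ""),
              "firstname": user.get("firstname", ""),
              "lastname": user.get("lastname", "")}
    # json.dumps escapes quotes and backslashes; [1:-1] drops the outer quotes.
    fill = lambda m: json.dumps(fields.get(m.group(1), ""))[1:-1]
    return json.loads(MACRO_RE.sub(fill, TEMPLATE))


def audit(user):
    """Return (payload, findings) for one directory user."""
    payload = render(user)
    findings = []
    if not EMAIL_RE.match(payload["userName"]):
        findings.append("userName is not an email address")
    role = ROLE_BY_TITLE.get(payload["userType"])
    if role is None:
        findings.append(f"Title {payload['userType']!r} is not in the role mapping")
    elif role == "Admin":
        findings.append("will be provisioned as Tomorro Admin")
    return payload, findings


if __name__ == "__main__":
    for u in USERS:
        payload, findings = audit(u)
        print(payload["userName"], findings or "ok")
```
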
1. From users' profiles
Go to the profile of one of your users, then choose the value of "Title", and save
2. From roles
Go to the "Mappings" section under "Users", then create a new mapping using the button at the top right of the page
Here is an example of a mapping that will set the "Title" field to "admin" for all users with the Legal role
Step 6 - Configure group assignment from OneLogin
You must create Tomorro groups in Tomorro and create mappings to keep them in sync with OneLogin fields. You cannot add groups to Tomorro using OneLogin.
Verify group synchronisation
Go to the Provisioning tab
Click on Refresh
Go to the Parameters tab
Verify that all of the group names were successfully imported from Tomorro
Manual Group Assignment:
Go to the Users tab in the OneLogin SCIM app.
Select the user to edit and manually set group values.
Automated Group Assignment via Rules:
Use OneLogin rules (mappings) to auto-assign users to Tomorro groups based on a OneLogin attribute, like Role.
Example:
Assign all users with the OneLogin Role "Legal" to the Tomorro "legal" group.
Go to the Rules tab, create a New Rule with:
Condition: Roles – include – Legal
Action: Set Groups in Tomorro to – legal
Migrating Group Assignments from Tomorro to OneLogin
If you already have group assignments configured in Tomorro and want to migrate to OneLogin, follow the previous steps and:
Manually replicate the current Tomorro group assignments in OneLogin, then make any necessary adjustments.
Remove all existing group assignments in Tomorro
Resynchronize assignments from OneLogin
Manage group assignment on OneLogin exclusively
To streamline user group assignments, you may prefer a single method. In Tomorro, you can disable direct group assignment, allowing OneLogin to manage it exclusively.
In Tomorro, go to the SCIM settings and check "Restrict group assignment to your identity provider only" (https://app.gotomorro.com/settings/integrations)
And that's it, the SCIM protocol is now enabled for Tomorro! 🚀