Configure SCIM for OneLogin

In this article, you will learn how to configure SCIM for OneLogin. Configuring SCIM for OneLogin will allow you to populate and manage users in your KSAT account using OneLogin. For information on how to enable SCIM for your KSAT account, see our SCIM Configuration Guide.

Note: The instructions below are for third-party software. If you run into issues with user provisioning in OneLogin, we recommend reaching out to OneLogin for specific instructions. You can also contact our support team whenever you need assistance.

Configuring SCIM for OneLogin

Follow the steps below to finish configuring your SCIM settings with OneLogin. Please note that these steps require SCIM to be configured in your KSAT account. To configure SCIM in your KSAT account, follow the steps in our SCIM Configuration Guide.

  1. Log in to your OneLogin account and click Administration.
  2. Navigate to Applications > Applications.
  3. Click Add App.
  4. Use the search bar to find the KnowBe4 application.
  5. Click on the application.
  6. In the Display Name field, enter the name you would like to use for the application and click Save.
  7. From the Configuration tab, enter the following information:
    1. SAML Audience URL: This field is set to “KnowBe4” by default. However, if you have enabled SAML in your KSAT account and have generated a unique entity ID, you will need to enter that ID here. For more information about SAML settings, see our How to Set Up SAML Single Sign-on for the Security Awareness Training Platform article.
    2. API Status: Click Enable to enable the API connection between OneLogin and your KSAT account.
    3. SCIM Base URL: Paste the Tenant URL from your KSAT account settings into the SCIM Base URL field. For instructions on how to get your Tenant URL, please see the Configuration Steps section of our SCIM Configuration Guide.
    4. SCIM Bearer Token: Paste the SCIM token from your KSAT account settings into the API Token field. For instructions on how to get your SCIM token, please see the Configuration Steps section of our SCIM Configuration Guide.
  8. From the Parameters tab, the minimum required parameters are populated automatically. You have the option to add additional parameters under the Optional Parameters section. For more information on adding additional parameters, see our Attribute Mappings section below.
  9. From the Access tab, define which users you want to be synced. You have the option to select users based on one of your policies or by user role. For more information, see the Defining Which Users to Sync section below.
  10. From the Provisioning tab, select the Enable provisioning check box.
  11. If you would like OneLogin to prompt you to approve specific actions before performing them, you can leave the check boxes under the Require admin approval before this action is performed section selected. We recommend only selecting this option when testing your SCIM connection. Once cleared, the provisioning process will become fully automated. For more information about admin approval for provisioning, see our Approving Provisioning section below.
  12. Once you have finished configuring your settings, click Save.

Defining Which Users to Sync

After completing the steps in the Configuring SCIM for OneLogin section above, you can decide which users you would like to sync.

Important: Group syncing is not available at this time.

To choose which users you would like to sync, follow the steps below:

  1. Log in to your OneLogin account and click Administration.
  2. Navigate to Applications > Applications.
  3. Click the KSAT app.
  4. Navigate to the Access tab.

From the Access tab, you have the option to define which users to sync. You can sync users either through a policy you’ve created or by selecting the roles you would like to sync.

Syncing Users by Policy

To sync users by policy, follow the steps below:

  1. From the Policy drop-down menu, select the policy you would like to use.
  2. Click Save to apply the policy.

For more information about creating policies to apply security restrictions, see OneLogin’s User Policies article.

Syncing Users by Roles

To sync users by role, follow the steps below:

  1. From the Roles section, select the roles you would like to sync.
  2. Click Save to apply the policy.

For more information on creating policies to apply security restrictions, see OneLogin’s Roles article.

Starting Your Sync

After you have configured SCIM and have added the users you want to sync, you can start the sync.

To start the sync, follow the steps below:

  1. From the KSAT account, navigate to your Account Settings.
  2. Navigate to User Management.
  3. Open your SCIM Settings and then click Force Sync.

After the sync is run, you can view the report from your KSAT account. However, if you have selected any check boxes under the Require admin approval before this action is performed section, you will need to approve the SCIM changes to see these changes in the report. See the Approving Provisioning section below for more information.

Approving Provisioning

If any of the check boxes under the Require admin approval before this action is performed section were selected, you will need to follow the steps below to approve any SCIM changes.

  1. Log in to your OneLogin account and click Administration.
  2. Navigate to Applications > Applications.
  3. Click the KSAT app.
  4. Navigate to the Users tab.
  5. Click on a user that is awaiting SCIM approval.
  6. Click Approve.
    Note: You also have the option to bulk approve provisioning changes by selecting the Bulk approve option instead.
  7. Then, click Save.

If you would like to automate this process, you can clear the check boxes under the Require admin approval before this action is performed option on the Provisioning tab.

Viewing Your Sync Reports

You can view sync reports to see the status of your syncs as well as any errors and additional information about your syncs. To view your sync reports, log in to your KSAT account and navigate to Users > Provisioning.

Test Mode

Once you are sure that your users and groups are configured correctly, you will need to turn off Test Mode in your KSAT account. Turning off Test Mode will allow your users to be added or archived in KSAT during the next sync. For more information about turning off test mode, see the Configuration Steps section of our SCIM Configuration Guide.

If you have any of the check boxes under the Require admin approval before this action is performed section selected, we recommend that you clear the check boxes to make provisioning automatic.

Attribute Mappings

By enabling SCIM, the fields in your identity provider are automatically connected to the corresponding fields in your KSAT account. If you want to change the default mapping or add custom fields, you have the option to update these fields from your identity provider.

To modify these attribute mappings, follow the steps below:

  1. Log in to your OneLogin account and click Administration.
  2. Navigate to Applications > Applications.
  3. Click the KSAT app.
  4. Navigate to the Parameters tab.
  5. Under Optional Parameters, click on the parameter you would like to map.
  6. From the modal that opens, select an option for the Value drop-down menu.
  7. Then, select the Include in User Provisioning check box.
    Note: If you do not see this check box, you will need to navigate to the Provisioning tab and select the Enable provisioning check box.
  8. In the modal, click Save.
  9. Repeat steps 5-8 until you’ve added all the fields you would like to add.
  10. Then, click Reapply Mappings in the top-right corner of the page.
Note: We recommend that you download a CSV file from KSAT to have a backup of all user field information in case of an unexpected error.

For more information about OneLogin attribute mappings, see the Attribute Mappings section below.

Available Attributes

The available field mappings are shown in the table below:

| KnowBe4 Field | SCIM Attribute | OneLogin Field |
| --- | --- | --- |
| Email | userName | SAML NameID (Subject) / scimusername |
| First Name | givenName | firstname |
| Last Name | familyName | lastname |
| Location | formatted | - No default - |
| customDate1 | urn:ietf:params:scim:schemas:extension:knowbe4:kmsat:2.0:User:customDate1 | Important: The dates in this field must be formatted in ISO 8601 format. The format is as follows: YYYY-MM-DD “T” hh:mm:ssZ. For example, 2022-04-04T04:23:30Z. |
| customDate2 | urn:ietf:params:scim:schemas:extension:knowbe4:kmsat:2.0:User:customDate2 | Important: The dates in this field must be formatted in ISO 8601 format. The format is as follows: YYYY-MM-DD “T” hh:mm:ssZ. For example, 2022-04-04T04:23:30Z. |
| customField1 | urn:ietf:params:scim:schemas:extension:knowbe4:kmsat:2.0:User:customField1 | |
| customField2 | urn:ietf:params:scim:schemas:extension:knowbe4:kmsat:2.0:User:customField2 | |
| customField3 | urn:ietf:params:scim:schemas:extension:knowbe4:kmsat:2.0:User:customField3 | |
| customField4 | urn:ietf:params:scim:schemas:extension:knowbe4:kmsat:2.0:User:customField4 | |
| Phone Number | primaryPhone | Phone |
| Division | division | - No default - |
| Employee Number | employeeNumber | - No default - |
| Job Title | title | title |
| Department | department | Department |
| Mobile Phone Number | mobilePhone | - No default - |
| Manager Display Name | managerDisplayName | Manager Name |
| Manager Email | managerEmail | Manager Email |
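
The customDate1 and customDate2 fields above require dates such as 2022-04-04T04:23:30Z, so it is worth checking source values before mapping them and turning off Test Mode. The following Python check is an added example, not KnowBe4 or OneLogin code; it assumes only the exact shape shown in the table is accepted, and the function names and sample records are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Schema URN as shown in the attribute table; the attribute name follows it.
KB4_EXT = "urn:ietf:params:scim:schemas:extension:knowbe4:kmsat:2.0:User"
DATE_ATTRS = ("customDate1", "customDate2")

# Strict shape from the article: YYYY-MM-DDThh:mm:ssZ (UTC, whole seconds).
_SHAPE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z")


def is_valid_custom_date(value):
    """True only for a real calendar date/time in the exact documented shape."""
    if not isinstance(value, str) or not _SHAPE.fullmatch(value):
        return False
    try:
        datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:  # e.g. 30 February or hour 25
        return False
    return True


def to_custom_date(dt):
    """Render an aware datetime in the documented shape, converting to UTC."""
    if dt.tzinfo is None:
        raise ValueError("naive datetime: time zone unknown, refusing to guess")
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def find_bad_dates(users):
    """Return (userName, attribute, value) for each date not in that shape."""
    problems = []
    for user in users:
        for attr in DATE_ATTRS:
            value = user.get(attr)
            if value is not None and not is_valid_custom_date(value):
                problems.append((user["userName"], attr, value))
    return problems


# Constructed sample records (not real users), keyed by names from the table.
SAMPLE_USERS = [
    {"userName": "a.ok@example.com", "customDate1": "2022-04-04T04:23:30Z"},
    {"userName": "b.dateonly@example.com", "customDate1": "2022-04-04"},
    {"userName": "c.offset@example.com", "customDate2": "2022-04-04T04:23:30+00:00"},
    {"userName": "d.nosuchday@example.com", "customDate1": "2022-02-30T00:00:00Z"},
]

if __name__ == "__main__":
    for name, attr, value in find_bad_dates(SAMPLE_USERS):
        print(f"{name}: {KB4_EXT}:{attr} = {value!r} is not YYYY-MM-DDThh:mm:ssZ")
```

Values flagged by find_bad_dates can be corrected at the source or rewritten with to_custom_date before the parameter is mapped in OneLogin.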
