In this article, you will learn how to configure SCIM for OneLogin. Configuring SCIM for OneLogin will allow you to populate and manage users in your KSAT account using OneLogin. For information on how to enable SCIM for your KSAT account, see our SCIM Configuration Guide.
Configuring SCIM for OneLogin
Follow the steps below to finish configuring your SCIM settings with OneLogin. Please note that these steps require SCIM to already be configured in your KSAT account. To configure SCIM in your KSAT account, follow the steps in our SCIM Configuration Guide.
- Log in to your OneLogin account and click Administration.
- Navigate to Applications > Applications.
- Click Add App.
- Use the search bar to find the KnowBe4 application.
- Click on the application.
- In the Display Name field, enter the name you would like to use for the application and click Save.
- From the Configuration tab, enter the following information:
  - SAML Audience URL: This field is set to “KnowBe4” by default. However, if you have enabled SAML in your KSAT account and have generated a unique entity ID, you will need to enter that ID here. For more information about SAML settings, see our How to Set Up SAML Single Sign-on for the Security Awareness Training Platform article.
  - API Status: Click Enable to enable the API connection between OneLogin and your KSAT account.
  - SCIM Base URL: Paste the Tenant URL from your KSAT account settings into the SCIM Base URL field. For instructions on how to get your Tenant URL, please see the Configuration Steps section of our SCIM Configuration Guide.
  - SCIM Bearer Token: Paste the SCIM token from your KSAT account settings into the API Token field. For instructions on how to get your SCIM token, please see the Configuration Steps section of our SCIM Configuration Guide.
- From the Parameters tab, the minimum required parameters are populated automatically. You have the option to add additional parameters under the Optional Parameters section. For more information on adding additional parameters, see our Attribute Mappings section below.
- From the Access tab, define which users you want to be synced. You have the option to select users based on one of your policies or by user role. For more information, see the Defining Which Users to Sync section below.
- From the Provisioning tab, select the Enable provisioning check box.
- If you would like OneLogin to prompt you to approve specific actions before performing them, you can leave the check boxes under the Require admin approval before this action is performed section selected. We recommend only selecting this option when testing your SCIM connection. Once cleared, the provisioning process will become fully automated. For more information about admin approval for provisioning, see our Approving Provisioning section below.
- Once you have finished configuring your settings, click Save.
Defining Which Users to Sync
After completing the steps in the Configuring SCIM for OneLogin section above, you can decide which users you would like to sync.
To choose which users you would like to sync, follow the steps below:
- Log in to your OneLogin account and click Administration.
- Navigate to Applications > Applications.
- Click the KSAT app.
- Navigate to the Access tab.
From the Access tab, you have the option to define which users to sync. You can sync users either through a policy you’ve created or by selecting the roles you would like to sync.
Syncing Users by Policy
To sync users by policy, follow the steps below:
- From the Policy drop-down menu, select the policy you would like to use.
- Click Save to apply the policy.
For more information about creating policies to apply security restrictions, see OneLogin’s User Policies article.
Syncing Users by Roles
To sync users by role, follow the steps below:
- From the Roles section, select the roles you would like to sync.
- Click Save to apply the policy.
For more information on creating policies to apply security restrictions, see OneLogin’s Roles article.
Starting Your Sync
After you have configured SCIM and have added the users you want to sync, you can start the sync.
To start the sync, follow the steps below:
- From the KSAT account, navigate to your Account Settings.
- Navigate to User Management.
- Open your SCIM Settings and then click Force Sync.
After the sync is run, you can view the report from your KSAT account. However, if you have selected any check boxes under the Require admin approval before this action is performed section, you will need to approve the SCIM changes to see these changes in the report. See the Approving Provisioning section below for more information.
Approving Provisioning
If any of the check boxes under the Require admin approval before this action is performed section were selected, you will need to follow the steps below to approve any SCIM changes.
- Log in to your OneLogin account and click Administration.
- Navigate to Applications > Applications.
- Click the KSAT app.
- Navigate to the Users tab.
- Click on a user that is awaiting SCIM approval.
- Click Approve.
Note: You also have the option to bulk approve provisioning changes by selecting the Bulk approve option instead.
- Then, click Save.
If you would like to automate this process, you can clear the check boxes under the Require admin approval before this action is performed option on the Provisioning tab.
Viewing Your Sync Reports
You can view sync reports to see the status of your syncs as well as any errors and additional information about your syncs. To view your sync reports, log in to your KSAT account and navigate to Users > Provisioning.
Test Mode
Once you are sure that your users and groups are configured correctly, you will need to turn off Test Mode in your KSAT account. Turning off Test Mode will allow your users to be added or archived in KSAT during the next sync. For more information about turning off test mode, see the Configuration Steps section of our SCIM Configuration Guide.
If you have any of the check boxes under the Require admin approval before this action is performed section selected, we recommend that you clear the check boxes to make provisioning automatic.
Attribute Mappings
By enabling SCIM, the fields in your identity provider are automatically connected to the corresponding fields in your KSAT account. If you want to change the default mapping or add custom fields, you have the option to update these fields from your identity provider.
To modify these attribute mappings, follow the steps below:
1. Log in to your OneLogin account and click Administration.
2. Navigate to Applications > Applications.
3. Click the KSAT app.
4. Navigate to the Parameters tab.
5. Under Optional Parameters, click on the parameter you would like to map.
6. From the modal that opens, select an option for the Value drop-down menu.
7. Then, select the Include in User Provisioning check box.
   Note: If you do not see this check box, you will need to navigate to the Provisioning tab and select the Enable provisioning check box.
8. In the modal, click Save.
9. Repeat steps 5-8 until you’ve added all the fields you would like to add.
10. Then, click Reapply Mappings in the top-right corner of the page.
For more information about OneLogin attribute mappings, see the Attribute Mappings section below.
Available Attributes
The available field mappings are shown in the table below:
| KnowBe4 Field | SCIM Attribute | OneLogin Field |
| --- | --- | --- |
| | userName | SAML NameID (Subject) / scimusername |
| First Name | givenName | firstname |
| Last Name | familyName | lastname |
| Location | formatted | - No default - |
| customDate1 | urn:ietf:params:scim:schemas:extension:knowbe4:kmsat:2.0:User:customDate1 | Important: The dates in this field must be formatted in ISO 8601 format. The format is as follows: YYYY-MM-DD “T” hh:mm:ssZ. For example, 2022-04-04T04:23:30Z. |
| customDate2 | urn:ietf:params:scim:schemas:extension:knowbe4:kmsat:2.0:User:customDate2 | Important: The dates in this field must be formatted in ISO 8601 format. The format is as follows: YYYY-MM-DD “T” hh:mm:ssZ. For example, 2022-04-04T04:23:30Z. |
| customField1 | urn:ietf:params:scim:schemas:extension:knowbe4:kmsat:2.0:User:customField1 | |
| customField2 | urn:ietf:params:scim:schemas:extension:knowbe4:kmsat:2.0:User:customField2 | |
| customField3 | urn:ietf:params:scim:schemas:extension:knowbe4:kmsat:2.0:User:customField3 | |
| customField4 | urn:ietf:params:scim:schemas:extension:knowbe4:kmsat:2.0:User:customField4 | |
| Phone Number | primaryPhone | Phone |
| Division | division | - No default - |
| Employee Number | employeeNumber | - No default - |
| Job Title | title | title |
| Department | department | Department |
| Mobile Phone Number | mobilePhone | - No default - |
| Manager Display Name | managerDisplayName | Manager Name |
| Manager Email | managerEmail | Manager Email |
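
The customDate1 and customDate2 fields accept only the YYYY-MM-DDThh:mm:ssZ form, so it helps to check source values before mapping them in OneLogin. The following Python is an added example, not KnowBe4 or OneLogin code; the list of input formats, the sample records, and the rule that a value without an offset is already in UTC are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Required shape from the attribute table: YYYY-MM-DDThh:mm:ssZ
STRICT = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z")
# Assumed formats a directory export might contain (constructed list).
CANDIDATES = ("%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d", "%m/%d/%Y")
DATE_ATTRS = ("customDate1", "customDate2")

def to_scim_date(value):
    """Return value as YYYY-MM-DDThh:mm:ssZ, or raise ValueError."""
    value = value.strip()
    if STRICT.fullmatch(value):
        # Right shape already; strptime still rejects impossible dates.
        datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
        return value
    for fmt in CANDIDATES:
        try:
            parsed = datetime.strptime(value, fmt)
        except ValueError:
            continue
        if parsed.tzinfo is None:
            # Assumption: a value without an offset is already in UTC.
            parsed = parsed.replace(tzinfo=timezone.utc)
        return parsed.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    raise ValueError(f"cannot convert {value!r} to ISO 8601 UTC")

def check_records(records):
    """Return (normalized dates per userName, list of rejected values)."""
    normalized, errors = {}, []
    for rec in records:
        dates = {}
        for attr in DATE_ATTRS:
            if rec.get(attr):
                try:
                    dates[attr] = to_scim_date(rec[attr])
                except ValueError as exc:
                    errors.append((rec["userName"], attr, str(exc)))
        normalized[rec["userName"]] = dates
    return normalized, errors

# Constructed sample records, not real directory data.
SAMPLE = [
    {"userName": "a.lee@example.com", "customDate1": "2022-04-04T00:23:30-04:00"},
    {"userName": "b.kim@example.com", "customDate1": "04/04/2022", "customDate2": "2022-02-30"},
    {"userName": "c.roy@example.com", "customDate1": "2022-04-04T04:23:30Z"},
]
```

Calling `check_records(SAMPLE)` returns the converted values alongside a list of `(userName, attribute, reason)` entries for anything that should be corrected at the source before the next sync.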