All Collections
Integrations
SSO and SCIM
OneLogin Integration Guide (SCIM)
OneLogin Integration Guide (SCIM)
Dev Team avatar
Written by Dev Team
Updated over a week ago

This guide contains the following sections:

  1. Supported Features

    • Create Users. New users created in OneLogin will be automatically synced and created in Fellow

    • Update User Attributes. Changes in OneLogin users profiles, assigned to an application, will be synced to Fellow

    • Deactivate Users. Deactivation of users in OneLogin will result in unable them to log in plus marking as "Inactive" in Fellow

    • Reactivate Users. Users, reactivated in OneLogin, will be able to log in into Fellow again and be marked as "Active"

    • Group Push. Groups created in OneLogin can be synced into Fellow as Teams

  2. Requirements

    You need to have a Fellow account with an Enterprise plan to use this feature, and it must be enabled by a team including a Fellow admin and a OneLogin admin (or your IT team)

  3. Enable the integration in Fellow

    1. From a workspace administrator account, navigate to the Account Integrations section in Settings, and then to the SCIM card.

    2. Click the Connect button on the top right corner of the page

    3. You will then see this form:

    4. Then press Regenerate token, confirm an action:

    5. After, copy your SCIM token, save it temporarily in a safe place, it is required for the next step


  4. Configuring SCIM params in OneLogin

    1. Log in to your OneLogin account, and navigate to Applications (URL: https://<your_workspace>.onelogin.com/admin2/apps)

    2. Click on the "Add app" button

    3. In the search input, type "SCIM" and select "SCIM Provisioner with SAML (SCIM v2 Enterprise)" app

    4. Specify basic params and click "Save" at the next screen

    5. On the app detail page, navigate to the "Configuration" tab

      1. Set http://fellow.app/scim/v2 as a "SCIM Base URL"

      2. Paste this config into a "SCIM JSON Template":

        {
        "schemas": [
        "urn:scim:schemas:core:2.0",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
        ],
        "userName": "{$parameters.scimusername}",
        "name": {
        "familyName": "{$user.lastname}",
        "givenName": "{$user.firstname}",
        "formatted": "{$user.display_name}"
        },
        "emails": [{
        "value": "{$user.email}",
        "type": "work",
        "primary": true
        }],
        "title": "{$parameters.title}",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
        "department": "{$parameters.department}",
        "manager": {
        "value": "{$parameters.managerEmail}",
        "displayName": "{$user.manager_firstname} {$user.manager_lastname}"
        }
        }
        }

      3. Copy your token from Fellow into the "SCIM Bearer Token" field, then click the "Save" button

      4. On the same page, click on the "Enable" button

    6. Navigate to the "Parameters" tab and hit a "+" button to add a new param

      1. In the "Field name" type "managerEmail", check the "Include in User Provisioning" checkbox, then click "Save"

      2. In the next modal, select a related field as a "Manager Email" (you can start typing to search for it)

      3. Then click on the "SCIM Username" field


      4. And select the "email" as a value, then click "Save"

      5. So the resulting params page should be like that:

    7. [Optional] To add groups sync, you can add custom rules. See the OneLogin article for that

    8. Finally, the last step - navigate to "Provisioning" tab, check "Enable provisioning" and click "Save"

    9. Now you can assign users to an app and have them synced to Fellow

Did this answer your question?