Our SCIM integration with OneLogin allows admins to add and remove users within OneLogin itself, without having to sign in to Sequr. With the integration, newly boarded users also get an email notifying them to download their mobile key to the office.
The SCIM push-based system treats the OneLogin directory as your source of truth. When changes are made in OneLogin, they are immediately pushed to Sequr. This means you never have to worry about the Sequr employee directory being out of sync with OneLogin.
The following tutorial walks through the process of integrating OneLogin with Sequr. You will need admin privileges in both OneLogin and Sequr to complete this integration.
Step 1 : Prepare to enable the Sequr + OneLogin provisioning integration.
- Create Access Groups - You can grant permissions to specific door groups in Sequr based upon your OneLogin organizational roles or any other attributes. Please create the appropriate Access Groups in Sequr based upon your specific office needs (this could reflect your OneLogin roles/groups structure). For example, let's say you've created Employees, Contractors, and IT Admin access groups.
- If you have multiple office locations enabled with Sequr, decide whether you’d like to sync all users to all locations, or to sync specific users per location. This will affect how you set up the integration.
- Decide whether you would like to assign mobile keys to all newly boarded users by default.
Step 2 : Enable Sequr + OneLogin provisioning integration on Sequr.
- First, log in to the Sequr web application and click on the 'Integrations' tab.
- Find the OneLogin integration and click 'Install.'
- Once installed, you will be assigned a secure token (the SCIM bearer token) for your OneLogin provisioning integration. Copy this token; you will need it in the next step when you paste it into your OneLogin account.
Step 3 : Configure your OneLogin Account.
- Log in to your OneLogin account as an admin.
- Go to Apps -> Add Apps -> Search for: “Sequr”
- Click on "Save."
- Once you’ve installed the Sequr app on OneLogin, go to the 'Configuration' tab under the app. Paste the token generated in the step above from the Sequr integration page into the SCIM Bearer token field, then click the ‘Enable’ button.
- Under the Provisioning tab, please enable provisioning for Sequr.
- Under the Parameters tab, we need to configure all the marked parameters and their mappings as described below.
SCIM Username : Change the mapping for SCIM Username to Email as shown below.
Edit each of the remaining parameters (Department, DistinguishedName, MemberOf, Title and Role) in its respective edit wizard, enable "Include in User Provisioning" for each one, and Save.
- Save the changes.
Step 4 : Configure Rules for Employee Sync
Please go to Sequr dashboard to configure provisioning rules. This step is crucial since there must be at least one rule specified for each property in order for a successful synchronization. All of your properties will be listed in the rules section where you can manage rules for respective properties.
With provisioning rules, you can:
- Map your organizational groups to Sequr "door access groups."
- Decide which role needs to be assigned to each user.
- Decide whether newly on-boarded employees should automatically receive a mobile key.
- Manage access to multiple office locations.
Simple Provisioning Rule:
You can create one default simple rule where every synced employee is granted common door access, as well as added under the regular user role.
For example, you can define a rule where every employee synced from OneLogin is assigned to the "Employee" access group and added under the "User" role.
As you can see in the following screenshot, in this case you do not need to add any conditions to the rule for a simple default rule.
Advanced Provisioning Rules
With this upgrade, you can get more specific with the rule engine to make sure certain groups of users in your organization are assigned to their proper access group.
As shown below, based upon your "OneLogin Roles," you can assign appropriate door access to appropriate users. If you have multiple office locations, you can also choose which specific employees get synced to which specific office locations.
You can drag these rules up or down to set their execution priority. Rules are executed in order based upon their priority. Once one rule is matched and executed, the rest of the rules will be skipped.
You can also add multiple conditions to a single rule as shown below. If you have multiple conditions applied to a single rule, you can select to either "match all" conditions or "match any" condition.
- Once you have configured the provisioning rules on Sequr side you can start syncing users from OneLogin.
- To sync users from OneLogin, you can either assign the Sequr app directly to users, or assign roles to users and then define OneLogin rules that assign the Sequr app to those roles.
USER UPDATE FLAGS
While setting up your integration, you may choose to enable or disable certain user updates from OneLogin to Sequr.
If your integration set-up includes a few basic and/or broad rules, or if you plan on changing user attributes manually within Sequr after users have been synced via OneLogin, we recommend disabling the ‘Override Roles on Update’ and ‘Override Access Groups on Update’ update flags. If enabled, these User Update flags may override manual changes made to your users’ roles and/or access groups in Sequr.
Delete User If No Rules Match: if changes have been made to a user’s profile within OneLogin that no longer qualify them for any of your integration rules, the user will be deactivated within Sequr. IMPORTANT NOTE: This flag will only come into play during directory updates. If you deactivate or suspend a user within your directory, the user will automatically be deactivated within Sequr, regardless of whether this User Update flag is enabled or not.
IMPORTANT NOTE: If your integration does not include a specialized rule for provisioning system administrators, we recommend disabling the ‘Override Roles on Update’ flag as system administrator privileges may be revoked for existing administrators during updates. To avoid losing administrative privileges while keeping this flag enabled, we recommend creating a specialized rule within your integration that will provision system administrators. Ensure that this rule is placed first within your rule priority list so that system administrators will be provisioned first, then remaining users will be matched to the following rules accordingly.
- Make sure rules are defined on the Sequr dashboard before provisioning starts. If no rules are defined, any provisioning request from OneLogin will be dropped.
- When an already provisioned user is updated in OneLogin, the rules are re-evaluated and the necessary updates are applied. If no rule matches in this scenario, the user will be deactivated for that property. For example, suppose you have a rule that says "Any user that belongs to the Employees role in OneLogin is assigned to the Regular Employees access group in Sequr". Once a user has been created in Sequr by this rule and is then moved from that OneLogin role to the Contractors role, for which there is no rule in Sequr, the user will be deactivated in Sequr.
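The rule-engine behaviour described above (priority order with first match winning, "match all" versus "match any" conditions, the two Override flags and Delete User If No Rules Match) modelled as a small Python example. This is an added illustration, not Sequr's or OneLogin's code; the rules and user records are constructed, and the behaviour when Delete User If No Rules Match is disabled is an assumption stated in the docstring.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    conditions: list           # [(attribute, value), ...]; an empty list is a default rule
    match: str = "all"         # "all" or "any", the two options in the rule editor
    access_groups: tuple = ()
    role: str = "User"

    def matches(self, user: dict) -> bool:
        if not self.conditions:                   # a default rule matches everyone
            return True
        hits = [user.get(attr) == val for attr, val in self.conditions]
        return all(hits) if self.match == "all" else any(hits)

def apply_rules(user: dict, rules: list, current: Optional[dict] = None,
                override_roles: bool = True, override_groups: bool = True,
                delete_if_no_match: bool = True) -> Optional[dict]:
    """Evaluate `rules` in priority order (index 0 first); the first match wins.
    `current` is the user's existing Sequr record, or None on first provisioning.
    Returns None when no rules are defined (the request is dropped).
    Assumption: with 'Delete User If No Rules Match' disabled, an update that
    matches no rule leaves the existing record untouched."""
    if not rules:
        return None
    matched = next((r for r in rules if r.matches(user)), None)
    if matched is None:
        if current is None or delete_if_no_match:
            return {"active": False}              # deactivated, never deleted outright
        return dict(current)
    result = {"active": True, "role": matched.role,
              "access_groups": list(matched.access_groups)}
    if current is not None and not override_roles:      # keep manual role edits
        result["role"] = current["role"]
    if current is not None and not override_groups:     # keep manual group edits
        result["access_groups"] = current["access_groups"]
    return result

# Constructed rules mirroring the guide's Employees / Contractors / IT Admin groups.
ADMIN_RULE = Rule("System admins first", [("role", "IT Admin")],
                  access_groups=("IT Admin",), role="System Administrator")
RULES = [
    ADMIN_RULE,
    Rule("Employees", [("role", "Employees")], access_groups=("Employees",)),
    Rule("Contractors or vendors", [("role", "Contractors"), ("department", "Vendors")],
         match="any", access_groups=("Contractors",)),
]
DEFAULT_RULE = Rule("Everyone else", [], access_groups=("Employees",))
```

Placing `DEFAULT_RULE` ahead of `ADMIN_RULE` reproduces the situation the note above warns about: the administrator matches the default rule first and is provisioned as a plain User.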
If you need assistance or have any questions about this integration, please feel free to reach out to us at email@example.com