# SCIM integration with OneLogin

{% hint style="info" %}
You must be on a [Forest Admin Enterprise plan](https://www.forestadmin.com/pricing) to have access to this feature.
{% endhint %}

## Supported features

* Provisioning users from OneLogin to Forest Admin
* Updating user role, permission level, and tags from OneLogin to Forest Admin: Enabling SCIM will disable user editing from Forest Admin.
* Deleting a user in Forest Admin when the user is removed from the Forest Admin app in OneLogin.
* SCIM Groups are used to assign users to teams.

## Adding the Forest Admin app

Go to the Application tab and click "Add App".

<figure><img src="https://85223878-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FOx0Wo3NZjrQrGQthTy6o%2Fuploads%2Fgit-blob-1af4eacb516a5ddee2f158ca3fe91742fa7cb058%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

In the search bar, look for SCIM and select "SCIM Provisioner with SAML (SCIM v2 Core)".

<figure><img src="https://85223878-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FOx0Wo3NZjrQrGQthTy6o%2Fuploads%2Fgit-blob-c1a8bf0bd0d6a971ae4615b5b1f05c8c2db6648b%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

## Authenticating OneLogin in Forest Admin

Name your app, then go to your Forest Admin project settings and enable the User provisioning feature: this will automatically generate a **token** that you will need to paste into your OneLogin app:

<figure><img src="https://85223878-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FOx0Wo3NZjrQrGQthTy6o%2Fuploads%2Fgit-blob-6415cc3f05cc4ffc5a9b0881da7fc1be971e9ba4%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Add the following baseUrl and paste your token generated on Forest Admin:

* SCIM Base URL: `https://api.forestadmin.com/scim`

<figure><img src="https://85223878-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FOx0Wo3NZjrQrGQthTy6o%2Fuploads%2Fgit-blob-5aeb705c441a992980d51f94e5b39eec24448b00%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

## Configuring the app

SCIM JSON Template: add the following:

```json
{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:forest:2.0:User"
  ],
  "userName": "{$user.email}",
  "name": {
    "givenName": "{$user.firstname}",
    "familyName": "{$user.lastname}"
  },
  "emails": [
    {
      "value": "{$user.email}",
      "primary": true,
      "type": "work"
    }
  ],
  "urn:ietf:params:scim:schemas:extension:forest:2.0:User": {
    "permissionLevel": "{$parameters.permission_level}",
    "role": "{$parameters.role}",
    "tags": "{$parameters.tags}",
    "teams": "{$parameters.teams}"
  }
}
```

## Adding Forest Admin custom parameters

* permissionLevel (`string`): must exactly match an existing permissionLevel in Forest Admin.
* teams (`string`): comma-separated list of names, each exactly matching a team name in the project, e.g. `"Operators,Support"`. This should either be filled in via a custom mapping rule or ignored if you are using Groups.
* role (`string`): must exactly match an existing role in the project.
* tags (optional `string`): key/value pairs, separated with a semicolon, e.g. `"regions:France,Italie;job:developer"`

<figure><img src="https://85223878-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FOx0Wo3NZjrQrGQthTy6o%2Fuploads%2FSprXu4OVL2LGKLs1UU61%2Fimage.png?alt=media&#x26;token=542c549b-2917-4b9b-aad1-6663ce94d336" alt=""><figcaption></figcaption></figure>

## Managing mapping rules

Create mapping rules to automatically provide values for the mandatory parameters `role` and `permissionLevel`, and optionally for `tags`. If you don’t create mapping rules, you will have to provide these values manually for each user provisioned.

<figure><img src="https://85223878-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FOx0Wo3NZjrQrGQthTy6o%2Fuploads%2Fgit-blob-fc140719e3cf64b09f030e61d157562411d493d2%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>
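The parameter formats and the mandatory `role` and `permissionLevel` values described above can be checked before a mapping rule goes live. The following Python sketch is an added example, not Forest Admin or OneLogin code: the sample payload and the allowed role, permission level and team names are constructed, and splitting a tag value on commas is an assumption drawn from the `regions:France,Italie` example.

```python
# Extension schema URN, copied from the page's SCIM JSON template.
FOREST_EXT = "urn:ietf:params:scim:schemas:extension:forest:2.0:User"

# Constructed sample: the rendered template for one user, with a trailing space in the role.
SAMPLE = {"schemas": [FOREST_EXT], FOREST_EXT: {
    "permissionLevel": "editor", "role": "operations ",
    "tags": "regions:France,Italie;job:developer", "teams": "Operators,Support"}}


def parse_teams(raw):
    """Split the comma-separated `teams` string into a list of names."""
    return [t.strip() for t in raw.split(",") if t.strip()]


def parse_tags(raw):
    """Parse 'key:v1,v2;key2:v3' into {key: [values]}; raise on malformed pairs."""
    tags = {}
    for pair in filter(None, (p.strip() for p in raw.split(";"))):
        key, sep, value = pair.partition(":")
        values = [v.strip() for v in value.split(",") if v.strip()]
        if not sep or not key.strip() or not values:
            raise ValueError(f"malformed tag pair: {pair!r}")
        tags[key.strip()] = values
    return tags


def validate_payload(payload, roles, levels, teams):
    """Return a list of problems found in a rendered SCIM user payload."""
    ext = payload.get(FOREST_EXT, {})
    problems = []
    if FOREST_EXT not in payload.get("schemas", []):
        problems.append("extension schema missing from 'schemas'")
    # role and permissionLevel are mandatory and must match exactly (no trimming).
    for field, allowed in (("role", roles), ("permissionLevel", levels)):
        value = ext.get(field, "")
        if not value or value.startswith("{$"):
            problems.append(f"{field}: empty or unrendered placeholder")
        elif value not in allowed:
            problems.append(f"{field}: {value!r} does not match an existing value")
    for team in parse_teams(ext.get("teams", "")):
        if team not in teams:
            problems.append(f"teams: {team!r} does not match an existing team")
    try:
        parse_tags(ext.get("tags", ""))
    except ValueError as exc:
        problems.append(f"tags: {exc}")
    return problems
```

Calling `validate_payload(SAMPLE, {"operations"}, {"editor"}, {"Operators", "Support"})` reports only the role, because exact matching treats the trailing space as a different value.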

## Adding custom user attributes

You may want to add custom user attributes to base your mapping rules on. To do so, go to the "Custom User Fields" section of the Users tab.

![](https://85223878-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FOx0Wo3NZjrQrGQthTy6o%2Fuploads%2Fgit-blob-eb260a9e12bafbc1a4a3a027c536cf0c9576403f%2Fimage.png?alt=media)

## Managing teams with SCIM groups

Groups allow you to create mapping rules between OneLogin roles and Forest Admin teams.

First, go to the Provisioning tab and, in the Entitlement section, click on "Refresh" to fetch teams in OneLogin.

<figure><img src="https://85223878-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FOx0Wo3NZjrQrGQthTy6o%2Fuploads%2Fgit-blob-372bb06be4c82c68b5e4aa60cc2a67de2fd82bf2%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

You can then create a rule for each role you want to map with an existing Forest Admin team.

<figure><img src="https://85223878-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FOx0Wo3NZjrQrGQthTy6o%2Fuploads%2Fgit-blob-861fa2e3311013d9908e2a6827251c67ae6e92b8%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

When a role is added to or removed from a user, the user is automatically added to or removed from the corresponding Forest Admin team.
