Provision and manage users from OneLogin

Joan uses a System for Cross-Domain Identity Management (SCIM) to enable the automatic provisioning of users from OneLogin. When enabled, all user management will be done only in OneLogin and disabled on Joan's side.

1. Enable SCIM integration in MyJoan

Navigate to user directory and click on SCIM. When a new window opens, enable the integration and generate a new token. That token will be used to authenticate the connection between OneLogin and Joan.

scim-2

2. Create a new application in your OneLogin account.

In the "Applications" subpage search for "scim" and select "SCIM Provisioner with SAML (SCIM v2 Enterprise)". That is a generic SCIM integration application provided by OneLogin.

Screenshot 2021-03-25 at 10.59.56

 

Enter the application display name (e.g. Joan Integration) and click Save. A new application will be created. In the next steps, we'll configure it to connect to your Joan account.

 

Screenshot 2021-03-25 at 12.02.33

 

3. Configure Joan SCIM OneLogin application

Now that a new application is created, we need to configure it. Go to the "Configuration" subpage.

To connect a newly created application with Joan please use the following:

SCIM Base URL: https://portal.getjoan.com/api/scim/v2
SCIM Bearer Token: copy it from Joan SCIM configuration page.
SCIM JSON Template:

{
"schemas": [
"urn:scim:schemas:core:2.0"
],
"active": "{$user.status}",
"userName": "{$user.email}",
"name": {
"givenName": "{$user.firstname}",
"familyName": "{$user.lastname}"
},
"externalId":"{$user.external_id}",
"userType":"{$user.custom_fields.userType}"
}

All fields, apart from the "userType" are mandatory. A "userType" field is used to properly map roles from your OneLogin directory to Joan. It helps you automatically manage roles and permissions in your Joan account. If the "userType" field is not included or empty all created users will have a default "User" role assigned in your Joan account. 

Currently supported Joan account roles:

- User

- Office Manager

Screenshot 2021-03-25 at 12.04.34

 

Click Save.

Should you wish to configure automatic role sync from OneLogin, please continue to the 2a step below. If not, please continue to step 3.

 

2a.  [Optional] Configure userType custom field

Should you wish to automatically sync roles with Joan, follow the steps below to configure mappings from OneLogin.

a. Create a new Custom User Field

To create a custom user field called "userType", go to Users -> Custom User Fields and click on "New User Field".

 

Screenshot 2021-03-25 at 12.14.13

Screenshot 2021-03-25 at 12.15.05

When creating a new user field, please use the following values:
Name: userType
Shortname: userType

Click Save.

 

Screenshot 2021-03-25 at 12.15.32

 

b. Add a new userType application parameter

Go to Applications and select the newly created Joan integration. On the left side menu, click "Parameters" and then a "+" sign to add a new one.

Screenshot 2021-03-25 at 12.07.59

 

In the Field name type "userType" and make sure the "Include in SAML assertion" box is checked. Click Save.

 

Screenshot 2021-03-25 at 12.09.02

 

Now that a new application parameter is set, we need to edit it and map it to the correct value. For the "Value" select the previously created custom user field - "userType" and click Save.

 

Screenshot 2021-03-25 at 12.11.10

 

c. Create mapping

Now that we have custom fields set, we need to properly map your OneLogin roles to Joan roles. Go to Users -> Mappings and create a new mapping.

 

Screenshot 2021-03-25 at 12.16.04

Joan currently supports the following account roles:

- User

- Office Manager

Since all users from OneLogin will by default have a "User" role, we only need to define one mapping, that is for the "Office Manager".  Make sure that in the "Actions" dropdown "Set userType" is selected and mapping is set to "Office Manager". After done, click Save.

 

Screenshot 2021-03-25 at 12.17.46

 

3.  Enable integration

To enable the integration go to Configuration -> API Connection and click Enable. API Status should change to green/Enabled.

Screenshot 2021-03-25 at 12.06.49

After the API connection is established, we need to make sure the provisioning is enabled.  Go to "Provisioning" subpage and make sure that the following checkboxes and values are set:

Screenshot 2021-03-25 at 12.12.09

 

That's it. You can now start adding users. They will automatically sync with your Joan account. 

 

If you encounter any issues, please contact support@getjoan.com.