OneLogin SAML + SCIM

Configure OneLogin to automatically provision users in Doppler using SCIM

This guide will show you how to set up a OneLogin SCIM 2.0 application to automatically provision and manage user access to Doppler.

📘

SCIM requires a Pro subscription

Want to try it out first? Start a free 30-day trial.

Requirements

Create OneLogin Application

Open the OneLogin admin console and click Applications from the top navigation menu.

Then click Add App.

Enter "SCIM v2 Core" into the search field, then click the SCIM Provisioner with SAML (SCIM v2 Core) box.

Name the application Doppler and click the Save button to create the application.

Click on Configuration from the left menu.

Then populate the form with the following values:

It should look like the following.

Now download the required SAML metadata for the application as you'll need that to paste into the Doppler dashboard.

Copy the contents of the downloaded XML file which you'll use in the next step.

SAML

In a separate tab, navigate to the Team page, then click on the SSO tab.

Scroll to the SAML Single Sign-On form and paste the contents of the XML into the IDP XML field. Then click Save.

The value of the SSO URL field is the best URL to give to users, although they can also follow the link provided by the Doppler application in OneLogin.

SCIM

While still in the SSO section, ensure SCIM is enabled by scrolling to the SCIM 2.0 form and changing Status to Enabled. Then click Save.

Once the page reloads, scroll to the SCIM 2.0 form again and copy the value of the Base URI field.

📘

The Access level field controls which permissions a user will initially receive when provisioned. We recommend keeping it at Collaborator access to follow the principle of least privilege.

Now head back to OneLogin and paste the value into SCIM Base URL field, then click Enable.

The API Connection should now be Enabled.

Now head back to the Doppler dashboard to get the SCIM Basic Auth token.

Click on the Manage link in the SCIM form which will open a new window, taking you to the Tokens page with the SCIM tab selected.

To get new SCIM credentials, click on the Roll link.

Then click the Roll button from the modal.

Copy the Basic Auth Header value.

Paste it into the Custom Headers field, prepended with Authorization: (so the header line reads Authorization: followed by the copied value).

Then click Save.

Logos

Change the logos for the application by uploading the images below, then click Save.

Parameters

We now need to configure the user parameters that will be sent to Doppler when provisioning a user.

To start, click on Parameters from the left menu.

Click on SCIM Username to bring up the edit field modal, changing the Value field to Email, then click Save.

Next, create a new email field by first clicking on the + button to the right of the form.

Enter email as the name, checking the Include in SAML assertion and Include in User Provisioning checkboxes. Then click Save.

Select Email for the Value field, checking the Include in SAML assertion checkbox, then click Save.

The last field to create is the name field, which consists of the user's first and last name. Click on the + button to the right of the form to launch the New Field modal.

Enter name as the Field name value, checking the Include in SAML assertion and Include in User Provisioning checkboxes. Then click Save.

Select - Macro - for the Value field, and enter {firstname} {lastname} in the textfield below it. Check the Include in SAML assertion checkbox and click Save.

The list of parameters should now look like the following.

Provisioning

The final step is to enable the OneLogin application to automatically provision, update, and delete users in Doppler.

Click on Provisioning from the left menu, then adjust the form so it matches the below settings.

Then click Save.

📘

Suspend not supported

Users should be deleted from the Doppler application (not suspended) as we do not support the concept of a suspended user.

Now, whenever new users are added, updated, or deleted from the application, Doppler will receive the relevant API call to sync changes to the user records for the workplace.
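As an added illustration (not Doppler's or OneLogin's own code), the following Python models the two pieces configured above: the Authorization line pasted into the Custom Headers field, with a check that catches a truncated or mis-prefixed paste before you click Save, and a SCIM 2.0 user record built from the SCIM Username, email and name parameters. The record shape follows the RFC 7643 core User schema and the macro rendering is an assumption; the exact attributes OneLogin sends and Doppler reads are not specified on this page.

```python
"""Model of the provisioning call configured in this guide (added example)."""
import base64

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
NAME_MACRO = "{firstname} {lastname}"  # the macro entered for the name parameter


def custom_header_line(basic_auth_value: str) -> str:
    """Build the Custom Headers line: the copied Basic Auth Header value
    prepended with 'Authorization: '."""
    return f"Authorization: {basic_auth_value}"


def check_custom_header(line: str) -> bool:
    """Sanity-check a pasted header line: header name must be Authorization,
    scheme must be Basic, and the token must be valid base64 (a truncated
    paste fails the padding check)."""
    name, sep, value = line.partition(":")
    if name.strip() != "Authorization" or not sep:
        return False
    scheme, _, token = value.strip().partition(" ")
    if scheme != "Basic" or not token:
        return False
    try:
        base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


def scim_user_payload(onelogin_user: dict) -> dict:
    """Assumed shape (RFC 7643 core User) of the create/update request that
    Doppler receives, following the parameter mapping in this guide."""
    email = onelogin_user["email"]
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": email,  # SCIM Username -> Email
        "name": {
            "formatted": NAME_MACRO.format(**onelogin_user),  # name macro
            "givenName": onelogin_user["firstname"],
            "familyName": onelogin_user["lastname"],
        },
        "emails": [{"value": email, "primary": True}],
        "active": True,  # deletions are sent as deletes; Suspend is unsupported
    }
```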

Test

To quickly test that provisioning is working, create or use a test user account, then from the Applications section, manually add them to the Doppler application. Then click Continue.

Confirm that the provisioned fields are correct. If they are not, don't change them here; instead, edit the user's record directly.

If everything looks good, click Save.

Once the page has reloaded, the user should be in the Pending state. Click on Pending from the user's record, then click Approve to confirm the user will be added to the Doppler application.

Upon page reload, the user should be in the Provisioning state.

Then after 10-20 seconds, the status should automatically change to Provisioned.

You should now see the new user added to the Team page.

The next step is using your Roles and Groups in OneLogin to grant access to the OneLogin Doppler application in bulk.

👍

Awesome Work!

You've successfully configured a OneLogin SCIM 2.0 application to automatically provision and manage user access to Doppler.
