Configuring SCIM in OneLogin

This document outlines the steps required to configure automatic provisioning and deprovisioning of your users and groups in Pulumi from OneLogin using SCIM 2.0.

Please note that some advanced SCIM features aren’t supported yet. For more information, see Known Limitations.

Prerequisites

  • You must be an admin of your Pulumi organization.
  • (Optional, but highly recommended) You should have more than one admin for your Pulumi organization, so that a mistake while enabling SAML/SCIM cannot lock every admin out.

Configuring the OneLogin Application

The first step is to create a new OneLogin Application for Pulumi SCIM:

  1. From the OneLogin Administration portal, go to the Applications page and select the Add App button.

  2. Search for SCIM Provisioner with SAML (SCIM v2 Core) and select it.

  3. Enter a Display Name and optionally a logo. See Pulumi Logos.

  4. Select Save.

Configuration Settings

Select the Configuration view for the application and enter/confirm the values in the following table.

Configuration Setting   Value
SAML Audience URL       https://api.pulumi.com/login/acmecorp/sso/saml/metadata
SAML Consumer URL       https://api.pulumi.com/login/acmecorp/sso/saml/acs
SCIM Base URL           https://api.pulumi.com/scim/v2/acmecorp
API Connection          Enabled

In each URL, acmecorp is a placeholder: replace it with the name of your Pulumi organization.

SSO Settings

Select the SSO view for the application and confirm/update the values in the following table.

SSO Setting                 Value
SAML Signature Algorithm    SHA-512

Provisioning Settings

Select the Provisioning view for the application and confirm/update the following settings:

Provisioning Setting                                  Value
Enable provisioning                                   box is checked
Require admin approval before this action is performed  Create user, Delete user, Update user boxes are all unchecked
When users are deleted in OneLogin …                  Suspend (DO NOT set to Delete)
When user accounts are suspended in OneLogin …        Suspend

Parameters Settings

Select the Parameters view for the application and add the fields as per the following table.

SCIM Provisioning Field Name    Value
firstName                       First Name
lastName                        Last Name
email                           Email

Be sure to check the Include in SAML assertion checkbox for each of the added fields.

Optionally, you can override the default value for scimusername by using the Macro setting, for example {firstname}{lastname}; see OneLogin Macros.

Select Save to save the application settings.

Configuring Communications Between Pulumi and OneLogin

These next steps configure the Pulumi Service with details on your new OneLogin-based application and configure OneLogin to be able to authenticate to the Pulumi Service.

For the first step, you need to obtain the IDP metadata document from OneLogin and then provide it to Pulumi.

  1. Navigate to the OneLogin Application you created above, open the More Actions drop-down menu and select SAML Metadata to download the metadata XML file.
  2. Open the file and copy the entire block of XML text to your clipboard.
  3. Open the Pulumi Service and navigate to the organization for which you are enabling SAML/SCIM.
  4. Select the Settings tab, and then select Access Management.
  5. In the Membership Requirements section, select the Change requirements button.
  6. Select SAML SSO and then select Next.
  7. Paste the IDP metadata XML into the bottom card titled SAML SSO Settings
  8. Select Apply changes at the bottom of the card.
  9. Refresh the browser to see that SAML is configured.
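Before pasting the downloaded file, it is worth confirming it is identity-provider metadata and carries what Pulumi needs to verify OneLogin's assertions. The following script is an added example, not Pulumi's or OneLogin's code; it parses standard SAML 2.0 metadata with the Python standard library only and reports the issuer (entityID), the HTTP-POST single sign-on URL and the SHA-256 fingerprint of each signing certificate, which can be compared with what the OneLogin console shows. The embedded sample metadata, its URLs and its certificate body are constructed for the example and are not real OneLogin output.

```python
"""Check a OneLogin SAML metadata file before pasting it into Pulumi.

Added example; not Pulumi's or OneLogin's code. Problems are collected
rather than raised, so one run lists everything wrong with the file.
"""
import base64
import hashlib
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def inspect_idp_metadata(xml_text: str) -> dict:
    """Return entity_id, sso_url, signing_cert_sha256 and a list of problems."""
    result = {"entity_id": None, "sso_url": None, "signing_cert_sha256": [], "problems": []}
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        result["problems"].append(f"not well-formed XML ({exc}); was the whole file copied?")
        return result

    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        result["problems"].append(f"root element is {root.tag}, expected md:EntityDescriptor")
        return result
    result["entity_id"] = root.get("entityID")
    if not result["entity_id"]:
        result["problems"].append("EntityDescriptor has no entityID (the SAML issuer)")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # An SPSSODescriptor here means the service-provider file was exported by mistake.
        result["problems"].append("no IDPSSODescriptor: this is not identity-provider metadata")
        return result

    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding") == HTTP_POST:
            result["sso_url"] = sso.get("Location")
            break
    if not result["sso_url"]:
        result["problems"].append("no SingleSignOnService with the HTTP-POST binding")

    for kd in idp.findall("md:KeyDescriptor", NS):
        # No "use" attribute means the key serves both signing and encryption.
        if kd.get("use") not in (None, "signing"):
            continue
        cert = kd.find(".//ds:X509Certificate", NS)
        if cert is None or not cert.text:
            continue
        der = base64.b64decode("".join(cert.text.split()))
        result["signing_cert_sha256"].append(hashlib.sha256(der).hexdigest())
    if not result["signing_cert_sha256"]:
        result["problems"].append("no signing certificate: assertion signatures cannot be verified")
    return result


# Constructed sample (not real OneLogin output). The certificate body is a
# placeholder string, not an X.509 certificate, so its fingerprint is arbitrary.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_IDP_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://app.onelogin.com/saml/metadata/constructed-example">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT_B64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.onelogin.com/trust/saml2/http-redirect/sso/constructed"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.onelogin.com/trust/saml2/http-post/sso/constructed"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    # Usage: python check_idp_metadata.py onelogin_metadata.xml   (no argument: use the sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_IDP_METADATA
    report = inspect_idp_metadata(text)
    for key, value in report.items():
        print(f"{key}: {value}")
    sys.exit(1 if report["problems"] else 0)
```

The script exits non-zero when anything is missing; a file that fails here is not worth pasting, and a fingerprint that differs from the one in the OneLogin console means the wrong application's metadata was downloaded.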

At this point Pulumi is able to accept SAML assertions from OneLogin. The next step is to give OneLogin a bearer token so that Pulumi can authenticate the SCIM requests OneLogin sends.

  1. Navigate to the Pulumi Service Access management view.
  2. Scroll to the SCIM block at the bottom of the page.
  3. Select Generate new token
  4. Copy the token. Treat it as a credential: it authorizes user and team management in your organization, so paste it only into OneLogin and store it nowhere else. If it is ever exposed, generate a new token and update OneLogin.
  5. Navigate back to the OneLogin Application you created.
  6. Select the Configuration view.
  7. Paste the SCIM token copied from Pulumi above into the SCIM Bearer Token field.
  8. Save the application.

At this point, SCIM provisioning of users into the Pulumi organization works: assigning the OneLogin application created above to a OneLogin user creates that user in Pulumi.
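The quickest way to confirm that the token was pasted correctly is to make a SCIM request of the same kind OneLogin will make. The script below is an added example, not Pulumi's or OneLogin's code: it sends a SCIM 2.0 GET authenticated with the bearer token and interprets the reply according to RFC 7644 (a 401 means the token was rejected; a 200 that is not a SCIM ListResponse usually means the SCIM Base URL is wrong). The base URL uses the placeholder organization acmecorp from the configuration table, the token is read from a SCIM_TOKEN environment variable so it never appears on a command line, and the HTTP transport is a parameter so the logic can be exercised offline with constructed replies. Listing Groups the same way shows which SCIM-managed teams exist once group provisioning (below) is configured.

```python
"""Smoke-test the Pulumi SCIM endpoint with the bearer token generated above.

Added example; not Pulumi's or OneLogin's code. The organization name
"acmecorp" in BASE_URL is the placeholder from the configuration table.
"""
import json
import os
import sys
import urllib.error
import urllib.request

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"  # RFC 7644
BASE_URL = "https://api.pulumi.com/scim/v2/acmecorp"  # replace acmecorp with your org


def http_get(url, headers):
    """Default transport: return (status, body) for success and HTTP errors alike."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()


def scim_request(base_url, token, resource="Users"):
    """Build the URL and headers for a one-record SCIM list request."""
    url = f"{base_url.rstrip('/')}/{resource}?startIndex=1&count=1"
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/scim+json"}
    return url, headers


def scim_list(base_url, token, resource="Users", transport=http_get):
    """GET one record from {base_url}/{resource} and summarise the reply.

    "Users" checks that the token is accepted; "Groups" lists the teams that
    SCIM currently manages. Only the status and totalResults matter here.
    """
    url, headers = scim_request(base_url, token, resource)
    status, body = transport(url, headers)
    if status == 401:
        return {"ok": False, "status": status,
                "reason": "token rejected: generate a new one in Pulumi and paste it into OneLogin"}
    if status != 200:
        return {"ok": False, "status": status, "reason": body[:200].decode("utf-8", "replace")}
    try:
        doc = json.loads(body)
    except ValueError:  # not JSON at all, e.g. an HTML page from a wrong URL
        doc = None
    if not isinstance(doc, dict) or LIST_RESPONSE not in doc.get("schemas", []):
        return {"ok": False, "status": status,
                "reason": "200 but not a SCIM ListResponse: check the SCIM Base URL"}
    names = [r.get("userName") or r.get("displayName") for r in doc.get("Resources", [])]
    return {"ok": True, "status": status, "total": doc.get("totalResults", 0), "sample": names}


# Constructed reply (not captured from Pulumi) for exercising the checks offline.
FAKE_OK = json.dumps({
    "schemas": [LIST_RESPONSE], "totalResults": 3, "startIndex": 1, "itemsPerPage": 1,
    "Resources": [{"id": "u-1", "userName": "jane.doe@example.com", "active": True}],
}).encode()


def fake_transport(status, body):
    """Build a transport that ignores the request and returns a fixed reply."""
    return lambda url, headers: (status, body)


if __name__ == "__main__":
    token = os.environ.get("SCIM_TOKEN")
    if token:
        results = {res: scim_list(BASE_URL, token, res) for res in ("Users", "Groups")}
        for res, outcome in results.items():
            print(res, outcome)
        sys.exit(0 if all(o["ok"] for o in results.values()) else 1)
    # No token in the environment: show the interpretation on constructed replies.
    print("ok:", scim_list(BASE_URL, "dummy", transport=fake_transport(200, FAKE_OK)))
    print("bad token:", scim_list(BASE_URL, "dummy", transport=fake_transport(401, b"")))
    print("wrong url:", scim_list(BASE_URL, "dummy", transport=fake_transport(200, b"<html>login</html>")))
```

Run it as `SCIM_TOKEN=... python scim_smoke.py` right after saving the OneLogin application; a 401 at this point means the token in the SCIM Bearer Token field does not match the one Pulumi generated, and is far easier to diagnose here than from OneLogin's provisioning error queue.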

Configuring Group Provisioning

Beyond managing users, Pulumi’s SCIM support enables you to manage Pulumi Teams and team membership. To set this up, Pulumi supports using OneLogin’s Role-Group mapping to manage Pulumi teams membership.

Set up OneLogin Application to Manage Groups in Pulumi

Navigate to the SCIM application in OneLogin.

  1. Select the Parameters view for the application and select the Groups parameter.

  2. Check the Include in User Provisioning checkbox.

  3. Select the Rules view for the application.

  4. For each Pulumi Team you want to manage in OneLogin do the following:

    • Select Add Rule
    • Name the rule using the Pulumi Team name you are managing (e.g. AlphaTeam or DevEngineers, etc.)
    • Conditions: leave blank so that the rule applies to all users.
    • Actions: Set Groups … Map from OneLogin … For each role … with value that matches your team name (e.g. AlphaTeam)
    • Save the rule.
  5. Save the Application updates.

Configure Roles in OneLogin to Map to Groups

These next steps create the Roles that are used to map users to Groups in OneLogin and, by extension, Teams in Pulumi.

  1. Navigate to the Users->Roles view in OneLogin.
  2. For each Group rule you created above for the Application, do the following:
    1. Select New Role
    2. Give it a name that matches the Group/Team name you are managing. (e.g. AlphaTeam)
    3. Associate the role with the OneLogin SCIM application you created above.
    4. Select Save

Configure Users with Applicable Roles

These next steps associate users with given roles and, by extension, the Pulumi Team they should be added to.

  1. Navigate to the Users->Users view in OneLogin.
  2. For each user, select the user and then select the Applications view and select the applicable Role(s).
  3. Select Save User.

Removing Users from Group Provisioning

When you are ready to delete or suspend a user, follow these steps so that the user is removed from the applicable Pulumi Team(s) as well as from the Pulumi organization:

  1. In OneLogin navigate to the user being deleted or suspended.
  2. Select the Applications view.
  3. Deselect the Role(s) that represent Pulumi Team(s) for the given user.
  4. Select Save User. This will remove the user from the applicable Pulumi Team(s).
  5. Now you can suspend or delete the user from OneLogin.