Docs Home Pulumi IaC Pulumi ESC Pulumi Insights Pulumi IDP Pulumi Cloud Packages Tutorials
  1. Docs
  2. Pulumi Cloud
  3. Identity & access management
  4. SCIM
  5. OneLogin

SCIM: Configuring OneLogin

    This document outlines the steps required to help you configure automatic provisioning/deprovisioning of your users and groups in Pulumi using SCIM 2.0.

    Please note that some advanced SCIM features aren’t supported yet. For more information, see Known Limitations.

    Prerequisites

    • You must be an admin of your Pulumi organization.
    • (Optional, but highly recommended) You should have more than one admin for your Pulumi organization.

    Configuring the OneLogin Application

    The first step is to create a new OneLogin Application for Pulumi SCIM:

    1. From the OneLogin Administration portal, go to the Applications page and select the Add App button.

    2. Search for SCIM Provisioner with SAML (SCIM v2 Core) and select it.

    3. Enter a Display Name and optionally a logo. See Pulumi Logos.

    4. Select Save.

    Configuration Settings

    Select the Configuration view for the application and enter/confirm the values in the following table.

    The values you need to use are dependent upon your Pulumi organization name. Be sure to replace acmecorp with your actual organization name.

    Configuration SettingsValue
    SAML Audience URLhttps://api.pulumi.com/login/acmecorp/sso/saml/metadata
    SAML Consumer URLhttps://api.pulumi.com/login/acmecorp/sso/saml/acs
    SCIM Base URLhttps://api.pulumi.com/scim/v2/acmecorp
    API ConnectionEnabled

    SSO Settings

    Select the SSO view for the application and confirm/update the values in the following table.

    SSO SettingsValue
    SAML Signature AlgorithmSHA-512

    Provisioning Settings

    Select the Provisioning view for the application and confirm/update the following settings:

    Provisioning SettingsValue
    Enable provisioningbox is checked
    Require admin approval …Create user, Delete user, Update user boxes are all unchecked.
    When users are deleted in OneLogin …Suspend (DO NOT set to Delete)
    When user accounts are suspended in OneLogin …Suspend

    Parameters Settings

    Select the Parameters view for the application and add the fields as per the following table.

    SCIM Provisioning Field NameValue
    firstNameFirst Name
    lastNameLast Name
    emailEmail

    Be sure to check the Include in SAML assertion checkbox for each of the added fields.

    Optionally, you can override the default value for scimusername and use the Macro setting. For example, {firstname}{lastname} as per OneLogin Macros

    Select Save to save the application settings.

    Configuring Communications Between Pulumi and OneLogin

    These next steps configure the Pulumi Cloud with details on your new OneLogin-based application and configure OneLogin to be able to authenticate to the Pulumi Cloud.

    For the first step, you need to obtain the IDP metadata document from OneLogin and then provide it to Pulumi.

    1. Navigate to the OneLogin Application you created above and select the More Actions drop down menu button and select SAML Metadata to download the metadata XML file.
    2. Open the file and copy the entire block of XML text in your clipboard.
    3. Open the Pulumi Cloud and navigate to the organization for which you are enabling SAML/SCIM.
    4. Select the Settings tab, and then select Access Management.
    5. In the Membership Requirements section, select the Change requirements button.
    6. Select SAML SSO and then select Next.
    7. Paste the IDP metadata XML into the bottom card titled SAML SSO Settings
    8. Select Apply changes at the bottom of the card.
    9. Refresh the browser to see that SAML is configured.

    At this point Pulumi is able to accept communications from OneLogin. The next step is to provide OneLogin a token to allow Pulumi to authenticate the communications from OneLogin.

    1. Navigate to the Pulumi Cloud, then Settings, then Access management.
    2. Scroll to the SCIM block at the bottom of the page.
    3. Select Generate new token
    4. Copy the token
    5. Navigate back to the OneLogin Application you created.
    6. Select the Configuration view.
    7. Paste the SCIM token copied from Pulumi above into the SCIM Bearer Token field.
    8. Save the application.

    At this point, SCIM provisioning of users into the Pulumi organization will work as you add the OneLogin Pulumi application created above to your OneLogin users.

    Configuring Group Provisioning

    Beyond managing users, Pulumi’s SCIM support enables you to manage Pulumi Teams and team membership. To set this up, Pulumi supports using OneLogin’s Role-Group mapping to manage Pulumi teams membership.

    Team name character limit: Pulumi team names created via SCIM must not exceed 40 characters. If your OneLogin group name is longer than this limit, you’ll need to rename the group before pushing it to Pulumi. Otherwise, the provisioning will fail.

    Set up OneLogin Application to Manage Groups in Pulumi

    Navigate to the SCIM application in OneLogin.

    1. Select the Parameters view for the application and select the Groups parameter.

    2. Check the Include in User Provisioning checkbox.

    3. Select the Rules view for the application.

    4. For each Pulumi Team you want to manage in OneLogin do the following:

      • Select Add Rule
      • Name the rule using the Pulumi Team name you are managing (e.g. AlphaTeam or DevEngineers, etc.)
      • Conditions: leave blank so that the rule applies to all users.
      • Actions: Set Groups … Map from OneLogin … For each role … with value that matches your team name (e.g. AlphaTeam)
      • Save the rule. Application Rule

    5. Save the Application updates.

    Configure Roles in OneLogin to Map to Groups

    These next steps create the Roles that are used to map users to Groups in OneLogin and, by extension, Teams in Pulumi.

    1. Navigate to the Users->Roles view in OneLogin.
    2. For each Group rule you created above for the Application, do the following:
      1. Select New Role
      2. Give it a name that matches the Group/Team name you are managing. (e.g. AlphaTeam)
      3. Associate the role with the OneLogin SCIM application you created above.
      4. Select Save

    Configure Users with Applicable Roles

    These next steps associate users with given roles and, by extension, the Pulumi Team they should be added to.

    1. Navigate to the Users->Users view in OneLogin.
    2. For each user, select the user and then select the Applications view and select the applicable Role(s).
    3. Select Save User.

    Removing Users from Group Provisioning

    When ready to delete or suspend a user, execute the following steps to ensure the user is removed from the applicable Pulumi Team as well as the Pulumi Organization:

    1. In OneLogin navigate to the user being deleted or suspended.
    2. Select the Applications view.
    3. Deselect the Role(s) that represent Pulumi Team(s) for the given user.
    4. Select Save User. This will remove the user from the applicable Pulumi Team(s).
    5. Now you can suspend or delete the user from OneLogin.