Our SCIM integration with OneLogin allows admins to add and remove users within OneLogin itself, without having to sign in to Genea. With the integration, newly onboarded users also get an email notifying them to download their mobile key to the office.
The SCIM push-based system treats the OneLogin directory as your source of truth. When changes are made in OneLogin, they are immediately pushed to Genea. This means you never have to worry about the Genea employee directory being out of sync with OneLogin.
The following instructions walk through the process of integrating OneLogin with Genea. You will need admin privileges in both OneLogin and Genea to complete this integration.
Step 1: Prepare to enable the Genea + OneLogin provisioning integration.
Create Access Groups - You can grant permissions to specific door groups in Genea based upon your OneLogin organizational roles or any other attributes. Please create the appropriate Access Groups in Genea based upon your specific office needs (this could reflect your OneLogin roles/groups structure). For example, let's say you've created Employees, Contractors, and IT Admin access groups.
If you have multiple office locations enabled with Genea, decide whether you’d like to sync all users to all locations, or to sync specific users per location. This will affect how you set up the integration.
Decide whether you would like to assign mobile keys to all newly onboarded users by default.
Step 2: Enable Genea + OneLogin provisioning integration on Genea.
Log in to the Genea Web application and click on the 'Integrations' tab.
Find the OneLogin integration and click 'Install.'
Once installed, you will be assigned a secured token for your OneLogin provisioning integration. Copy this token; you will paste it into your OneLogin account in the next step.
Step 3: Configure your OneLogin Account.
Log in to your OneLogin account as an admin.
Go to 'Applications' > Search for: 'Genea Access Control'
Click on 'Save.'
Once you’ve installed the Genea Access Control app on OneLogin, go to the 'Configuration' tab under the Genea Access Control application. Paste the Genea-generated token from the above steps into the SCIM Bearer token field. Click on the ‘Enable’ button.
Under the 'Provisioning' tab, enable provisioning for Genea.
Under the 'Parameters' tab, we need to configure all the marked parameters and their mappings as pictured below.
To enable Group provisioning, click on Groups and a pop up appears. Check the box “Include in User Provisioning” and “Save”.
SCIM Username: Change the mapping for SCIM Username to Email, as shown below.
Edit every parameter, including Department, DistinguishedName, MemberOf, Title & Role, in its respective edit wizard and enable 'Include in User Provisioning' for each one.
Save the changes.
Provision Groups from OneLogin to Genea
Users can provision groups from OneLogin to Genea only if the User Group feature is enabled for their portal. To enable User Groups, please reach out to the Genea Support team.
Step 1: Now navigate to the ‘Genea Access Control’ application and select the “Rules” tab on the left. Then, click on “Add Rule”.
Add rule name as "Add Role (e.g., Tokyo_Employee_Access) as User Group in Genea".
From the “Actions” menu, select “Set Groups in Genea Access Control”.
Select Map from OneLogin.
Set For each to Role.
Set With value that matches to the Role name (e.g., Tokyo_Employee_Access).
Save the rule and the app.
Step 2: Assign Genea application to Role
To synchronize users and groups, you must assign them to the Genea application.
From the top menu, select “Users”, then choose “Roles” from the dropdown. Click on “New Role”.
Name the role. This role will be created as a User group in Genea. Select the ‘Genea Access Control’ application and click 'Save’.
Note: If you change the role name in OneLogin, a new user group in Genea will be created based on the rule configured in OneLogin in the Genea Access Control application.
Navigate to the "Users" tab for the 'New York Employees' role. Search for the users you want to assign to this role, then click "Add to Role" and "Save".
From the Genea Access Control application, under the “Users” tab, approve any user provisioning that is pending.
Troubleshooting for OneLogin
I’ve deleted or disabled a group in OneLogin, but it still appears in Genea
OneLogin currently does not support the SCIM DELETE operation for groups, which means that the group continues to exist in Genea. Please contact the Genea support team to delete the user group managed by OneLogin in Genea.
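Because deleted or disabled groups (above) and renamed roles (the note in Step 2) both leave a user group behind in Genea, a periodic reconciliation helps you find groups to hand to Genea support for removal. The following is an added example, not Genea or OneLogin code: it flags OneLogin-managed groups with no matching role and guesses whether each was renamed or deleted by comparing membership. The dict layout, the sample names and emails, and the idea that a leftover group may still list members are assumptions to verify in your own portal.

```python
# Added example. Inputs are constructed; the {name: set(emails)} layout is an
# assumption, not a Genea or OneLogin export format.
ONELOGIN_ROLES = {  # current roles assigned to the Genea Access Control app
    "Tokyo_Employee_Access": {"aiko@example.com", "ken@example.com"},
    "NYC_Employees": {"dana@example.com", "lee@example.com", "sam@example.com"},
}
GENEA_GROUPS = {  # OneLogin-managed user groups as seen in Genea
    "Tokyo_Employee_Access": {"aiko@example.com", "ken@example.com"},
    "NYC_Employees": {"dana@example.com", "lee@example.com", "sam@example.com"},
    "New York Employees": {"dana@example.com", "lee@example.com", "sam@example.com"},
    "Contractors_2023": {"pat@example.com"},
}

def find_orphaned_groups(onelogin_roles, genea_groups, rename_threshold=0.8):
    """Return one finding per Genea group that no OneLogin role backs any more."""
    findings = []
    for group, members in sorted(genea_groups.items()):
        if group in onelogin_roles:
            continue  # still backed by a role of the same name
        # A current role with near-identical membership suggests a rename,
        # which creates a new group and leaves the old one in place.
        best_role, best_score = None, 0.0
        for role, role_members in onelogin_roles.items():
            union = members | role_members
            score = len(members & role_members) / len(union) if union else 0.0
            if score > best_score:
                best_role, best_score = role, score
        renamed = best_score >= rename_threshold
        findings.append({
            "group": group,
            "cause": "renamed" if renamed else "deleted_or_disabled",
            "successor": best_role if renamed else None,
            "members": sorted(members),  # people to review for lingering access
        })
    return findings

if __name__ == "__main__":
    for f in find_orphaned_groups(ONELOGIN_ROLES, GENEA_GROUPS):
        print(f"{f['group']}: {f['cause']}, successor={f['successor']}, "
              f"members still listed={len(f['members'])}")
```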
If you need assistance or have any questions about this integration, please feel free to reach out to us at acsupport@getgenea.com