Our SCIM integration with OneLogin allows admins to add and remove users within OneLogin itself, without having to sign in to Genea. With the integration, newly boarded users also get an email notifying them to download their mobile key to the office.
The SCIM push-based system treats the OneLogin directory as your source of truth. When changes are made in OneLogin, they are immediately pushed to Genea. This means you never have to worry about the Genea employee directory being out of sync with OneLogin.
The following instructions walk through the process of integrating OneLogin with Genea. You will need admin privileges in both OneLogin and Genea to complete this integration.
Step 1 : Prepare to enable the Genea + OneLogin provisioning integration.
- Create Access Groups - You can grant permissions to specific door groups in Genea based upon your OneLogin organizational roles or any other attributes. Please create the appropriate Access Groups in Genea based upon your specific office needs (this could reflect your OneLogin roles/groups structure). For example, let's say you've created Employees, Contractors, and IT Admin access groups.
- If you have multiple office locations enabled with Genea, decide whether you’d like to sync all users to all locations, or to sync specific users per location. This will affect how you set up the integration.
- Decide whether you would like to assign mobile keys to all newly boarded users by default.
Step 2 : Enable Genea + OneLogin provisioning integration on Genea.
- Login to the Genea Web application and click on the 'Integrations' tab.
- Find the OneLogin integration and click 'Install.'
- Once installed you will be assigned a secured token for your OneLogin provisioning integration. Please copy this token as you will need it in the next step when we copy it onto your OneLogin account.
Step 3 : Configure your OneLogin Account.
- Login to your OneLogin account as an admin.
- Go to 'Applications' >
- Apps > Search for: 'Sequr'
- Click on 'Save.'
- Once you’ve installed the Sequr app on OneLogin, go to the 'Configuration' tab under the Sequr application. Paste the Sequr generated token from the above steps in the SCIM Bearer token field. Click on the ‘Enable’ button.
- Under the 'Provisioning' tab, enable provisioning for Sequr.
- Under the 'Parameters' tab, we need to configure all the marked parameters and their mappings as pictured below.
SCIM Username : Change the mapping for SCIM Username to Email, as shown below.
- Edit all parameters to enable 'Include in User Provisioning.' You will ned to enable all parameters, including Department, DistinguishedName, MemberOf, Title & Role, in their respective edit wizards. Enable 'Include in User Provisioning' for all.
- Save the changes.
Step 4 : Configure Rules for Employee Sync
Navigate back to your Genea admin dashboard to configure the provisioning rules. This step is crucial since there must be at least one rule specified for each property in order for a successful synchronization. All of your properties will be listed in the rules section where you can manage rules for each respective properties.
With provisioning rules, you can:
- Map your organizational groups to your Genea Access Groups.
- Decide which role needs to be assigned to each user.
- Decide whether newly on-boarded employees should automatically receive a mobile key.
- Manage access to multiple office locations.
Simple Provisioning Rule:
You can create one default simple rule where every synced employee is granted common door access, as well as added under the regular user role.
For example, you can define a rule where every employee synced from OneLogin is assigned to the 'Employee' access group and added under the 'User' role.
As you can see in the following screenshot, in this case you do not need to add any conditions to the rule for a simple default rule.
Advanced Provisioning Rules
With advanced provisioning, you can get more specific with the rule engine to ensure certain groups of users in your organization are assigned to their proper access group.
As shown below, based upon your 'OneLogin Roles,' you can assign appropriate door access to appropriate users. If you have multiple office locations, you can also choose which specific employees get synced to which specific office locations.
You can drag these rules up or down to set their execution priority. Rules are executed in order based upon their priority. Once one rule is matched and executed, the rest of the rules will be skipped.
You can also add multiple conditions to a single rule as shown below. If you have multiple conditions applied to a single rule, you can select to either 'match all' conditions or 'match any' condition.
- Once you have configured the provisioning rules on Genea side you can start syncing users from OneLogin.
- To sync users to from OneLogin you can either assign the Sequr app directly to users or you can assign roles to users and then define rules to assign the Sequr app to OneLogin roles.
USER UPDATE FLAGS
While setting up your integration, you may choose to enable or disable certain user updates from OneLogin to Genea.
If your integration set-up includes a few basic and/or broad rules, or if you plan on changing user attributes manually within Genea after users have been synced via OneLogin, we recommend disabling the ‘Override Roles on Update’ and ‘Override Access Groups on Update’ update flags. If enabled, these User Update flags may override manual changes made to your users’ roles and/or access groups in Genea.
Delete User If No Rules Match: if changes have been made to a user’s profile within OneLogin that no longer qualify them for any of your integration rules, the user will be deactivated within Genea. IMPORTANT NOTE: This flag will only come into play during directory updates. If you deactivate or suspend a user within your directory, the user will automatically be deactivated within Genea, regardless of whether this User Update flag is enabled or not.
IMPORTANT NOTE: If your integration does not include a specialized rule for provisioning system administrators, we recommend disabling the ‘Override Roles on Update’ flag as system administrator privileges may be revoked for existing administrators during updates. To avoid losing administrative privileges while keeping this flag enabled, we recommend creating a specialized rule within your integration that will provision system administrators. Ensure that this rule is placed first within your rule priority list so that system administrators will be provisioned first, then remaining users will be matched to the following rules accordingly.
- Please ensure to define rules within your Genea admin dashboard in order for provisioning to work. If no rules are defined, then any provisioning request from OneLogin will be dropped.
- When users that have already been provisioned within Genea are updated in OneLogin, the integration will re-evaluate the rules and then apply the necessary updates. If no rules match under this scenario, then the users will be de-activated at that property. For example, you may have rule a that "Any user that belongs to the Employees role within OneLogin will be assigned to Regular Employees access group in Genea." If the user has been created with this rule in Genea, then they are moved from the Employees OneLogin role to a Contractors role for which no rules have been created in Genea, then this user will be deactivated within Genea.
If you need assistance or have any questions about this integration, please feel free to reach out to us at firstname.lastname@example.org