OneLogin user provisioning integration with SCIM

If your organization uses OneLogin to manage your employees’ access to tools and services, you can take advantage of OneLogin’s “Provisioning” feature to automatically grant access to Contentful to your users, and add them to Contentful Teams.

The integration between OneLogin and Contentful that enables this provisioning to occur is built around an industry-standard protocol known as SCIM (System for Cross-domain Identity Management). To learn more about how OneLogin works with SCIM, please see this article.

The remainder of this guide is focused on enabling you to configure both Contentful and OneLogin to get provisioning up and running for your organization.

Features

The following provisioning features are supported by Contentful at present:

  • Push Users. Users in OneLogin that are assigned to the Contentful application in OneLogin are automatically added as members to your organization in Contentful.

  • Provision Users into Teams. Import Teams from Contentful organizations to provision users into Groups.

Presently, Contentful does not support the following OneLogin provisioning features, but may in the future:

  • Update user attributes

  • Deactivate/reactivate users

  • Remove users*

  • Sync password

  • Users import

  • Group push

*Removing users (as opposed to deactivating them) is supported by Contentful, but not by OneLogin.

Requirements

SCIM-based user provisioning is available to Premium/Enterprise customers on High Availability and Scale platform plans.

Configure provisioning

Configure your Provisioning settings for Contentful as follows.

Enable provisioning functionality

In Contentful

  1. If you have not already done so, create a “Service User” account in Contentful to use with OneLogin provisioning. All provisioning permissions for OneLogin will be provided through this account. Contentful recommends that you choose “Owner” as the organization role for this account when you add it to your organization.

  2. Log out of Contentful with your normal user account and log in as the Service User you created in Step 1.

  3. Under Organization settings & subscriptions, click the Access Tools tab and select User provisioning from the drop-down menu.

    NOTE: Here you will find the configuration details you need to take from Contentful and use in OneLogin.

  4. Click Generate personal access token to create an authentication token to be used for the provisioning tool in OneLogin.

  5. A new window will open. Next, give your Personal Access Token a meaningful name and click Generate.

  6. The configuration details required by OneLogin will now be available for copying to OneLogin.

  7. Leave the browser window open, and log in to your OneLogin instance to complete the configuration on the OneLogin side.

User provisioning organization settings

In OneLogin

Log in to your OneLogin admin portal and complete the following steps:

  1. Under the Applications tab, navigate to the Contentful application.

  2. Click on the Configuration tab in the application. Copy and paste the access token from Contentful into the SCIM Bearer Token field in the API Connection section. Copy and paste the SCIM URL from Contentful in the SCIM Base URL field.

  3. Test your connection by clicking Enable. If the status switches to Enabled, the configuration is correct.

  4. Click Save to save your configuration in OneLogin.

  5. Click the Provisioning tab in the application. Under the Workflow section, check the box next to Enable provisioning and click Save.

Provision users

In OneLogin

  1. To create a new user, go to the Users tab and click New User.

  2. Fill in the First name, Last name, Email and Username fields. Text entered into the Email and Username fields should be the same, because they will be used as the SCIM identifier. Click Save User.

  3. To provision the user, go to the Applications tab of the newly created user.

  4. Click the plus-sign and select the Contentful application you created.

  5. Confirm the user data. When satisfied, click Save.

Note: All users will be invited to the Contentful organization with the default role of Member. You can later change these roles and permissions in Contentful.

  6. If you see Provisioned status, the user has been added to your Contentful organization.

Note: If the status is Pending, it means the provision requires administrator approval. If you have the correct privileges you can click on it and approve the provision yourself, which will trigger the provision. Admin approval can be disabled in the Provisioning tab of the application.

  7. You should now be able to assign your OneLogin users to the Contentful application as needed. These users will be automatically invited to your Contentful organization, and will receive an email with an invitation link.
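
The check below is an added example, not part of Contentful's or OneLogin's documentation. It flags user records whose Email and Username differ (step 2 above) and shows the shape of a SCIM create-user request. It assumes the SCIM 2.0 core User schema (RFC 7643) and the standard POST to /Users with a bearer token (RFC 7644); the base URL, token and sample users are constructed placeholders, and the exact attributes OneLogin sends are not stated in this guide.

```python
import json

# Assumption: SCIM 2.0 core User schema URN from RFC 7643.
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


def identifier_mismatches(users):
    """Return the usernames of records whose Email and Username differ."""
    bad = []
    for u in users:
        # Assumption of this example: compare after trimming and lowercasing.
        if u["email"].strip().lower() != u["username"].strip().lower():
            bad.append(u["username"])
    return bad


def scim_user_resource(user):
    """Build a SCIM core User resource; userName carries the identifier."""
    if identifier_mismatches([user]):
        raise ValueError(f"Email and Username differ for {user['username']!r}")
    return {
        "schemas": [USER_SCHEMA],
        "userName": user["username"].strip(),
        "name": {"givenName": user["first"], "familyName": user["last"]},
        "emails": [{"value": user["email"].strip(), "primary": True}],
    }


def create_user_request(base_url, token, user):
    """Describe the create-user call (POST <base>/Users); nothing is sent."""
    return {
        "method": "POST",
        "url": base_url.rstrip("/") + "/Users",
        "headers": {
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/scim+json",
        },
        "body": json.dumps(scim_user_resource(user)),
    }


# Constructed sample records, not real accounts.
SAMPLE_USERS = [
    {"first": "Ada", "last": "Example", "email": "ada@example.com", "username": "ada@example.com"},
    {"first": "Bob", "last": "Example", "email": "bob@example.com", "username": "bexample"},
]

if __name__ == "__main__":
    print("mismatched:", identifier_mismatches(SAMPLE_USERS))
    # Placeholder URL and token; use the values copied from Contentful.
    req = create_user_request("https://scim.example.invalid/base", "<SCIM_BEARER_TOKEN>", SAMPLE_USERS[0])
    print(req["method"], req["url"], req["body"])
```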

Provision users into Contentful teams

You can provision users into already existing Contentful teams through OneLogin.

  1. In OneLogin, go to the Contentful app and click the Provisioning tab. Under the Entitlements section, click Refresh to make sure the Contentful teams are imported.

  2. Next, go to the Parameters tab and click on Groups.

  3. Select and add the Contentful teams you want to provision users into and check the box next to Include in User Provisioning.

  4. Click Save to maintain the new application configuration.

  5. When adding a new user to your Contentful organization, you can select which team you’d like to add them to in the Groups section.

Note: You can manage team roles and permissions in Contentful.

Troubleshooting

If you have questions or difficulties with your Contentful/OneLogin SCIM integration, please contact Contentful support via support@contentful.com.