If your organization uses OneLogin to manage your employees’ access to tools and services, you can take advantage of OneLogin’s “Provisioning” feature to automatically grant access to Contentful to your users, and add them to Contentful Teams.
The integration between OneLogin and Contentful that enables this provisioning to occur is built around an industry-standard protocol known as SCIM (System for Cross-domain Identity Management). To learn more about how OneLogin works with SCIM, please see this article.
The remainder of this guide is focused on enabling you to configure both Contentful and OneLogin to get provisioning up and running for your organization.
The following provisioning features are supported by Contentful at present:
Push Users. Users in OneLogin that are assigned to the Contentful application in OneLogin are automatically added as members to your organization in Contentful.
Provision Users into Teams. Import Teams from Contentful organizations to provision users into Groups
Presently, Contentful does not support the following OneLogin provisioning features, but may in the future:
Update user attributes
*Removing users (as opposed to deactivating them) is supported by Contentful, but not by OneLogin.
SCIM-based user provisioning is available to Enterprise customers on High Availability and Scale platform plans.
Configure your Provisioning settings for Contentful as follows.
If you have not already done so, create a “Service User” account in Contentful to use with OneLogin provisioning. All provisioning permissions for OneLogin will be provided through this account. Contentful recommends that you choose “Owner” as the organization role for this account when you add it to your organization.
Log out of Contentful with your normal user account and log in as the Service User you created in Step 1.
Under Organization settings, click the Access Tools tab and select User provisioning from the drop-down menu:
Here you will find the configuration details you need to take from Contentful and use in OneLogin.
Click Generate personal access token to create an authentication token to be used for the provisioning tool in OneLogin:
2. A new window will open. Next, give your Personal Access Token a meaningful name and click Generate:
3. The configuration details required by OneLogin will now be available for copying to OneLogin:
4. Leave the browser window open, and log in to your OneLogin instance to complete the configuration on the OneLogin side.
Log in to your OneLogin admin portal and complete the following steps:
Under the Applications tab, navigate to the Contentful application.
Click on the Configuration tab in the application. Copy and paste the access token from Contentful into the SCIM Bearer Token field in the API Connection section. Copy and paste the SCIM URL from Contentful in the SCIM Base URL field.
3. Test your connection by clicking Enable. If the status switches to Enabled, the configuration is correct.
4. Click Save to save your configuration in OneLogin.
5. Click the Provisioning tab in the application. Under the Workflow section, check the box next to Enable provisioning and click Save.
To create a new user, go to the Users tab and click New User.
Fill in the First name, Last name, Email and Username fields. Text entered into the Email and Username fields should be the same, because they will be used as the SCIM identifier. Click Save User.
To provision the user, go to the Applications tab of the newly created user.
4. Click the plus-sign and select the Contentful application you created.
5. Confirm the user data. When satisfied, click Save.
Note: All users will be invited to the Contentful organization with the default role of Member. You can later change these roles and permissions in Contentful.
6. If you see Provisioned status, the user has been added to your Contentful organization.
Note: If the status is Pending, it means the provision requires administrator approval. If you have the correct privileges you can click on it and approve the provision yourself, which will trigger the provision. Admin approval can be disabled in the Provisioning tab of the application.
7. You should now be able to assign your OneLogin users to the Contentful application as needed. These users will be automatically invited to your Contentful organization, and will receive an email with an invitation link.
You can provision users into already existing Contentful teams through OneLogin.
In OneLogin, go to the Contentful app and click the Provisioning tab. Under the Entitlements section, click Refresh to make sure the Contentful teams are imported.
2. Next, go to the Parameters tab and click on Groups.
3. Select and add the Contentful teams you want to provision users in and check the box next to Include in User Provisioning.
4. Click Save to maintain the new application configuration.
5. When adding a new user to your Contentful organization, you can select which team you’d like to add them to in the Groups section.
Note: You can manage team roles and permissions in Contentful.
If you have questions or difficulties with your Contentful/OneLogin SCIM integration, please contact Contentful support via firstname.lastname@example.org.