Provision Users with OneLogin (SCIM)

Updated 1 month ago by Michael Cretzman

You can use OneLogin to provision your organization's users in Harness.

Harness' SCIM integration enables OneLogin to serve as a single identity manager for adding and removing users. This is especially efficient for managing large numbers of users.

This topic describes how to set up OneLogin provisioning for Harness.

Before You Begin

Review: Harness and OneLogin Requirements

To provision Harness users via OneLogin, you must be an Administrator in your OneLogin account, and must have the Account Administrator role in Harness.

Step 1: Add Harness App to OneLogin

The first step is adding the Harness app to your OneLogin Applications.

To add the app, you must be in OneLogin Administration:

To add the Harness app, follow the steps for adding custom apps in OneLogin's documentation: Introduction to App Management.

When you are done, the Harness OneLogin app appears:

Step 2: SCIM Base URL

Next, add a special Harness account URL to the OneLogin app's SCIM Base URL.

  1. Log into your Harness account.
  2. In Harness Manager's address bar, copy the Harness account ID from your Harness URL.
    The Harness account ID comes after "account" in the URL. For example, in the following URL, the account ID is PVyBOd5NseCZSn9pe6xn87: https://app.harness.io/#/account/PVyBOd5NseCZSn9pe6xn87.
  3. Add your account ID to the end of the following URL: https://app.harness.io/gateway/api/scim/account/<account_ID>
  4. Copy the full URL.
  5. In OneLogin, open the Harness OneLogin app.
  6. Click Configuration.
  7. In SCIM Base URL, paste the Harness URL you copied.
    You can ignore the SCIM JSON Template and Custom Headers settings.

Next we will use a Harness API access key for the SCIM Bearer Token setting in your Harness OneLogin app.

Step 3: SCIM Bearer Token

The SCIM Bearer Token value is used to authenticate requests and responses sent between the OneLogin SCIM provisioning service and Harness.

  1. In Harness Manager, create an API key by following the instructions in API Keys.

    Make sure this key's permissions are inherited from the Account Administrator User Group, as shown here:
  2. Copy the new API key.
  3. In OneLogin, paste the API key in the SCIM Bearer Token setting in your Harness OneLogin app.

Step 4: Enable API Connection

In the Harness OneLogin app, ensure that the API Status is enabled:

Click Save to save the app's configuration.

Step 5: Set Up Harness OneLogin App Provisioning

Next, you will set the required provisioning settings for the Harness OneLogin app.

Ensure these settings are set up exactly as shown below.

  1. In the Harness OneLogin app, click Provisioning.
  2. In Workflow, ensure the following are selected:
     • Enable provisioning
     • Create user
     • Delete user
     • Update user
     • When users are deleted in OneLogin, or the user's app access is removed, perform the below action: Delete.
     • When user accounts are suspended in OneLogin, perform the following action: Suspend.

    When you are done, it will look like this:

  3. Click Save.

Step 6: Add OneLogin Users to Harness OneLogin App

Next, we will add users to the Harness OneLogin app. Once OneLogin SSO is enabled in Harness, these users will be provisioned in Harness automatically.

  1. In OneLogin, click Users.
  2. Click a user.
  3. In User Info, ensure that the user has First name, Last name, and Email completed.
    Only First name, Last name, and Email are permitted for Harness OneLogin SCIM provisioning. Do not use any additional User Info settings.
  4. Click Applications.
  5. In the Applications table, click the add button (+).
  6. In the Assign new login settings, select the Harness OneLogin App, and click Continue.
  7. In SCIM Username, enter the email address for the user. This is the same email address in the NameID setting.
    When you are done, the settings will look something like this:
  8. Click Save. The status in the Applications table is now Pending.
  9. Click Pending. The Create User in Application settings appear:
  10. Click Approve. The Provisioning status will turn to Provisioned.

If provisioning fails, you might see something like the following error:

The most common reason is incorrect SCIM Base URL or SCIM Bearer Token settings in the OneLogin app.
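Because a wrong SCIM Base URL or SCIM Bearer Token is the usual cause, the following added example (not Harness or OneLogin code) derives the Step 2 URL from the Harness Manager URL and checks both values for common paste mistakes before they go into OneLogin. The function names, the `/Users?count=1` probe path (taken from the SCIM 2.0 standard, not from this page), and the token value are assumptions.

```python
import re
import urllib.request
from urllib.parse import urlsplit

# Prefix from Step 2; assumes the account lives on app.harness.io as on this page.
SCIM_PREFIX = "https://app.harness.io/gateway/api/scim/account/"

def account_id_from_manager_url(manager_url):
    """Return the ID that follows 'account' in the Harness Manager URL."""
    parts = urlsplit(manager_url.strip())
    # Harness Manager puts the account in the URL fragment: #/account/<id>/...
    match = re.match(r"/account/([^/?#\s]+)", parts.fragment)
    if parts.scheme != "https" or parts.hostname != "app.harness.io" or not match:
        raise ValueError("expected https://app.harness.io/#/account/<id>")
    return match.group(1)

def scim_base_url(manager_url):
    return SCIM_PREFIX + account_id_from_manager_url(manager_url)

def check_scim_settings(base_url, token):
    """List problems with the two values before they are pasted into OneLogin."""
    problems = []
    if base_url != base_url.strip() or token != token.strip():
        problems.append("leading or trailing whitespace")
    url, token = base_url.strip(), token.strip()
    if "<" in url or ">" in url:
        problems.append("placeholder <account_ID> was not replaced")
    elif not url.startswith(SCIM_PREFIX):
        problems.append("URL does not start with the Harness SCIM prefix")
    elif not re.fullmatch(r"[^/?#\s]+", url[len(SCIM_PREFIX):]):
        problems.append("account ID is empty or followed by extra characters")
    if not token:
        problems.append("bearer token is empty")
    elif re.search(r"\s", token):
        problems.append("bearer token contains whitespace")
    return problems

def build_probe(base_url, token):
    """Build, without sending, a one-result SCIM list request for a manual check."""
    # Assumption: the standard SCIM 2.0 /Users resource path and count parameter.
    return urllib.request.Request(
        base_url + "/Users?count=1",
        headers={"Authorization": "Bearer " + token},
    )

if __name__ == "__main__":
    url = scim_base_url("https://app.harness.io/#/account/PVyBOd5NseCZSn9pe6xn87")
    print(url, check_scim_settings(url, "EXAMPLE-API-KEY"))  # constructed token
```

Passing the request from `build_probe` to `urllib.request.urlopen` from an administrator workstation shows whether Harness accepts the pair; keep the API key out of shell history and logs when doing so.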

Step 7: Verify Provisioning in Harness

Now that you have provisioning confirmation from OneLogin, let's verify that the provisioned user is in Harness.

  1. In Harness, click Continuous Security, and then select Access Management.
  2. Click Users.
  3. Locate the provisioned user.

The provisioned user is not registered automatically. The user needs to register via the email invite sent by Harness.

Step 8: User Registers and Logs into Harness

Provisioned users will receive an email invite from Harness.

When users click SIGN UP they are sent to Harness where they can create a password and log in.

Limitations

This integration does not support updating a provisioned user's Email in OneLogin. Once the user is provisioned in Harness, the user's email address must remain the same. If you change the email address in OneLogin and then try to remove the user from Harness, the removal will fail.

Once a user is provisioned in Harness, you cannot delete the user in the Harness Manager. You must delete the user in OneLogin.

The provisioned user cannot use the Harness OneLogin app to log into Harness unless OneLogin is also set up for OneLogin SAML authentication in Harness. Otherwise, they must use their email address and password.
