OneLogin: Configure and manage SCIM group syncing
Platform Notice: Cloud - This article applies to Atlassian products on the cloud platform.
Introduction
Atlassian Guard allows customers to configure user and group provisioning using SCIM. This knowledge base (KB) article explains how group (role) syncing works in OneLogin and provides steps to configure group syncing with OneLogin as the identity provider (IdP). This KB assumes that you are already familiar with Atlassian Guard features, know how to configure SAML or SCIM with Guard, and understand how Guard billing works.
Prerequisites
- An active Atlassian Guard subscription - Atlassian Guard
- Org admin access to the Atlassian organization where Guard is subscribed
- At least one claimed domain on the Atlassian organization - Verify a domain to manage accounts
- An active OneLogin tenant with admin access
- The OneLogin tenant already has an instance of the "Atlassian Cloud" app added. If not, please see: OneLogin: Configuring SAML for Atlassian Cloud apps (steps 1, 2 and 3). From that document:
  - Log into OneLogin as an admin.
  - Go to Apps > Add Apps, search for Atlassian Cloud, and select it.
  - On the initial Configuration tab, click Save to add the app to your Company Apps and display additional configuration tabs.
How group syncing in OneLogin works
In OneLogin, there is the concept of "roles", and end users are mapped (assigned) to those roles. The roles are then synced via SCIM provisioning and appear as "groups" in the Atlassian organization UI (admin hub). It is important to know that OneLogin has no concept of "groups" in the usual sense: in OneLogin, users are grouped or organized into "roles".
Example (screenshots): on the left, a list of role names in OneLogin; on the right, those roles synced to the Atlassian provisioning directory, shown as the corresponding group names in the Atlassian organization UI.
Role assignment in OneLogin uses "mapping rules". In this example, there is a mapping rule called SyncGroup2_mapping. The mapping logic states that if an end user's Department user attribute = Finance, then that user is made a member of the role called SyncGroup2, which in turn is synced via SCIM provisioning to the Atlassian provisioning directory as a group called SyncGroup2.
Fig. 1: Role mapping example - the role name in OneLogin is "SyncGroup2":
It is also possible to assign (add) users directly to a role instead of using an attribute- or event-based mapping. In this example (Fig. 1), there is a single user added directly to the role SyncGroup2, and there are no users in the OneLogin tenant who have Department = Finance, as shown in Fig. 2.
Fig. 2: OneLogin user report searching for users where the Department user attribute = Finance. The report returned zero results, i.e. there are no users in this OneLogin tenant where Department = Finance:
Fig. 3: Corresponding synced group ("SyncGroup2") in the Atlassian organization UI. Due to the manual assignment of the role in OneLogin shown in Fig. 1, there is one group member synced:
Syncing groups (roles) without any members
Since role sync is driven by user sync events, it is not possible to sync a role that has no users mapped to it. In other words, a role with no assigned users cannot be synced so that an empty group gets created in the Atlassian organization. One way around this is to sync a test/temporary user to trigger a sync of the role to the Atlassian provisioning directory, and then change the mapping in OneLogin to a value no user matches, such as Department = "invalid". The subsequent sync operation removes the temporary/test user from the group in the Atlassian organization, leaving a synced group with zero members in the Atlassian organization UI.
Configure group provisioning sync via SCIM in OneLogin (high level steps)
For detailed instructions on how to configure SCIM sync with OneLogin, please see: OneLogin: Provision users to Atlassian Cloud, but skip step 8 in that document and continue on to the How to sync groups (roles) in OneLogin section of this KB.
Skip to step 8 in the list below if you have already configured SCIM provisioning user syncing with OneLogin.
1. In the Atlassian organization, select the identity provider (IdP) - Security > Identity providers. If one isn't already configured for enforced SSO (SAML), please see: Choose your identity provider
2. Click Set up provisioning
3. Copy the SCIM base URL and API key
4. Open the "Atlassian Cloud" app in OneLogin - Applications > Applications. Select the "Atlassian Cloud" app
5. Click the Configuration tab
6. Click Enable, then enter the API GUID extracted from the copied SCIM base URL and the SCIM Bearer Token (the API key). Click Save to confirm the changes
7. Click Provisioning and configure these settings as per your team's requirements or preferences. The screenshot shows the configuration used for the purposes of this demonstration/KB. Click Save to confirm any changes
8. Click Parameters. Locate the Groups parameter for provisioning sync, select Groups and click Include in User Provisioning. Click Save to confirm the changes on the modal, and then click Save on the Parameters page to confirm the changes
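Step 6 asks for the "API GUID" taken from the SCIM base URL copied in step 3. The following Python helper, added here as an example and not part of Atlassian's or OneLogin's own tooling, splits a pasted SCIM base URL into the directory GUID and builds the Groups endpoint and bearer header from it. It assumes the base URL has the form `https://api.atlassian.com/scim/directory/<directory-id>` (the directory id being the GUID); the sample URL and key are constructed values.

```python
"""Split the SCIM base URL copied from the Atlassian admin hub (step 3) into the
values OneLogin asks for in step 6. Added example, not Atlassian or OneLogin code.
Assumption: the base URL has the form https://api.atlassian.com/scim/directory/<directory-id>,
where <directory-id> is the "API GUID"; the sample URL and key below are constructed."""
import re
import uuid
from urllib.parse import urlsplit

SCIM_HOST = "api.atlassian.com"          # assumed host of the Atlassian SCIM endpoint
PATH_RE = re.compile(r"^/scim/directory/([0-9a-fA-F-]{36})/?$")


def extract_directory_guid(scim_base_url: str) -> str:
    """Return the directory GUID (the 'API GUID' OneLogin wants), or raise ValueError."""
    url = scim_base_url.strip()            # stray whitespace is a common copy/paste defect
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("SCIM base URL must use https")
    if parts.netloc.lower() != SCIM_HOST:
        raise ValueError(f"unexpected host {parts.netloc!r}; expected {SCIM_HOST}")
    match = PATH_RE.match(parts.path)
    if not match:
        raise ValueError("path is not /scim/directory/<guid>")
    guid = match.group(1)
    uuid.UUID(guid)                        # rejects strings that merely look GUID-shaped
    return guid.lower()


def is_valid_scim_base_url(scim_base_url: str) -> bool:
    """Boolean wrapper for pre-flight checks before pasting values into OneLogin."""
    try:
        extract_directory_guid(scim_base_url)
        return True
    except ValueError:
        return False


def groups_endpoint(scim_base_url: str) -> str:
    """Full /Groups URL for the directory, useful when verifying sync results later."""
    return f"https://{SCIM_HOST}/scim/directory/{extract_directory_guid(scim_base_url)}/Groups"


def auth_header(api_key: str) -> dict:
    """Authorization header for the SCIM bearer token (the API key from step 3).
    The key is a bearer credential: build the header from it, never log it."""
    if not api_key or api_key != api_key.strip():
        raise ValueError("API key is empty or has surrounding whitespace")
    return {"Authorization": f"Bearer {api_key}", "Accept": "application/scim+json"}


if __name__ == "__main__":
    # Constructed sample; a real base URL comes from Security > Identity providers.
    sample_url = " https://api.atlassian.com/scim/directory/8d1e3a4b-1111-4c2d-9e8f-0123456789ab/ "
    print("API GUID:", extract_directory_guid(sample_url))
    print("Groups endpoint:", groups_endpoint(sample_url))
```

The host and scheme checks catch a URL pasted from the wrong place (for example a tenant URL instead of the SCIM base URL), and the whitespace handling covers the trailing space that browser copy often adds, which OneLogin would otherwise store as part of the GUID or token.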
How to sync groups (roles) in OneLogin
Demo video (no audio)
Video timestamps
- Create a role (0m 0s)
- Configure a mapping rule for a specific role (0m 30s)
- Sync mapping changes to the Atlassian provisioning directory and verify successful group sync in the organization UI (1m 34s)
Create a role
- In OneLogin, click Users > Roles
- Click New Role
- (Optional) Select the app the role is going to be assigned to. Adding the role to an app allows the assigned role members to have access to that particular app - which is out of scope for this KB
- Give the role a name
- Click Save to confirm the changes
Configure a mapping rule for a specific role
- In OneLogin, click Users > Roles
- Search for the role, e.g. "SyncGroup5"
- Select the role you'd like to map users to and click Users
- Click New Mapping
- Under Conditions, select the appropriate condition for your requirement. In this example, we are using the First Name user attribute = "first". All users in the OneLogin tenant whose First Name value equals "first" will be mapped to this role. This demo OneLogin tenant has two users matching this criterion, so the synced group will have two members.
- Give the mapping a name
- Under Actions select Set Role and set the value to be the role name. In this example, the role name is "SyncGroup5"
- Click Save to confirm the changes
Sync mapping changes to the Atlassian provisioning directory
- In OneLogin, click Users > Mappings
- Click Reapply All Mappings
Verify the group has synced with the correct members
- In the Atlassian organization, go to Directory > Groups
- Search for the synced role(group) - e.g. "SyncGroup5"
- Select the group to verify group members
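The verification step above is a manual check in the admin UI. The Python script below, added as an example and not OneLogin's or Atlassian's own code, does the same reconciliation programmatically: it computes which users OneLogin should hold in a role from the mapping rules and direct assignments described in the "How group syncing in OneLogin works" section, reads the group membership SCIM has written to the Atlassian directory, and reports any drift. It also treats a role with no members that has no group as consistent, matching the behaviour described under "Syncing groups (roles) without any members". The OneLogin user records, mapping rules and SCIM responses are constructed samples; the SCIM payloads follow the RFC 7643 shape (a ListResponse with `Resources`, and Group `members` entries whose `value` is the user's SCIM id), and the OneLogin attribute names are assumed.

```python
"""Reconcile OneLogin role membership (from mapping rules and direct assignments, as
described in this KB) with the group members SCIM has written to the Atlassian
directory. Added example, not OneLogin or Atlassian code. All data below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class MappingRule:
    """One OneLogin mapping: Condition '<attribute> = <equals>', Action 'Set Role <set_role>'."""
    name: str
    attribute: str
    equals: str
    set_role: str


# Constructed OneLogin user export (attribute keys are assumed to mirror the UI labels).
ONELOGIN_USERS = [
    {"email": "first.one@example.com", "firstname": "first", "department": "Engineering"},
    {"email": "first.two@example.com", "firstname": "first", "department": "Sales"},
    {"email": "jane.doe@example.com", "firstname": "Jane", "department": "Legal"},
    {"email": "manual.member@example.com", "firstname": "Manu", "department": "Sales"},
    {"email": "temp.user@example.com", "firstname": "Temp", "department": "invalid"},
]
RULES = [
    MappingRule("SyncGroup5_mapping", "firstname", "first", "SyncGroup5"),
    MappingRule("SyncGroup2_mapping", "department", "Finance", "SyncGroup2"),
]
DIRECT_ASSIGNMENTS = {"SyncGroup2": ["manual.member@example.com"]}  # manual add, as in Fig. 1

# Constructed SCIM responses, shaped like GET /Users and GET /Groups on the directory.
SCIM_USERS = {"Resources": [
    {"id": "u-1", "userName": "first.one@example.com"},
    {"id": "u-2", "userName": "first.two@example.com"},
    {"id": "u-3", "userName": "jane.doe@example.com"},
    {"id": "u-4", "userName": "manual.member@example.com"},
    {"id": "u-5", "userName": "temp.user@example.com"},
]}
SCIM_GROUPS = {"Resources": [
    {"displayName": "SyncGroup5", "members": [{"value": "u-1"}, {"value": "u-2"}]},
    # temp.user was mapped to SyncGroup2 to make the group appear; the mapping has since been
    # changed to department = "invalid" but Reapply All Mappings has not run yet.
    {"displayName": "SyncGroup2", "members": [{"value": "u-4"}, {"value": "u-5"}]},
]}


def expected_role_members(users, rules, direct, role):
    """Emails OneLogin should hold in `role`: mapping-rule matches plus direct assignments."""
    by_rule = {u["email"] for u in users
               if any(r.set_role == role and u.get(r.attribute) == r.equals for r in rules)}
    return by_rule | set(direct.get(role, ()))


def synced_group_members(users_resp, groups_resp, display_name):
    """userNames in the synced group, or None when no group of that name exists."""
    id_to_name = {u["id"]: u["userName"] for u in users_resp["Resources"]}
    for group in groups_resp["Resources"]:
        if group.get("displayName") == display_name:
            return {id_to_name.get(m["value"], "<unknown:" + m["value"] + ">")
                    for m in group.get("members", [])}
    return None


def reconcile(expected, synced):
    """Return (status, missing, unexpected) for one role/group pair."""
    if synced is None:
        # Roles with no members are never synced (see the KB), so an empty expectation
        # with no group is consistent rather than an error.
        return ("consistent", set(), set()) if not expected else ("group-missing", set(expected), set())
    missing, unexpected = expected - synced, synced - expected
    status = "consistent" if not (missing or unexpected) else "drift"
    return (status, missing, unexpected)


def run_checks(roles=("SyncGroup5", "SyncGroup2", "SyncGroup3")):
    """Reconcile every role of interest; returns {role: (status, missing, unexpected)}."""
    return {role: reconcile(expected_role_members(ONELOGIN_USERS, RULES, DIRECT_ASSIGNMENTS, role),
                            synced_group_members(SCIM_USERS, SCIM_GROUPS, role))
            for role in roles}


if __name__ == "__main__":
    for role, (status, missing, unexpected) in run_checks().items():
        print(f"{role}: {status} missing={sorted(missing)} unexpected={sorted(unexpected)}")
```

With the sample data, SyncGroup5 reconciles cleanly with its two rule-matched members, SyncGroup2 shows the temporary user as an unexpected member until Reapply All Mappings runs, and SyncGroup3 (no members, no group) is reported as consistent. Running this after every Reapply All Mappings, with the SCIM responses fetched from the directory instead of the inline samples, gives a repeatable check that group membership in Atlassian matches what the IdP intends.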