PrivaceraCloud Documentation

Preview: OneLogin UserSync


Currently a Preview feature: OneLogin can be configured to sync identities with Privacera UserSync over SCIM.

Prerequisites

  • OneLogin Administrator account access with user provisioning enabled.

Privacera UserSync Configuration

Privacera Cloud
  • In PrivaceraCloud add the following property under Configure Connector -> Advanced tab -> Custom Properties:

    usersync.connector.bearer.token={BEARER_TOKEN_VALUE}

    Where {BEARER_TOKEN_VALUE} can be any value.

    Note

    The PrivaceraCloud UI for configuring/generating the bearer token will be available in an upcoming update.

Privacera Platform
  • The Privacera Manager variable SCIM_SERVER_BEARER_TOKEN: “{BEARER_TOKEN_VALUE}” needs to be added to the vars.privacera-usersync.scimserver.yml file in config/custom_vars.

OneLogin Configuration

SCIM Test App Configuration
  1. Publishing of a Privacera-branded OneLogin app is in progress; for now, create a SCIM Test App (see the OneLogin documentation for the detailed steps).

    Configuration values
    • SCIM BASE URL: Provide the Privacera Usersync SCIM Server URL.

      https://{HOST}/api/pus/public/scim/v2/{CONNECTOR_NAME}
    • SCIM Bearer Token: Provide the configured bearer token for SCIM Server connector.

    • SCIM JSON Template: Modify the JSON Template for any custom attribute mappings required (no changes are required for the default mapping). Note that the user field mapped to userName must have a value for the integration to work.

  2. In the SCIM Test App, select the Parameters tab, then Groups. Scroll down and select the Include in User Provisioning option.

  3. Select the Rules tab-> New Rule.

    Note

    Since Roles are created as part of a rule, some features do not perform as expected:

    • Role delete: If a role is deleted, users in Privacera will not be removed from the group and the group will not be made inactive. To account for this, remove all users from the Role prior to deleting the Role in OneLogin, then delete the matching group in Privacera.

    • Role rename: Renaming a Role in OneLogin will create a new group in Privacera. Users will be removed from the group having the previous name and correctly associated with the new group. The group with the old Role name can be manually deleted from the Privacera Portal.

    Rule Mapping
    • Name: Provide the desired name of the rule (Role to Group mapping).

    • Conditions: No changes.

    • Actions:

      1. Select Set Groups in {APP_NAME}.

      2. Select Map from OneLogin.

      3. For each “role” with value that matches “.*” set {APP_NAME} Groups name after roles.

  4. Under the Access tab, select any Roles containing users you require to be provisioned.

  5. Under the Provisioning tab:

    1. Check Enable Provisioning.

    2. Select the actions that require approval before being provisioned (for automatic provisioning, unselect all actions):

      • Create user

      • Delete user

      • Update user

    3. In the "When users are deleted in OneLogin…" dropdown, select Delete.

    4. In the "When user accounts are suspended in OneLogin..." dropdown, select Suspend.

  6. Click the Users tab to view a list of “assigned” users and current provisioning state.

  7. No changes are required in the Privileges tab.
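As an added example (not part of the Privacera documentation or product code), the following Python helper covers three points from the configuration above: it generates a high-entropy value for usersync.connector.bearer.token, builds the SCIM BASE URL from the template in the SCIM Test App step, and checks a constructed SCIM user payload for the userName requirement noted under the JSON Template. The host and connector name are placeholders.

```python
import re
import secrets
from typing import List
from urllib.parse import quote

SCIM_PATH = "/api/pus/public/scim/v2/"   # path from the SCIM BASE URL template
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"


def generate_bearer_token(nbytes: int = 32) -> str:
    """{BEARER_TOKEN_VALUE} 'can be any value'; pick a random one so it cannot be guessed."""
    return secrets.token_urlsafe(nbytes)


def scim_base_url(host: str, connector_name: str) -> str:
    """Build the SCIM BASE URL to paste into the OneLogin SCIM Test App."""
    if not re.fullmatch(r"[A-Za-z0-9.-]+(:\d+)?", host):
        raise ValueError(f"unexpected host value: {host!r}")
    return f"https://{host}{SCIM_PATH}{quote(connector_name, safe='')}"


def authorization_header(token: str) -> dict:
    """Header OneLogin sends on each SCIM request; the connector must be given this exact token."""
    return {"Authorization": f"Bearer {token}"}


def check_scim_user(user: dict) -> List[str]:
    """Return the problems that would stop this SCIM user from syncing into Privacera."""
    problems = []
    if CORE_USER not in user.get("schemas", []):
        problems.append("missing core User schema")
    if not str(user.get("userName") or "").strip():
        problems.append("userName is empty: the OneLogin field mapped to userName has no value")
    return problems


# Constructed sample of what the SCIM JSON Template produces for one user (not a real capture).
SAMPLE_USER = {
    "schemas": [CORE_USER],
    "userName": "jdoe@example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "active": True,
}

if __name__ == "__main__":
    print(scim_base_url("privacera.example.com", "onelogin-usersync"))
    print(check_scim_user(SAMPLE_USER))
```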