Skip to main content

OneLogin SCIM provisioning


This is a Kisi-built integration, maintained and supported by Kisi.

Before you start, make sure you have SSO set up for your organization. Then just follow the next steps to generate a SCIM token and enable SCIM for your organization.

Generate your SCIM token in Kisi

  1. Sign in to Kisi as the organization owner
  2. Under Settings click on SSO & SCIM
  3. Enable SCIM and click on Generate Token
  4. Copy the token (shown once)

Set up SCIM with OneLogin

  1. Sign in to OneLogin
  2. Select Applications in the main navigation, and click Add App
  3. Search for SCIM and click on SCIM Provisioner with SAML (SCIM v2 Core)
  4. Change the Display Name (optional), and click Save
  5. Once saved, the page will reload and you should see additional sections in the left-hand side menu. Click on Configuration
  6. Under API Connection, fill out the following:
    • SCIM Base URL:
    • Custom Headers: add Accept: application/json and Content-Type: application/json
    • SCIM Bearer Token: paste the SCIM Token that you generated in Kisi
  7. Click Enable to enable the API Status
  8. Click Save
  9. From the side menu, open Parameters
  10. Ensure that SCIM Username maps to Email (you can edit these values by clicking on the row with the SCIM Username). A pop-up window will appear, under Value select Email. Click Save.
  11. Next, click on the blue add (+) sign to add a custom field
  12. In the new pop-up, enter name : givenName in the field name and tick Include in User Provisioning. Click Save.
  13. Select First Name as the value from the dropdown menu. Click Save.
  14. Create another custom field and enter name : familyName in the field name and tick Include in User Provisioning. Click Save.
  15. Select Last Name as the value from the dropdown menu. Click Save.
  16. Once done, you will be back on the Parameters page. Click Save at the top right-hand corner.
  17. Navigate to Provisioning
  18. Under Workflow, check Enable provisioning

Note: By default, OneLogin will create provisioning tasks that will require admin approval whenever you create, delete or update a user (available at Activity > Events). If you’d rather approve all tasks automatically, you can check off those options under Require admin approval before this action is performed.

  1. There are two more options here:
    • When users are deleted in OneLogin, or the user’s app access is removed, perform the below action, and
    • When user accounts are suspended in OneLogin, perform the following action.

Here, you have the following options:

  • Delete: this will remove the user from the Kisi system
  • Suspend: this will deactivate user - they’ll still be able to login in and see places, groups and other resources they had access to before, but they won’t be able to open any of the locks.
  1. Navigate to Access > Roles and choose a role. All users with that role will be provisioned. You can select multiple roles. With no role selected, none of the users will be provisioned.
  2. Click Save when complete