Skip to main content


As a Kisi organization owner you can set up OneLogin single sign-on (SSO) for your Kisi users. To further control your SSO integration, you can sync it with your OneLogin directory members and groups with SCIM.

Enable SSO on OneLogin

Set up the integration in OneLogin

  1. Sign in to OneLogin
  2. At the top, select Applications and click on Add App
  3. Search for Kisi and click on the app
  4. Click Save to create the application
  5. Navigate to Configuration and enter your Kisi Domain. (You can find your Kisi organization domain in Kisi, under Organization Setup > Settings)
  6. Navigate to SSO and copy the Issuer URL
  7. Click Save

Set up the integration in Kisi

  1. Sign in to Kisi
  2. Under Organization Setup, click on SSO & SCIM
  3. Under Metadata URL, paste the Issuer URL you have previously copied in OneLogin
  4. Click Save
  5. Click on Generate Certificate

Now that you have generated the encryption certificate, go back to OneLogin and follow the steps below to complete the configuration.

  1. Under Configurations > SAML Encryption, in the Public key section, paste the contents of the encryption certificate you downloaded from Kisi
  2. Click Save
  3. Assign users to the created Kisi application

Enable SCIM on OneLogin

Before you start, make sure you have SSO set up for your organization. Then just follow the next steps to generate a SCIM token and enable SCIM for your organization.

Generate your SCIM Token in Kisi

  1. Sign in to Kisi
  2. Under Organization setup, click on SSO & SCIM
  3. Enable SCIM and click on Generate Token
  4. Copy the token (shown once)

Set up SCIM with OneLogin

  1. Sign in to OneLogin
  2. Select Applications in the main navigation, and click Add App
  3. Search for SCIM and click on SCIM Provisioner with SAML (SCIM v2 Core)
  4. Change the Display Name (optional), and click Save
  5. Once saved, the page will reload and you should see additional sections in the left-hand side menu. Click on Configuration
  6. Under API Connection, fill out the following:
  • SCIM Base URL:
  • Custom Headers: add Accept: application/json and Content-Type: application/json
  • SCIM Bearer Token: paste the SCIM Token that you generated in Kisi
  1. Click Enable to enable the API Status
  2. Click Save
  3. From the side menu, open Parameters
  4. Ensure that SCIM Username maps to Email (you can edit these values by clicking on the row with the SCIM Username). A pop-up window will appear, under Value select Email. Click Save.
  5. Next, click on the blue add (+) sign to add a custom field
  6. In the new pop-up, enter name : givenName in the field name and tick Include in User Provisioning. Click Save.
  7. Select First Name as the value from the dropdown menu. Click Save.
  8. Create another custom field and enter name : familyName in the field name and tick Include in User Provisioning. Click Save.
  9. Select Last Name as the value from the dropdown menu. Click Save.
  10. Once done, you will be back on the Parameters page. Click Save at the top right-hand corner.
  11. Navigate to Provisioning
  12. Under Workflow, check Enable provisioning

Note: By default, OneLogin will create provisioning tasks that will require admin approval whenever you create, delete or update a user (available at Activity > Events). If you’d rather approve all tasks automatically, you can check off those options under Require admin approval before this action is performed.

  1. There are two more options here:
  • When users are deleted in OneLogin, or the user’s app access is removed, perform the below action, and
  • When user accounts are suspended in OneLogin, perform the following action

Here, you have the following options:

  • Delete: this will remove the user from the Kisi system
  • Suspend: this will deactivate user - they’ll still be able to login in and see places, groups and other resources they had access to before, but they won’t be able to open any of the locks.
  1. Navigate to Access > Roles and choose a role. All users with that role will be provisioned. You can select multiple roles. With no role selected, none of the users will be provisioned.
  2. Click Save when complete

For troubleshooting tips and more details on how to configure OneLogin, please visit SCIM: Provisioning and Deprovisioning Kisi Organization Members with OneLogin.