SCIM provisioning allows you to add and remove teammates in Heap directly from OneLogin. OneLogin offers ease of access, the ability to quickly block credentials for departed team members, multi-factor authentication, and more.
To set up SCIM provisioning with OneLogin, you’ll need to have the following:
- An existing OneLogin SSO configuration
- Admin access to your organization’s Heap account
- Administrator rights in your organization’s OneLogin account
If you set up your Heap application in OneLogin prior to February 2022 you will need to delete your existing OneLogin configuration and then create a new application using the instructions above in order to enable SCIM in your account.
Note that once SCIM provisioning is enabled, you will be unable to add or remove teammates in Heap and can only add or remove them via OneLogin.
To set up SCIM provisioning via OneLogin, complete these steps:
1. Navigate to the Applications > Applications section of your OneLogin administrator dashboard
2. Click the Heap application
3. In the Configuration tab, click Enable API
4. In Heap, go to Account > Manage > Account settings
5. Click Enable SCIM Provisioning in the Single Sign-On section
6. Select the role you would like new users to be given by default. This can be edited later and individual users can be given different roles after they have been added to Heap.
7. Copy the Bearer Token
8. In OneLogin, paste the Bearer Token into the SCIM Bearer Token field
9. Switch to the Provisioning tab and click Enable provisioning
10. (Optional, but recommended) Change When users are deleted in OneLogin… to Delete to deprovision users in Heap when they are removed in OneLogin
11. Click Save
SCIM provisioning has now been enabled. Assigning new users to Heap in OneLogin will automatically create their account and revoking access will automatically delete their account.
Managing user roles from OneLogin
By default all users will be assigned to the default role you selected when setting up SCIM provisioning. However, you can also assign roles to users using the Heap Role parameter in the Parameters tab in OneLogin.
If a user has a value for this parameter then their account will be given that role in Heap. If they do not have a value for this parameter or this parameter is disabled then they will be given the default role.
The Heap Role should exactly match the name of the role in Heap that you want to assign to the user. If this value is updated in OneLogin, the user’s role will also be updated in Heap. However, the user’s role may also be changed in the Heap UI and this will not be reflected in the OneLogin parameter.