In this article, I am going to walk through setting up SCIM provisioning between OneLogin and Workspace ONE Access. Once this SCIM integration is done, you can integrate Access and UEM in the usual way so that logins, onboarding and offboarding flow through to UEM as well. This way, users are provisioned ahead of time from the authoritative directory (OneLogin) rather than JIT-provisioned at first login. This is loosely based on the OneLogin tutorial here, but aims to be slightly more complete (it includes the integration with UEM) and more up to date (as of May 2023).
A Workspace ONE tenant (both UEM and Access; a shared SaaS tenant is used in this tutorial) with admin access to both
A OneLogin tenant (a developer SaaS tenant is used in this tutorial)
The Postman application installed on a device to perform the API calls
1. Log in to your Workspace ONE Access tenant admin console (if you see the black screen with apps, click the initials in the top right corner and go to "Workspace ONE Access Console"). Go to Settings - OAuth 2.0 Management. Change the Access Type to Service Client Token, set the scope to admin, and give it a name and valid TTL values. See below for an example.
2. Click Save. Note the secret, as you will not be able to view it again after this point.
3. Next, open up Postman and create a new tab if you need to. Change the request type to POST and enter the following URL: https://(yourtenant)/SAAS/jersey/manager/api/connectormanagement/directoryconfigs
(Note: your tenant may have a different domain, such as workspaceair.com, than the vidmpreview.com shown in the screenshot. That is okay.)
4. Next, in Postman, go to the Authorization tab. Change the authorization type to OAuth 2.0. Give the token a name (this is stored in Postman, so something like "WS1 Access" or your tenant name). Your screen should now look something like this:
4, continued. In the middle box (under Configure New Token), scroll down. The Access Token URL will be https://(yourtenant)/SAAS/auth/oauthtoken. The Client ID is the name of the token we created in Workspace ONE Access earlier (in this example, onelogin), and the Client Secret is the secret generated by Access earlier. The scope should be admin. Once scrolled down, your screen should look something like this:
5. At the bottom of the middle box, click "Get New Access Token". It will then present you with the bearer token. Copy this token value, as we will need it shortly.
6. In the Authorization tab, change the type to Bearer Token and paste the bearer token copied from the previous window.
7. Click into the Headers tab. Unhide the auto-generated headers. Then create a new header with the name Content-Type and the value application/vnd.vmware.horizon.manager.connector.management.directory.other+json. Your screen should look something like this:
8. Click into the Body tab. Change the type to raw and the text type to JSON. Then input the following as the body:
{
  "type": "OTHER_DIRECTORY",
  "domains": ["YourEmailDomain"],
  "name": "OneLogin Directory"
}
The request should then look something like the screenshot below. If everything looks good, click the "Send" button.
If successful, the output (at the bottom of the window) should look something like the below:
Now let's log back into the Workspace ONE Access console, go to Integrations - Directories, and verify that the OneLogin directory is listed:
9. Next, go to Resources - Web Apps and click New.
10. Give it a name and click Next. Skip the search (there is no template for this); every other field on this page except Name is optional.
11. On the next page, enter the following information:
Authentication Type: OpenID Connect
Target URL: (your OneLogin tenant URL)
Redirect URL: https://admin.us.onelogin.com/provisioning/oauth_redirect_uri
Client ID: OneLoginSCIM (or something of the sort)
Client Secret: Something you generate (using a password generator, for example). Note this down, as it will not be visible after you create the app
Show in User Portal: (disable)
12. Then click Next, and "Save and Assign" on the review screen.
13. Assign the admin user (admin@systemdomain should suffice). Leave the defaults and click Save.
14. Next, log in to your OneLogin administration console. Go to Applications - Applications. Click Add App.
15. Search for Workspace ONE and select it.
16. Name it appropriately and click Save. You can call it "Workspace ONE", but I am going to name it after the tenant subdomain in this example.
17. On the next page, go back to the Configuration tab and enter the following information:
SCIM Base URL: https://(your Workspace ONE Access Tenant URL)/SAAS/jersey/manager/api/scim
VMware Site: (your Workspace ONE Access Tenant URL)
Client ID: OneLoginSCIM
Client Secret: (generated in a previous step)
Note: for VMware Site, do not put a trailing forward slash after the URL, or the SSO flow will break.
18. On the Parameters page, the only change needed is "user domain". Click on it and set the value to "email domain part". Click Save. Parameters should look something like this:
19. On the Provisioning page, enable provisioning. Make sure all of the desired actions are set appropriately.
20. Finally, go back to the Configuration page and click "Authorize" at the bottom. Make sure you are signed in as an admin in Access (if this is the same browser session, it should complete without issue).
21. On the Users page, after a short while you should see users start to provision (note: I had to manually approve users to be provisioned via SCIM, but that is a setting to be changed in OneLogin specifically). This will also populate the users in WS1 Access. On this page, go to More Actions and download the SAML metadata so we can set up SSO in Access.
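The Postman calls from steps 1 to 8 (client-credentials token, then the directoryconfigs POST with the vendor-specific Content-Type) and a check for step 21 (listing the SCIM users that now exist in Access under the step 17 base URL), as an added example that is not part of the original post. It assumes the client id and secret are sent as a Basic header with grant_type=client_credentials, which is what Postman does by default, and that the SCIM Users endpoint answers with a standard SCIM ListResponse; the tenant, client id and secret in the main block are constructed placeholders.

```python
import base64
import json
import urllib.parse
import urllib.request

# Vendor-specific Content-Type required by the directoryconfigs endpoint (step 7).
DIRECTORY_CONTENT_TYPE = "application/vnd.vmware.horizon.manager.connector.management.directory.other+json"


def build_token_request(tenant, client_id, client_secret):
    """Client-credentials exchange against /SAAS/auth/oauthtoken (steps 4-5).
    Assumption: id/secret go in a Basic header, as Postman sends them by default."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        f"https://{tenant}/SAAS/auth/oauthtoken",
        data=urllib.parse.urlencode({"grant_type": "client_credentials"}).encode(),
        headers={"Authorization": f"Basic {creds}",
                 "Content-Type": "application/x-www-form-urlencoded"},
        method="POST")


def build_directory_request(tenant, token, name, domains):
    """POST the OTHER_DIRECTORY body from step 8 with the bearer token from step 6."""
    body = {"type": "OTHER_DIRECTORY", "domains": list(domains), "name": name}
    return urllib.request.Request(
        f"https://{tenant}/SAAS/jersey/manager/api/connectormanagement/directoryconfigs",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": DIRECTORY_CONTENT_TYPE},
        method="POST")


def build_scim_users_request(tenant, token):
    """GET the SCIM Users collection under the step 17 base URL to confirm step 21
    populated Access. Assumption: the reply is a standard SCIM ListResponse."""
    return urllib.request.Request(
        f"https://{tenant}/SAAS/jersey/manager/api/scim/Users",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})


def send(req):
    """Send a request and decode the JSON reply; urlopen raises on HTTP errors."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

if __name__ == "__main__":
    # Constructed placeholders: use your tenant hostname and the secret noted in step 2.
    tenant, client_id, secret = "yourtenant.vidmpreview.com", "onelogin", "<secret-from-step-2>"
    token = send(build_token_request(tenant, client_id, secret))["access_token"]
    print(send(build_directory_request(tenant, token, "OneLogin Directory", ["example.com"])))
    print("SCIM users in Access:", send(build_scim_users_request(tenant, token)).get("totalResults"))
```

The directory POST is not idempotent: run it once, then use the SCIM listing on its own to watch provisioning progress.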
22. Back in Workspace ONE Access, go to Integrations - Identity Providers - Add - SAML IdP.
23. Give the IdP a name (such as OneLogin). Open the downloaded XML document in something such as Notepad or TextEdit (to preserve all of the text), and copy and paste it into the Identity Provider Metadata box. Click "Process IdP Metadata".
24. Scroll down. Leave JIT provisioning of users off. For the user directory, select the OneLogin directory we created earlier. Select All Network Ranges. For the authentication method, give it a name (e.g. OneLoginAuth), and for the method select urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport.
25. Next, scroll back up to the top and click Save.
26. Now, to redirect SP-initiated requests to OneLogin, we need to set up an authentication policy. Navigate to Resources - Policies - Edit Default Policy.
27. In this document I am not going to go through editing each platform to use OneLogin. You can (in a pinch, for testing, and not for production) set an Any rule to redirect to OneLogin for authentication. Ideally, you would set this on a per-platform basis. You can drag the platforms up and down, as they are evaluated from top to bottom. As I will be testing this on a macOS laptop, I am going to add a OneLoginAuth rule to the Web Browser device type.
28. Next, click Save, Next, and Save. Now, in an incognito window (so as to preserve our admin session while we test authenticating as a user via OneLogin), navigate to your WS1 Access tenant. If Password (Local Directory) is the first authentication method, you will be prompted with a drop-down to select OneLogin as an authentication method. If OneLogin is the top method in the rule, you will be redirected automatically.
Locked out? You can log in with your basic credentials, bypassing any authentication rules, by going to (your Workspace ONE Access Tenant URL)/SAAS/auth/0. Since this path sidesteps the policy, keep the local directory accounts that can use it to a minimum and give them strong passwords.
If you just wanted to set up SCIM provisioning between OneLogin and Workspace ONE Access, then you're finished! If you want to leverage this for authentication in Workspace ONE UEM, continue reading.
29. To integrate with Workspace ONE UEM for authentication, log in to your Workspace ONE UEM console. Go to Groups and Settings - All Settings - Devices & Users - General - Enrollment. At the top, for Current Setting, select "Override". For "Authentication Mode(s)", select both Basic and Directory. Then, for the "Source of Authentication for Intelligent Hub" setting, select "Workspace ONE Access".
Note: at this point, enrollment for devices leveraging Workspace ONE Access as a directory should work. The Self-Service Portal for WS1 UEM may not work unless you have SAML set up between Workspace ONE Access and UEM. Details on this process can be found here (note: this link predates this site and is a page in a Notion notebook of mine. It was also created to supplement documentation on integrating Okta and Workspace ONE for SCIM provisioning, but the same core principle should apply to OneLogin SCIM provisioning).