Automating Identity & Access Management in One Model
1. Introduction
Managing user access manually is time-consuming and error-prone. SCIM (System for Cross-domain Identity Management) solves this by automating the entire user lifecycle, from onboarding to offboarding, between your central identity directory and One Model.
Once configured, any change you make in your identity provider (IdP), whether that's creating a user, updating a name, or deactivating an account, is automatically reflected in One Model. No manual intervention is required.
This guide walks you through connecting your identity provider to One Model using the SCIM 2.0 protocol. Most of the instructions are provider-agnostic; provider-specific pointers for some commonly used identity providers are at the end of the document.
2. Before You Begin
This feature is currently part of a controlled release. Please talk to your customer adviser to turn it on in your One Model environment.
Make sure you have the following in place before starting:
- Identity provider administrator access with permission to configure integrations
- SCIM 2.0 support confirmed on your identity provider (IdP)
- One Model permissions; your account will need:
  - CanConfigureCompany
  - CanProvisionUsersAsSCIM
  - CanCreateAppPasswords
It is also strongly advised to back up your current user configuration in case you want to revert any settings:
- Admin Reports Page: download a copy of the Users and Roles Admin report
- Company Page: make a copy of the Customer Supplied Role to Data Access Roles and Application Access Role mapping
3. Configuration Steps
Step 1: Create a Dedicated SCIM User in One Model
Start by creating a new user in One Model specifically for SCIM connections. This should be a service account and not tied to any individual person so that your integration keeps running smoothly even if team members change roles or leave.
To generate the credentials you must be able to log in to the service account directly; proxying into it from another account will not suffice.
Step 2: Generate Your One Model API Credentials
One Model uses Basic Authentication to verify requests from your IdP. Your Client ID serves as the username and your Client Secret as the password. To generate these credentials:
- Log in to your One Model instance.
- Navigate to Admin > Integrations > SCIM.
- Enter a descriptive name for your credentials in the input field.
- Click Generate
- Your Client ID and Client Secret will appear on the page.
⚠️ Important: Copy your Client Secret immediately and store it somewhere secure. Once you close this window, the secret cannot be retrieved, only revoked.
A few things to keep in mind about these credentials:
- Client IDs and Client Secrets do not expire. They can only be revoked manually.
- If you need to generate new credentials, you'll need to revoke the existing ones first by clicking Revoke.
Step 3: Connect your IdP to One Model
Enter your Client ID as the username and your Client Secret as the password in your identity provider's SCIM connector configuration, then use the connector's test to verify the connection is working.
Step 4: Map your attributes
For users to sync correctly, your IdP needs to send the right attributes. Below are the required and optional mappings:
| One Model Attribute | SCIM Attribute | Description |
| --- | --- | --- |
| Username | userName | Typically the user's work email address |
| Email | emails[type eq "work"].value | Primary communication email |
| First Name | name.givenName | User's first name |
| Family Name | name.familyName | User's last name |
| Active / Inactive | active | Boolean (true/false) to control access |
| Password | password | Manually created password |
| PersonID | personId | Optional; used for Role-Based/Contextual Security settings. This must be added as a custom attribute in your IdP's SCIM schema under the extension namespace urn:ietf:params:scim:schemas:extension:custom:2.0:User |
Step 5: Enable Provisioning Features
For some identity providers, you may need to turn on the lifecycle actions that suit your needs:
| Feature | What It Does |
| --- | --- |
| Create Users | Automatically creates a One Model profile when a user is assigned in the IdP |
| Update User Attributes | Syncs changes (e.g. a name update) from the IdP to One Model in real time |
| Deactivate Users | Disables One Model access when a user is deactivated in the IdP |
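The credential handling from Steps 2 and 3 and the attribute mapping from Step 4, put together as a runnable example. This is an added illustration, not One Model's own code: the SCIM base URL and the `/scim/v2/Users` path are placeholder assumptions (use the endpoint your One Model environment gives you), and the sample user and credentials are constructed. It builds the Basic auth header from the Client ID and Client Secret, a User resource that carries personId under the custom extension namespace, a pre-flight check for the required attributes, and the PATCH body an IdP sends to deactivate a user.

```python
"""Client-side SCIM 2.0 payloads shaped for the One Model attribute mapping.

Added example, not One Model's code. The base URL, the /scim/v2/Users path
and every sample value below are assumptions/constructed data.
"""
import base64
import json
from urllib.request import Request

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# Extension namespace from the mapping table; personId lives under this key.
CUSTOM_EXT = "urn:ietf:params:scim:schemas:extension:custom:2.0:User"


def basic_auth_header(client_id: str, client_secret: str) -> dict:
    """Client ID is the Basic-auth username, Client Secret the password."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}


def build_user(user_name, given_name, family_name, work_email, active=True, person_id=None):
    """Create User body following the One Model mapping table."""
    user = {
        "schemas": [CORE_USER],
        "userName": user_name,
        "name": {"givenName": given_name, "familyName": family_name},
        "emails": [{"type": "work", "value": work_email, "primary": True}],
        "active": active,
    }
    if person_id is not None:
        # Optional PersonID: declare the extension schema and nest the attribute under it.
        user["schemas"].append(CUSTOM_EXT)
        user[CUSTOM_EXT] = {"personId": person_id}  # attribute name is case sensitive
    return user


def work_email_of(user):
    """Resolve the SCIM path emails[type eq "work"].value against a payload."""
    for email in user.get("emails", []):
        if email.get("type") == "work":
            return email.get("value")
    return None


def missing_required(user):
    """Return the required mapping paths absent from a payload.

    A pre-flight check for the troubleshooting case 'users are syncing but
    missing names or emails'.
    """
    missing = []
    if not user.get("userName"):
        missing.append("userName")
    name = user.get("name") or {}
    if not name.get("givenName"):
        missing.append("name.givenName")
    if not name.get("familyName"):
        missing.append("name.familyName")
    if not work_email_of(user):
        missing.append('emails[type eq "work"].value')
    if not isinstance(user.get("active"), bool):
        missing.append("active")
    return missing


def deactivate_patch():
    """Patch User body that disables access (Delete User in One Model only deactivates too)."""
    return {"schemas": [PATCH_OP],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


def prepare_request(base_url, client_id, client_secret, method, path, body=None):
    """Build, but do not send, the HTTP request so the payload can be inspected offline."""
    headers = basic_auth_header(client_id, client_secret)
    headers["Content-Type"] = "application/scim+json"
    headers["Accept"] = "application/scim+json"
    data = json.dumps(body).encode("utf-8") if body is not None else None
    return Request(base_url.rstrip("/") + path, data=data, headers=headers, method=method)


if __name__ == "__main__":
    # Constructed sample; replace with the credentials from Admin > Integrations > SCIM.
    user = build_user("jane.doe@example.com", "Jane", "Doe", "jane.doe@example.com",
                      person_id="P-1001")
    assert missing_required(user) == []
    req = prepare_request("https://example.onemodel.invalid", "client-id", "client-secret",
                          "POST", "/scim/v2/Users", user)
    print(req.get_method(), req.full_url)
    print(json.dumps(user, indent=2))
    print(json.dumps(deactivate_patch(), indent=2))
```

The Authorization header carries the Client Secret on every request, so keep it out of connector debug logs; if it leaks, revoke the credentials in Admin > Integrations > SCIM and generate a new pair.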
4. Supported operations and limitations
Supported operations
SCIM provisioning in One Model supports two resource types:
- Users — mapped to individual user accounts in One Model
- Groups — mapped to Customer Supplied Roles, which assign One Model's Data Access Roles and Application Access Roles
One Model's SCIM provider supports the following operations:
Users: Fetch Users, Fetch User, Create User, Update User, Patch User, Deactivate User
Groups: Fetch Groups, Fetch Group, Create Group (includes user assignment), Update Group (includes user assignment and removal), Patch Group (includes user assignment and removal), Delete Group
Additionally, discovery functionality is supported, allowing the IdP to interrogate One Model's SCIM capabilities automatically.
Known limitations
- Only basic filtering is supported on fetch endpoints at this time.
- Delete User does not perform a full deletion. It deactivates the user, which is the standard behaviour in One Model. If you are expecting hard deletion, be aware this is not currently supported.
5. Users, Roles and Group Sync
Users created via SCIM automatically have the flags "Allow log in via Single Sign On" and "On login automatically assign One Model roles from the mapping of Customer Supplied Roles configured for SSO or File Based User Upload" set. When using SCIM, Customer Supplied Roles must be used for role assignment.
There are two ways users can be mapped to Customer Supplied Roles when SCIM is enabled:
- assign One Model roles based on a SAML attribute, or
- map SCIM groups to Customer Supplied Roles.
Please note: It is not recommended to use bulk user upload alongside SCIM. If you were using bulk user upload before activating SCIM, you may find that roles assigned via bulk user upload cannot be controlled via SCIM; this can vary by method and identity provider, so test role assignment thoroughly. If roles assigned via bulk user upload persist even after enabling SCIM assignment, consider using bulk user upload one last time to clear all Customer Supplied Roles before managing roles via SCIM or SSO.
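The group-to-role mapping from sections 4 and 5 as an added example; this is illustration, not One Model's code. It assumes the group's displayName is the Customer Supplied Role name and that members are referenced by the One Model user id returned when each user was created; the role name, user ids and externalId are constructed. It also shows the single-equality filter that fits the "basic filtering" available on fetch endpoints, and a local preview of a member patch so an IdP-generated change can be reviewed before it is sent.

```python
"""SCIM 2.0 Group payloads mapping IdP groups to One Model Customer Supplied Roles.

Added example, not One Model's code. Role name, user ids, externalId and the
local preview_members() helper are assumptions/constructed data.
"""
from urllib.parse import quote

CORE_GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def build_group(display_name, member_ids, external_id=None):
    """Create Group body (includes user assignment).

    displayName is the Customer Supplied Role the group maps to; each member
    value is the One Model user id assigned on user creation.
    """
    group = {
        "schemas": [CORE_GROUP],
        "displayName": display_name,
        "members": [{"value": uid} for uid in member_ids],
    }
    if external_id is not None:
        group["externalId"] = external_id  # the IdP's own group identifier
    return group


def member_patch(add=(), remove=()):
    """Patch Group body: one add op per new member, one remove op per departing member."""
    operations = [{"op": "add", "path": "members", "value": [{"value": uid}]} for uid in add]
    operations += [{"op": "remove", "path": f'members[value eq "{uid}"]'} for uid in remove]
    return {"schemas": [PATCH_OP], "Operations": operations}


def basic_filter_query(attribute, value):
    """Query string for a fetch with a single equality filter.

    Only this simple shape is relied on, matching the basic filtering the
    provider supports. The value is escaped and percent-encoded so a userName
    containing quotes cannot break out of the filter grammar.
    """
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return "filter=" + quote(f'{attribute} eq "{escaped}"', safe="")


def preview_members(group, patch):
    """Local preview of the member set after a patch.

    Mirrors only the two op shapes produced by member_patch(); it is a review
    aid for the outgoing change, not the server's implementation.
    """
    members = {m["value"] for m in group.get("members", [])}
    prefix = 'members[value eq "'
    for op in patch["Operations"]:
        if op["op"] == "add" and op["path"] == "members":
            members.update(m["value"] for m in op["value"])
        elif op["op"] == "remove" and op["path"].startswith(prefix):
            members.discard(op["path"][len(prefix):-2])
    return sorted(members)


if __name__ == "__main__":
    # Constructed sample: an IdP group backing the "HR Analysts" Customer Supplied Role.
    group = build_group("HR Analysts", ["u-101", "u-102"], external_id="idp-grp-7f3")
    patch = member_patch(add=["u-103"], remove=["u-101"])
    print(preview_members(group, patch))
    print(basic_filter_query("userName", "jane.doe@example.com"))
```

Because a removed member loses the role at next login, review the remove operations in a patch before trusting an automated group rule; the preview above is a cheap way to catch a rule that would empty a role.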
6. Troubleshooting
- Sync errors: check the provisioning logs in your IdP for specific error codes that point to the root cause.
- Provisioning has suddenly stopped: this is most often a revoked credential. Go to Admin > Integrations > SCIM in One Model and confirm your Client ID is still active.
- Users are syncing but missing names or emails: double-check the attribute mapping configuration in your IdP to ensure all required fields are mapped to their SCIM equivalents (see Step 4). Some fields, such as personId, may be case sensitive.
- Updates are not getting synced to One Model: make sure your attribute mapping pushes changes both on user creation and on updates to existing users.
- Proxy: you cannot proxy into the dedicated SCIM user account to make changes such as revoking or generating credentials. To do this, you must be logged in to the service user account itself.
- Password policy does not match: the password policies of the identity provider and One Model must match in complexity.
- If you are still having trouble connecting your IdP to SCIM, please submit a BETA ticket.
7. Identity Providers
OKTA
For detailed steps on the Okta side, refer to Okta’s documentation
Sailpoint
For detailed steps on the SailPoint side, refer to SailPoint's documentation