Automating Identity & Access Management in One Model
1. Introduction
Managing user access manually is time-consuming and error prone. SCIM (System for Cross-domain Identity Management) solves this by automating the entire user lifecycle, from onboarding to offboarding, between your central identity directory and One Model.
Once configured, any changes you make in SailPoint, whether that’s creating a user, updating a name, or deactivating an account, are automatically reflected in One Model. No manual intervention required.
This guide walks you through connecting SailPoint to One Model using the SCIM 2.0 protocol.
2. Before You Begin
Make sure you have the following in place before starting:
- SailPoint administrator access with permission to configure integrations
- SCIM 2.0 support confirmed on your Identity Provider (IdP)
- One Model permissions - your account will need:
  - CanConfigureCompany
  - CanProvisionUsersAsSCIM
  - CanCreateAppPasswords
One Model team: Before proceeding, enable the feature flag under Companies > Enable SCIM Identity Management.
3. Configuration Steps
Step 1: Create a Dedicated SCIM User in One Model
Start by creating a new user in One Model specifically for SailPoint's SCIM connection. This should be a service account and not tied to any individual person so that your integration keeps running smoothly even if team members change roles or leave.
Step 2: Generate Your One Model API Credentials
One Model uses Basic Authentication to verify requests from SailPoint. Your Client ID serves as the username and your Client Secret serves as the password. Here's how to generate these credentials:
- Log in to your One Model instance.
- Navigate to Admin > Integrations > SCIM.
- Enter a descriptive name for your credentials in the input field.
- Click Generate
Your Client ID and Client Secret will appear on the page.
⚠️ Important: Copy your Client Secret immediately and store it somewhere secure. Once you close this window, the secret cannot be retrieved, only revoked.
A few things to keep in mind about tokens:
- Client IDs and Client Secrets do not expire. They can only be revoked manually.
- If you need to generate new credentials, you'll need to revoke the existing ones first by clicking Revoke.
4. Connect SailPoint to One Model
Enter your Client ID as the username and your Client Secret as the password into SailPoint's connector configuration. For detailed steps on the SailPoint side, refer to SailPoint's documentation.
Once the credentials are saved, SailPoint will verify the connection to One Model.
5. Enable Provisioning Features
With the connection confirmed, turn on the lifecycle actions that suit your needs:
| Feature | What It Does |
| --- | --- |
| Create Users | Automatically creates a One Model profile when a user is assigned in SailPoint |
| Update User Attributes | Syncs changes (e.g. a name update) from SailPoint to One Model in real time |
| Deactivate Users | Disables One Model access when a user is deactivated in SailPoint |
6. Groups and Roles
SCIM provisioning in One Model supports two resource types:
- Users - mapped to individual user accounts in One Model
- Groups - mapped to Customer Roles, which connect external role concepts to One Model's Data Access Roles and Application Access Roles
SCIM groups correspond to Customer Supplied Roles in One Model.
7. Role Mapping
SCIM works alongside either your SAML settings for SSO or user uploads, known as the ‘Customer Supplied Roles’, to assign the application access roles and data access roles to your users.
If you are using SSO, you can configure your IdP to create the user on first login, or rely on the user already having been created through SCIM. Note that SSO and SCIM will typically use the same IdP, so the user mapping in both should match.
If you are using username and password as your user login, the account creation in One Model will send an email to your users letting them know that a One Model account has been created for them and inviting them to login. Your IdP may also send an email, depending on your settings.
With either SSO or user uploads, you can assign roles to your users once your SCIM connection and SSO have been implemented. We strongly recommend working with your Customer Success Advisor to set this up.
8. Attribute Mapping
For users to sync correctly, your IdP needs to send the right attributes. Below are the required and optional mappings:
| One Model Attribute | SCIM Attribute | Description |
| --- | --- | --- |
| Username | userName | Typically the user's work email address |
| Email | emails[type eq "work"].value | Primary communication email |
| First Name | name.givenName | User's first name |
| Family Name | name.familyName | User's last name |
| Active / Inactive | active | Boolean (true/false) to control access |
| Password | password | Manually created password |
| PersonID | PersonID | Optional; used for Role-Based/Contextual Security settings |
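As an added example (not One Model's or SailPoint's own code), the Python below builds a SCIM 2.0 User payload that follows the mapping table above, checks that the required attributes are present (the check behind the "missing names or emails" troubleshooting item), builds the Basic Authentication header from the Step 2 credentials, and shows the PatchOp a Deactivate Users action sends. The IdP record field names and the Client ID/Secret values are assumptions.

```python
import base64

# Added example, not One Model's or SailPoint's code. Field names in the
# IdP record (email, first_name, last_name, active, person_id) are assumed.
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# Required mappings from the attribute table (dotted paths into the payload).
REQUIRED = ("userName", "emails", "name.givenName", "name.familyName", "active")


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Basic auth: base64('<Client ID>:<Client Secret>'), as One Model expects."""
    token = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return f"Basic {token}"


def build_scim_user(record: dict) -> dict:
    """Map an IdP record onto the One Model SCIM attributes."""
    user = {
        "schemas": [USER_SCHEMA],
        "userName": record["email"],  # Username: the work email address
        "emails": [{"type": "work", "value": record["email"], "primary": True}],
        "name": {"givenName": record["first_name"],
                 "familyName": record["last_name"]},
        "active": bool(record.get("active", True)),
    }
    if record.get("person_id"):  # optional: Role-Based/Contextual Security
        user["PersonID"] = record["person_id"]
    return user


def missing_required(user: dict) -> list:
    """Return the required attribute paths that are absent or empty."""
    missing = []
    for path in REQUIRED:
        node = user
        for key in path.split("."):
            node = node.get(key) if isinstance(node, dict) else None
        if node is None or node == "" or node == []:
            missing.append(path)
    return missing


def deactivate_patch() -> dict:
    """SCIM PatchOp that flips 'active' to false when SailPoint deactivates a user."""
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}
```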
9. Troubleshooting
- Sync errors: Check the Provisioning Logs in SailPoint for specific error codes that can point you to the root cause.
- Provisioning has suddenly stopped: This is most often a revoked token. Head to Admin > Integrations > SCIM in One Model and confirm your token is still active.
- Users are syncing but missing names or emails: Double-check your Attribute Mapping configuration in SailPoint to ensure all required fields are correctly mapped to their SCIM equivalents.
- Proxy: You cannot proxy into the dedicated SCIM user account to make changes, such as revoke or generate tokens. To do this, you must be logged in to the service user account.