Automating Identity & Access Management in One Model
1. Introduction
Managing user access manually is time-consuming and error prone. SCIM (System for Cross-domain Identity Management) solves this by automating the entire user lifecycle, from onboarding to offboarding, between your central identity directory and One Model.
Once configured, any changes you make in SailPoint, whether that’s creating a user, updating a name, or deactivating an account, are automatically reflected in One Model. No manual intervention required.
This guide walks you through connecting SailPoint to One Model using the SCIM 2.0 protocol.
2. Before You Begin
Make sure you have the following in place before starting:
One Model's SCIM provider is built to the SCIM 2.0 specification and is designed to be compatible with SailPoint's IdentityNow and IdentityIQ default connector. In most cases this works out of the box, but small adjustments to the connector configuration may be needed.
- SailPoint administrator access with permission to configure integrations
- SCIM 2.0 support confirmed on your Identity Provider (IdP)
- One Model permissions - your account will need:
  - CanConfigureCompany
  - CanProvisionUsersAsSCIM
  - CanCreateAppPasswords
One Model team: Before proceeding, enable the feature flag under Companies > Enable SCIM Identity Management.
3. Configuration Steps
Step 1: Create a Dedicated SCIM User in One Model
Start by creating a new user in One Model specifically for SailPoint's SCIM connection. This should be a service account and not tied to any individual person so that your integration keeps running smoothly even if team members change roles or leave.
Step 2: Generate Your One Model API Credentials
One Model uses Basic Authentication to verify requests from SailPoint. Your Client ID serves as the username and your Client Secret serves as the password. Here's how to generate these credentials:
- Log in to your One Model instance.
- Navigate to Admin > Integrations > SCIM.
- Enter a descriptive name for your credentials in the input field.
- Click Generate.
- Your Client ID and Client Secret will appear on the page.
⚠️ Important: Copy your Client Secret immediately and store it somewhere secure. Once you close this window, the secret cannot be retrieved, only revoked.
A few things to keep in mind about tokens:
- Client IDs and Client Secrets do not expire. They can only be revoked manually.
- If you need to generate new credentials, you'll need to revoke the existing ones first by clicking Revoke.
Step 3: Connect SailPoint to One Model
Enter your Client ID as the username and your Client Secret as the password into SailPoint's connector configuration. For detailed steps on the SailPoint side, refer to SailPoint's documentation.
Once the credentials are saved, SailPoint will verify the connection to One Model.
Step 4: Map your attributes
For users to sync correctly, your IdP needs to send the right attributes. Below are the required and optional mappings:
| One Model Attribute | SCIM Attribute | Description |
| --- | --- | --- |
| Username | userName | Typically the user's work email address |
| Email | emails[type eq "work"].value | Primary communication email |
| First Name | name.givenName | User's first name |
| Family Name | name.familyName | User's last name |
| Active / Inactive | active | Boolean (true/false) to control access |
| Password | password | Manually created password |
| PersonID | PersonID | Optional — used for Role-Based/Contextual Security settings |
Step 5. Enable Provisioning Features
With the connection confirmed and attributes mapped, turn on the lifecycle actions that suit your needs:
| Feature | What It Does |
| --- | --- |
| Create Users | Automatically creates a One Model profile when a user is assigned in SailPoint |
| Update User Attributes | Syncs changes (e.g. a name update) from SailPoint to One Model in real time |
| Deactivate Users | Disables One Model access when a user is deactivated in SailPoint |
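To make Steps 2 to 5 concrete, the following added example (not One Model's or SailPoint's own code) builds the Basic auth header from a Client ID/Secret, assembles a SCIM 2.0 User resource carrying the attributes from the mapping table, checks a payload for missing required attributes before it is sent, and builds the PatchOp that deactivates a user. The base URL is a placeholder, and sending PersonID as a top-level attribute is an assumption taken from the mapping table; nothing is sent over the network.

```python
import base64

# Placeholder only: the real SCIM base URL is shown under Admin > Integrations > SCIM.
SCIM_BASE_URL = "https://<your-one-model-instance>/scim/v2"

# Attributes the mapping table marks as required (PersonID and password are optional).
REQUIRED = ("userName", "emails", "name.givenName", "name.familyName", "active")


def basic_auth_header(client_id: str, client_secret: str) -> dict:
    """Step 2/3: Client ID is the Basic-auth username, Client Secret the password."""
    token = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"Authorization": f"Basic {token}", "Content-Type": "application/scim+json"}


def build_user(username, email, given, family, active=True, person_id=None, password=None):
    """Step 4: a SCIM 2.0 User resource using the attribute names from the mapping table."""
    user = {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": username,
        "emails": [{"type": "work", "value": email, "primary": True}],
        "name": {"givenName": given, "familyName": family},
        "active": active,
    }
    if password is not None:
        user["password"] = password
    if person_id is not None:
        # Assumption: PersonID travels as a top-level attribute, as the table lists it.
        user["PersonID"] = person_id
    return user


def missing_attributes(user: dict) -> list:
    """Troubleshooting aid: list required mapped attributes absent from a payload."""
    missing = []
    for path in REQUIRED:
        node = user
        for part in path.split("."):
            node = node.get(part) if isinstance(node, dict) else None
        if node is None or node == [] or node == "":
            missing.append(path)
    return missing


def deactivate_patch() -> dict:
    """Step 5: PatchOp setting active=false; Delete User in One Model also only deactivates."""
    return {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }
```

Run `missing_attributes` on a payload exported from a failing SailPoint provisioning event to see which mapped field the connector dropped.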
4. Supported operations and limitations
Supported operations
One Model's SCIM provider supports the following operations:
Users: Fetch Users, Fetch User, Create User, Update User, Patch User, Deactivate User
Groups: Fetch Groups, Fetch Group, Create Group (includes user assignment), Update Group (includes user assignment and removal), Patch Group (includes user assignment and removal), Delete Group
Additionally, discoverability functionality is supported, allowing SailPoint to interrogate One Model's SCIM capabilities automatically.
Known limitations
- Only basic filtering is supported on fetch endpoints at this time.
- Delete User does not perform a full deletion. It deactivates the user, which is the standard behaviour in One Model. If you are expecting hard deletion, be aware this is not currently supported.
5. Groups, Roles and Group Sync
SCIM provisioning in One Model supports two resource types:
- Users — mapped to individual user accounts in One Model
- Groups — mapped to Customer Roles, which connect external role concepts to One Model's Data Access Roles and Application Access Roles
SCIM groups correspond to Customer Supplied Roles in One Model.
Syncing groups from SailPoint
One Model allows you to manage permissions at scale by syncing IdP groups to One Model roles:
- In SailPoint, select the groups you wish to push to One Model (e.g. "HRBP_Global" or "Finance_Analyst").
- Within One Model, map these incoming SCIM groups to the appropriate Data Access Roles to ensure users only see the workforce data relevant to their position.
6. Role Assignment and Contextual Security
SCIM works alongside either your SAML settings for SSO or user uploads, known as the ‘Customer Supplied Roles’, to assign the application access roles and data access roles to your users.
If you are using SSO: you can configure your IdP to create a user on login or have the user already created under your SCIM. Note that both systems, SSO and SCIM, will typically use the same IdP, so the user mapping should match. To learn more, click here.
If you are using username and password: the account creation in One Model will send an email to your users letting them know that a One Model account has been created for them and inviting them to login. Your IdP may also send an email, depending on your settings.
Under either the SSO or User Uploads, you can assign roles to your users once your SCIM connection and SSO have been implemented. To learn more, click here. We strongly recommend working with your Customer Success Advisor to set this up correctly.
7. Troubleshooting
- Sync errors: Check the Provisioning Logs in SailPoint for specific error codes that can point you to the root cause.
- Provisioning has suddenly stopped: This is most often a revoked token. Head to Admin > Integrations > SCIM in One Model and confirm your token is still active.
- Users are syncing but missing names or emails: Double-check your Attribute Mapping configuration in SailPoint to ensure all required fields are correctly mapped to their SCIM equivalents.
- Proxy: You cannot proxy into the dedicated SCIM user account to make changes, such as revoke or generate tokens. To do this, you must be logged in to the service user account.
- If you are still having trouble connecting your SailPoint IdP to SCIM, please submit a BETA ticket here.
8. Other Identity Providers
If your organisation uses another IdP such as Okta, Entra ID, or Google Workspace and you are interested in using SCIM, please submit a BETA ticket here.