
SCIM Provisioning with OneLogin

Written by Emilia Carvell

This guide walks you through configuring OneLogin to automatically provision users and Access Groups in Pinpoint.

Before you get started, please note:

  • Each user can only belong to one Access Group at a time.

  • Visibility settings must still be managed manually inside Pinpoint — either directly on a user, or at the Access Group level.

Steps to Configure OneLogin SCIM inside Pinpoint

Click Integrations, under Settings in the left-hand navigation bar, then search for SCIM in the Apps tab.

Add the SCIM integration. If this company instance is already in use, make sure to open the advanced configuration and select ‘Disable automatic SCIM sync’.

Then, in your OneLogin account, you can see we have some users set up.

But over in Pinpoint, we only have one user and 3 Access Groups.

Please follow the directions in the OneLogin configuration guide. Once those instructions have been followed, you should be able to refresh this page and see the groups that exist in your IdP.

Select the groups from the IdP that you want synced to Access Groups.

If automatic sync is enabled, users and groups should now have been copied across.

You can see that the users have been assigned the access group from the IdP.

You can customise the roles and visibilities of the access groups manually.

You are also likely to want to configure SAML - follow the SAML guide to set this up.

Setting Up SCIM in OneLogin

This guide walks you through the OneLogin configuration needed to get SCIM provisioning working with Pinpoint.

Please note: Every organisation configures OneLogin differently, so some steps may look slightly different in your environment. Your company's OneLogin administrator will be best placed to account for any differences. Many of these steps can be completed in any order, but working through them all should result in a fully working SCIM integration.

To enable synchronisation of Access Groups in Pinpoint, we can use the ‘Roles’ feature of OneLogin. If you already have a method of organising access with OneLogin, you may want to use different steps to the example we have given here.

Select or create the roles that you want represented as Access Groups within Pinpoint.

You can then begin adding the Pinpoint application.

We select ‘SCIM Provisioner with SAML (SCIM v2 Enterprise)’ as the application.

Configure the Icons and display names for Pinpoint.

In the configuration tab, we paste the SCIM Base URL and the SCIM Token that we were given inside the Pinpoint SCIM integration page.

Press the ‘Enable’ button to confirm that the connection is successful.

Go to the ‘Provisioning’ tab, and check the box that says ‘Enable provisioning’.

Add a rule that maps our Roles to SCIM ‘Groups’ (which will then map to Access Groups inside Pinpoint).

Select the action ‘Set Groups in Pinpoint’, and configure the ‘For each’ instruction. Your configuration may differ depending on how you use OneLogin.

Over in the ‘Access’ tab, give access to the roles that have been created.

In the Roles area, assign users the role of Pinpoint Interviewer. You will assign the roles to your specific users that require access to Pinpoint.

Important step: over in the Application configuration, under the Parameters tab, edit the ‘Groups’ configuration.

Check the box that says ‘Include in User Provisioning’ and save the field.

Your users should now show as ‘Provisioned’. If they show as Pending, the users need approval before provisioning occurs.

To enable login with SAML, create a SAML integration inside Pinpoint and enter the SAML Audience and SAML consumer URL here.

Enter the SAML metadata back into Pinpoint. You can find this metadata under the More Actions button in the top right, then ‘SAML Metadata’. Download the file, then copy and paste its contents into Pinpoint.

You should now see Pinpoint inside your application portal, and your users should be automatically provisioned.
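Because each user can only belong to one Access Group at a time, it is worth checking role membership before enabling sync. The following is an added example, not part of the original guide or Pinpoint's own code: it scans a SCIM 2.0 group listing and reports users who sit in more than one of the groups selected for sync. It assumes the listing is available as a standard RFC 7644 ListResponse; the function name and the sample data are made up for illustration.

```python
import json
from collections import defaultdict

# Constructed sample data: a SCIM 2.0 ListResponse of groups (RFC 7644 shape).
# Group names other than "Pinpoint Interviewer" and all users are made up.
SAMPLE_GROUPS = json.loads("""
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults": 3,
  "Resources": [
    {"id": "g1", "displayName": "Pinpoint Interviewer",
     "members": [{"value": "u1", "display": "ana@example.com"},
                 {"value": "u2", "display": "ben@example.com"}]},
    {"id": "g2", "displayName": "Pinpoint Hiring Manager",
     "members": [{"value": "u2", "display": "ben@example.com"}]},
    {"id": "g3", "displayName": "Pinpoint Admin"}
  ]
}
""")


def multi_group_users(list_response, selected=None):
    """Return {user: [group names]} for users in more than one synced group.

    selected: optional set of group displayNames chosen for sync (None = all).
    """
    groups_by_user = defaultdict(set)
    label = {}
    for group in list_response.get("Resources", []):
        name = group.get("displayName") or group["id"]
        if selected is not None and name not in selected:
            continue
        # "members" is optional in SCIM; an empty group may omit it entirely.
        for member in group.get("members") or []:
            uid = member["value"]  # stable id; "display" is only a label
            label[uid] = member.get("display") or uid
            groups_by_user[uid].add(name)
    return {label[u]: sorted(g) for u, g in groups_by_user.items() if len(g) > 1}


if __name__ == "__main__":
    for user, groups in multi_group_users(SAMPLE_GROUPS).items():
        print(f"{user} is in {len(groups)} synced groups: {', '.join(groups)}")
```

Any user it reports should be reduced to a single role in OneLogin before the groups are selected for sync.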
