System for Cross-domain Identity Management (a.k.a. SCIM) is a protocol for user management across multiple applications. It allows an IT or Operations team to easily provision (add), deprovision (deactivate), and update user data across multiple applications at once.
Setting up SCIM provisioning in OneLogin requires the involvement of both the monday.com admin and the manager of your OneLogin account.
SCIM capabilities supported in monday.com
- Provisioning of Users
- Deprovisioning of Users
- Provisioning of Teams
- Deprovisioning of Teams
- Team Renaming
- Updating User Details
- Assigning Users to Teams
- Unassigning Users from Teams
Configuration
Step 1 - Add monday.com to OneLogin
Go to your OneLogin Administration page and click Applications > Applications:
Then click Add App, and search for monday.com in the app store:
Give the app a Display Name and click Save on the right-hand side of the page.
Step 2 - Go to Configuration
Go to the "Configuration" tab, enter the following:
- Monday Domain Name: e.g. if your monday.com's subdomain is https://teamdomain.monday.com, enter teamdomain
- SCIM Base URL: This should be taken from your monday.com account (see instructions below)
- SCIM Bearer Token: This should be taken from your monday.com account (see instructions below)
Go to monday.com Admin section to retrieve the provisioning token
- Open up your monday.com account
- Click on your avatar > Admin
- Go to the Security section
- Click on SCIM
Here you can generate the provisioning URL and token, then copy and paste them into OneLogin.
Click the Enable button and then click Save on the right-hand side of the page:
Step 3 - Go to Provisioning
Go to the Provisioning page and check the "Enable provisioning" checkbox.
If you want to require admin approval before a user is created, deleted or updated, check the corresponding checkboxes; otherwise, uncheck them:
Click Save on the right-hand side of the page.
Additional configurations are required on the monday.com application in order to allow team provisioning:
Step 4 - Go to Parameters
Go to the Parameters tab, click on the Groups under the Monday Field:
Check the "Include in User Provisioning" checkbox and click Save on the bottom right of the page:
Step 5 - Go to Rules
Go to the Rules tab and click on the Add rule button. Give the rule a name and add an action by clicking the plus icon (+) under the Actions section:
- Select the "Set Groups in monday.com" action from the list
- Keep "Map from OneLogin" selection
- Select "role" from the list it should apply to
- Set the pattern that the role should match (the example in the screenshot matches all roles)
- Click on the Save button
Set Up User Provisioning
Go to OneLogin's Users > Users tab:
Select a user from the list by clicking on its row.
On the user's page, click the Applications tab and then click on the plus icon on the right-hand side to assign the user to monday.com:
Select the monday.com application from the list and click Continue:
Click the Save button on the bottom right in the Edit user window:
User Attributes
These fields are supported for mapping user attributes:
- Name (can’t contain special characters)
- Email (must be lowercase)
- Active (whether or not a user is enabled or disabled)
Set Up Team Provisioning
You can provision Roles from OneLogin to monday.com by assigning the monday.com application to the Role. Doing this will create a new Team in your monday.com account with all the users that are assigned to that role in OneLogin.
For privacy reasons, we recommend coordinating team provisioning with the monday.com admin, to avoid users losing access to their data or unintentionally gaining access.
1. Go to the roles page by clicking Users > Roles
2. Select the role you would like to be created in monday.com
3. On the Applications tab, select the monday.com app by clicking it:
Click Save on the right-hand side of the page.
4. To assign users to the role, go to the Users tab and search for a user in the "Check existing or add new users to this role" box. When the user is displayed, click on the Check button:
Click the Add to Role link on the user that was just checked:
Click Save on the right-hand side of the page.
Error Handling
The table below lists error codes and their possible reasons. See the third column for resolution suggestions:
FAQs
- What happens if the admin who set up the initial SCIM token is no longer admin (their user type changed or they were deactivated)?
If the original admin who created the SCIM provisioning token on your account was deactivated or changed to a different user type (member, guest, or viewer), SCIM will no longer work on your account. In order to reactivate SCIM, the current admin of the account can generate a new token and enter it into the identity provider.
- How can an admin generate a new SCIM token?
To generate a new SCIM token, open up the admin section of your account. From there, press on the "Security" tab, open up the SCIM section, click on the "Generate" button and copy the generated token.
After entering this token into your identity provider, you should be all set!
- What happens if I change my personal attributes in my monday.com account?
The sync with OneLogin is a one-way sync, and any changes made to a user profile in the monday.com profile or teams page will be overwritten the next time OneLogin syncs with your account.
What does this mean?
- To change any attributes of the user profile you will need to update them in OneLogin
- In order to add users to teams or remove users from teams created by OneLogin (see: push groups), you will need to make these changes in OneLogin
- If you create a Team in monday.com that is not a group in OneLogin it will not be affected by the groups in OneLogin.
- What happens if I add users to a team in my monday.com account?
If that team is provisioned by OneLogin, these users will eventually be kicked out of the team and replaced by the users that are provisioned to the matching OneLogin Group. Otherwise, when you add users to a team in your monday.com account, they will remain in that team.
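The one-way sync described in the FAQ answers above can be previewed before it runs, so manually granted team access that OneLogin will revoke is visible in advance. The following Python is an added example, not monday.com or OneLogin code. It assumes role and team membership have been exported into dictionaries and that a provisioned team has the same name as its OneLogin role; the function names are hypothetical.

```python
# Added example; the data below is constructed, not exported from a real account.

def _norm(users):
    # The page requires lowercase emails, so compare case-insensitively.
    return {u.strip().lower() for u in users}


def preview_sync(idp_roles, app_teams):
    """Preview what a one-way OneLogin -> monday.com sync would change.

    idp_roles: {role name: emails} for roles assigned to the monday.com app.
    app_teams: {team name: emails} as currently present in monday.com.
    Assumption: a provisioned team carries the same name as its role.
    """
    report = {}
    for name in sorted(set(idp_roles) | set(app_teams)):
        current = _norm(app_teams.get(name, ()))
        if name not in idp_roles:
            # Team created only in monday.com: the sync leaves it alone.
            report[name] = {"managed": False, "removed": set(), "added": set()}
            continue
        wanted = _norm(idp_roles[name])
        report[name] = {
            "managed": True,
            "removed": current - wanted,  # added by hand; dropped on next sync
            "added": wanted - current,    # in the role, missing from the team
        }
    return report


def manual_grants(report):
    """(team, user) pairs that exist only in monday.com and will be revoked."""
    return sorted((t, u) for t, r in report.items() for u in r["removed"])


# Constructed sample data.
IDP_ROLES = {
    "Finance": {"ana@example.com", "raj@example.com"},
    "Support": {"lee@example.com"},
}
APP_TEAMS = {
    "Finance": {"Ana@example.com", "raj@example.com", "contractor@example.com"},
    "Offsite planning": {"lee@example.com", "contractor@example.com"},
}

if __name__ == "__main__":
    for team, user in manual_grants(preview_sync(IDP_ROLES, APP_TEAMS)):
        print(f"{team}: {user} is not in the OneLogin role and will be removed")
```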
If you have any questions, please reach out to our team right here. We’re available 24/7 and happy to help.