SCIM Provisioning of Users and Teams with OneLogin

 

System for Cross-domain Identity Management (a.k.a. SCIM) is a protocol for user management across multiple applications. It allows an IT or Operations team to easily provision (add), deprovision (deactivate), and update user data across multiple applications at once. 

To set up SCIM provisioning in OneLogin you will need to have the involvement of both the monday.com admin and the manager of your OneLogin account. 

 

SCIM capabilities supported in monday.com

  • Provisioning of Users
  • Deprovisioning of Users
  • Provisioning of Teams
  • Deprovisioning of Teams
  • Team Renaming
  • Updating User Details
  • Assigning Users to Teams
  • Unassigning Users from Teams

Note: OneLogin does not support monday.com's User Type attributes, and therefore it is unable to provision the user's level of access (i.e. Member, Viewer, or Guest). SCIM will still work to provision and de-provision users, but it will not be able to control their user type.

 

Configuration

Step 1 - Add monday.com to OneLogin

Go to your OneLogin Administration page and click Applications > Applications.

Then click Add App, and search for monday.com in the app store.

Give the app a Display Name and click Save on the right-hand side of the page.

 

Step 2 - Go to Configuration

Go to the "Configuration" tab and enter the following:

  • Monday Domain Name:
    e.g. if your monday.com address is https://teamdomain.monday.com, enter teamdomain
  • SCIM Base URL:
    This should be taken from your monday.com account (see instructions below)
  • SCIM Bearer Token:
    This should be taken from your monday.com account (see instructions below)

Go to the monday.com Admin section to retrieve the provisioning token

  • Open up your monday.com account
  • Click on your avatar > Admin
  • Go to the Security section
  • Click on SCIM

Here you can generate the provisioning URL and token, then copy and paste them into OneLogin.

 

Click the Enable button and then click Save on the right-hand side of the page.

 

Step 3 - Go to Provisioning

Go to the Provisioning page and check the "Enable provisioning" checkbox.

If you want to require admin approval before a user is created, deleted or updated, check the corresponding checkboxes; otherwise, uncheck them.

Click Save on the right-hand side of the page.

 

Additional configurations are required on the monday.com application in order to allow team provisioning:

Step 4 - Go to Parameters

Go to the Parameters tab and click on Groups under the Monday Field.

Check the "Include in User Provisioning" checkbox and click Save on the bottom right of the page.

 

Step 5 - Go to Rules

Go to the Rules tab and click on the Add rule button. Give the rule a name and add an action by clicking the plus icon (+) under the Actions section:

  • Select the "Set Groups in monday.com" action from the list
  • Keep the "Map from OneLogin" selection
  • Select "role" from the list it should apply to
  • Set the pattern that the role should match (the example in the screenshot matches it to all roles)
  • Click on the Save button

[Screenshot: rule with a pattern that matches all roles]

 

 

Set Up User Provisioning

Go to OneLogin's Users > Users tab.

Select a user from the list by clicking on its row.

On the user's page, click the Applications tab and then click on the plus icon on the right-hand side to assign the user to monday.com.

Select the monday.com application from the list and click Continue.

Click the Save button on the bottom right in the Edit user window.

Note: If you deprovision a user from the monday.com app, the user will exist in monday.com as an inactive user and will not be counted towards your monday.com user count.

  

User Attributes

These fields are supported for mapping user attributes:

  • Name (can’t contain special characters)
  • Email (must be lowercase)
  • Active (whether or not a user is enabled or disabled)

Note: The username should always be the user’s email address.
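
A pre-flight audit of a directory export against the attribute rules above, as an added example (not monday.com or OneLogin code). The record layout, the function names and the exact set of characters treated as "special" are assumptions, and the sample users are constructed.

```python
from collections import defaultdict

# Assumption: "special characters" is not defined on the page; here a name may
# contain only letters, digits, spaces, periods, apostrophes and hyphens.
ALLOWED_NAME_PUNCT = set(" .'-")

def check_user(user):
    """Return the list of attribute-rule violations for one directory record."""
    problems = []
    name, email = user.get("name", ""), user.get("email", "")
    if not name.strip() or any(
        not (ch.isalnum() or ch in ALLOWED_NAME_PUNCT) for ch in name
    ):
        problems.append("name is empty or contains special characters")
    if email != email.lower():
        problems.append("email is not lowercase")
    if user.get("username") != email:
        problems.append("username is not the email address")
    if not isinstance(user.get("active"), bool):
        problems.append("active is not true/false")
    return problems

def audit(users):
    """Map username -> violations, including emails that differ only by case."""
    findings, by_folded = {}, defaultdict(list)
    for user in users:
        key = user.get("username", "<no username>")
        problems = check_user(user)
        if problems:
            findings[key] = problems
        by_folded[user.get("email", "").lower()].append(key)
    for keys in by_folded.values():
        if len(keys) > 1:  # would become the same address once lowercased
            for key in keys:
                findings.setdefault(key, []).append(
                    "email duplicates another user after lowercasing")
    return findings

# Constructed sample export (hypothetical users, not from the page).
SAMPLE_USERS = [
    {"name": "Dana Levi", "email": "dana.levi@example.com",
     "username": "dana.levi@example.com", "active": True},
    {"name": "Sam O'Neil", "email": "Sam.ONeil@example.com",
     "username": "Sam.ONeil@example.com", "active": True},
    {"name": "R&D Bot", "email": "rd-bot@example.com",
     "username": "rdbot", "active": False},
    {"name": "Sam Oneil", "email": "sam.oneil@example.com",
     "username": "sam.oneil@example.com", "active": True},
]

if __name__ == "__main__":
    for username, problems in audit(SAMPLE_USERS).items():
        print(username, "->", "; ".join(problems))
```

Lowercasing a mixed-case address can make it identical to another user's address, which is why the audit reports duplicates as well as per-record violations.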

 

Set Up Team Provisioning

You can provision Roles from OneLogin to monday.com by assigning the monday.com application to the Role. Doing this will create a new Team in your monday.com account with all the users that are assigned to that role in OneLogin.

 

Important Note: If you assign a Role to the monday.com app within OneLogin, and there is a monday.com team with the same name, then the OneLogin group will replace it.
For privacy reasons, we recommend coordinating the team provisioning with the monday.com admin, in order to avoid users losing access to their data or users gaining access unintentionally.

 

1. Go to the roles page by clicking Users > Roles.

2. Select the role you would like to be created in monday.com.

3. On the Applications tab, select the monday.com app by clicking it.

Click Save on the right-hand side of the page.

4. To assign users to the role, go to the Users tab and search for a user in the "Check existing or add new users to this role" box. When the user is displayed, click on the Check button.

Click the Add to Role link on the user that was just checked.

Click Save on the right-hand side of the page.

Note: A team will be created in monday.com only when the role is assigned users that have access to monday.com.
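
A dry-run check for the replacement behaviour described in the Important Note above, as an added example (not monday.com or OneLogin code): it compares the roles about to be assigned to the app with existing team names and lists who would gain or lose team membership. The function name, the input dictionaries and the reading of "replace" as the team's membership becoming the role's eligible users are assumptions; the sample data is constructed.

```python
def plan_team_sync(roles, app_users, existing_teams):
    """Preview what assigning each role to the monday.com app would do.

    roles:          {role name: set of usernames} for roles assigned to the app
    app_users:      usernames that have access to the monday.com app
    existing_teams: {team name: set of usernames} currently in monday.com
    """
    folded = {name.casefold() for name in existing_teams}
    plan = {}
    for role, members in sorted(roles.items()):
        eligible = members & app_users
        if role in existing_teams:
            # Checked first so a same-name team is always surfaced.
            current = existing_teams[role]
            plan[role] = {"action": "replace",
                          "gain": sorted(eligible - current),
                          "lose": sorted(current - eligible)}
        elif not eligible:
            # No member has app access, so no team is created.
            plan[role] = {"action": "skip", "gain": [], "lose": []}
        elif role.casefold() in folded:
            # Assumption: the page says "same name" without stating case
            # sensitivity, so near-matches go to the monday.com admin.
            plan[role] = {"action": "review", "gain": sorted(eligible), "lose": []}
        else:
            plan[role] = {"action": "create", "gain": sorted(eligible), "lose": []}
    return plan

# Constructed sample data (hypothetical roles, users and teams).
ROLES = {
    "Engineering": {"dana@example.com", "omar@example.com"},
    "Finance": {"lee@example.com"},
    "marketing": {"dana@example.com"},
    "Contractors": {"pat@example.com"},
}
APP_USERS = {"dana@example.com", "omar@example.com", "lee@example.com"}
EXISTING_TEAMS = {
    "Engineering": {"dana@example.com", "kim@example.com"},
    "Marketing": {"kim@example.com"},
}

if __name__ == "__main__":
    for role, step in plan_team_sync(ROLES, APP_USERS, EXISTING_TEAMS).items():
        print(f"{role}: {step['action']} gain={step['gain']} lose={step['lose']}")
```

Any role reported as "replace" or "review" is one to coordinate with the monday.com admin before assigning it to the app.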

 

Error Handling

The table below lists error codes and their possible reasons. Check the third column for resolution suggestions:

[Image: table of error codes, possible reasons, and resolution suggestions]

 

FAQs

We've outlined a list of SCIM-related frequently asked questions for you. Click on this link here to check them out!

 

 

 
