OneLogin SCIM Integration

This guide covers the practical OneLogin setup for provisioning identities into AxonFlow Enterprise.

Before You Configure OneLogin

You need:

OneLogin admin access
a SCIM token created from the AxonFlow customer portal
the correct enterprise hostname for the target environment

Use this base URL pattern:

https://YOUR_PORTAL_OR_ENTERPRISE_DOMAIN/scim/v2

Step 1: Add the OneLogin SCIM Application

open the OneLogin admin portal
add the SCIM Provisioner application appropriate for your environment
name it clearly for the tenant or environment it manages

Avoid ambiguous names if your organization uses more than one AxonFlow environment.

Step 2: Configure the SCIM Connection

In the OneLogin app configuration:

Field	Value
SCIM Base URL	`https://YOUR_PORTAL_OR_ENTERPRISE_DOMAIN/scim/v2`
SCIM Bearer Token	your AxonFlow SCIM token

OneLogin commonly handles the bearer scheme for you, so start with the raw token value unless your OneLogin template expects the full header value.

Step 3: Validate the Connection

Enable or test the API connection in OneLogin before assigning broad scope.

If the connection fails:

confirm the hostname and path are correct
confirm the token is current
confirm the environment is reachable from OneLogin

Step 4: Enable Provisioning Actions

Enable the lifecycle actions you want OneLogin to control:

create users
update users
suspend or deactivate users

The right configuration depends on your organization's identity lifecycle model, but the important thing is to validate the end-to-end behavior with a pilot user before expanding.

Step 5: Review Attribute Mapping

The core mapping goals remain the same:

OneLogin source	AxonFlow SCIM target
email or login attribute	`userName`
email	`emails`
first name	`name.givenName`
last name	`name.familyName`
unique OneLogin identifier	`externalId`

Do not assume the default mapping is right for your tenant. Validate it with a real pilot user.

Step 6: Assign a Pilot User or Role

Start with a small assignment set:

one user, or
one role/group if your rollout depends on group-based provisioning

Then verify:

the user lands in the expected tenant
the profile shape is correct
lifecycle changes are reflected correctly

Step 7: Add Group Sync Deliberately

If you want group-based access alignment in AxonFlow:

get user provisioning stable first
enable group-related provisioning behavior in OneLogin
test one pilot group
review the access outcome before broad rollout

Common OneLogin Issues

API connection will not enable

Check:

the base URL is correct
the token is current
OneLogin is using the token format expected by the template

Users are assigned but do not appear

Check:

provisioning is enabled
the user really has the app assignment
the mapping produces valid userName and email values

Group or role behavior is unclear

Treat this as a rollout-design issue, not just a technical issue. Validate user sync first, then add group-based access carefully.

Recommended Rollout Pattern

configure the connection
validate it with a pilot user
verify updates and deactivation
add one pilot group if needed
expand only after the lifecycle path is predictable

Before You Configure OneLogin​

Step 1: Add the OneLogin SCIM Application​

Step 2: Configure the SCIM Connection​

Step 3: Validate the Connection​

Step 4: Enable Provisioning Actions​

Step 5: Review Attribute Mapping​

Step 6: Assign a Pilot User or Role​

Step 7: Add Group Sync Deliberately​

Common OneLogin Issues​

API connection will not enable​

Users are assigned but do not appear​

Group or role behavior is unclear​

Recommended Rollout Pattern​

Related Docs​