Provision Users and Groups with OneLogin (SCIM)
You can use OneLogin to provision users and groups in Harness.
Harness' SCIM integration enables OneLogin to serve as a single identity manager for adding and removing users. This is especially efficient for managing large numbers of users.
This topic describes how to set up OneLogin provisioning for Harness Users and User Groups.
Before you begin
- This topic assumes you understand the System for Cross-domain Identity Management (SCIM). For an overview, see the article Introduction to System for Cross-domain Identity Management (SCIM).
- Learn Harness' Key Concepts
- Access Management (RBAC) Overview
- Make sure you are an Administrator in your OneLogin account and have Account Admin permissions in Harness.
- Make sure you have a Harness API Key with a valid Token under it. The API Key must have all permissions on Users and User Groups.
By default, this integration does not support updating a provisioned user's email address in OneLogin (see the UPDATE_EMAILS_VIA_SCIM feature flag below). Once the user is provisioned in Harness, the user's email address must remain the same. If you change the email address in OneLogin and then try to remove the user from Harness, the removal fails.
Once a user is provisioned in Harness, you cannot delete the user in the Harness Manager. You must delete the user in OneLogin.
A provisioned user cannot log into Harness through the Harness OneLogin app unless OneLogin SAML authentication is also set up in Harness. Until then, they must log in with their email address and password.
Step 1: Add Harness app to OneLogin
The first step is adding the Harness app to your OneLogin Applications.
- In Applications, click Add App.
- Search for Harness. The Harness Application appears.
- Click the Harness app to open its Configuration page and click Save.
When you are done, the Harness OneLogin app appears.
For more information on adding apps, see OneLogin's documentation: Introduction to App Management.
Step 2: SCIM base URL
Next, add a special Harness account URL to the OneLogin app's SCIM Base URL.
- Log into your Harness account.
- Copy the Harness account ID from the Account Overview of your Harness account.
- Add your account ID to the end of the following URL:
For Harness On-Prem, the URL uses your custom domain name and the gateway path segment is omitted. For example, if your On-Prem domain name is harness.mycompany.com:
- Copy the full URL.
- In OneLogin, open the Harness OneLogin app.
- Click Configuration.
- In SCIM Base URL, paste the Harness URL you copied.
Next, we will use a Harness API access key for the SCIM Bearer Token setting in your Harness OneLogin app.
Step 3: SCIM bearer token
The SCIM Bearer Token authenticates the requests that the OneLogin SCIM provisioning service sends to Harness. Treat it as a secret: anyone who holds it can create, update, and delete users in your Harness account.
- In Harness Manager, create an API token by following the instructions in Add and Manage API Keys.
- Copy the new API token.
- In OneLogin, paste the API token in the SCIM Bearer Token setting in your Harness OneLogin app.
- Ensure that the API Status is enabled and click Save.
Step 4: Set up Harness OneLogin app provisioning
Next, you will set the required provisioning settings for the Harness OneLogin app.
Ensure these settings are set up exactly as shown below.
- In the Harness OneLogin app, click Provisioning.
- In Workflow, ensure the following are selected:
- Enable provisioning
- Create user
- Delete user
- Update user
- When users are deleted in OneLogin, or the user's app access is removed, perform the below action: Delete.
- When user accounts are suspended in OneLogin, perform the following action: Suspend.
- Click Save.
Option: Provision OneLogin users to Harness
Next, we will add users to the Harness OneLogin app. Once OneLogin SSO is enabled in Harness, these users will be provisioned in Harness automatically.
- In OneLogin, click Users.
- Click a user.
- In User Info, ensure that the user has First name, Last name, and Email completed.
Only First name, Last name, and Email are permitted for Harness OneLogin SCIM provisioning. Do not use any additional User Info settings.
- Click Applications.
- In the Applications table, click the add button (+).
- In the Assign new login settings, select the Harness OneLogin App and click Continue.
- In NameID, enter the user's email address (the same Email value entered in User Info).
- Click Save. The status in the Applications table is now Pending.
- Click Pending. The Create User in Application settings appear.
- Click Approve. The Provisioning status will turn to Provisioned.
Enable the feature flag UPDATE_EMAILS_VIA_SCIM if you want email address changes made in the SCIM provider (OneLogin) to be reflected in Harness.
If provisioning fails, OneLogin reports an error on the provisioning task. The most common cause is an incorrect SCIM Base URL or SCIM Bearer Token setting in the OneLogin app.
If an error prevents adding, deleting, or updating an individual user in Harness, resolve the issue and then retry provisioning the user in OneLogin. For more information, see Review and Approve Provisioning Tasks for Your SCIM Test App in Test Your SCIM Implementation.
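Before pasting the SCIM Base URL and SCIM Bearer Token into OneLogin (Step 3), and again when a provisioning task fails, it is worth issuing the same kind of request OneLogin will make and reading the HTTP status, because the two most common misconfigurations produce distinguishable responses. The following script is an added example, not code from Harness or OneLogin. It assumes only standard SCIM 2.0 behaviour (RFC 7644): a GET of `<base>/Users?count=1` with an `Authorization: Bearer` header returns a `ListResponse`. The base URL and token are read from the `SCIM_BASE_URL` and `SCIM_BEARER_TOKEN` environment variables (names chosen here) so the token does not land in shell history or `ps` output.

```python
"""Preflight check for the OneLogin -> Harness SCIM connection (added example).

Assumes standard SCIM 2.0 (RFC 7644) only. The environment variable names
SCIM_BASE_URL and SCIM_BEARER_TOKEN are this script's own convention.
"""
import json
import os
import sys
import urllib.error
import urllib.request

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def normalize_base_url(url: str) -> str:
    """Strip whitespace and trailing slashes so '/Users' appends cleanly.

    Plain http is rejected: the bearer token would cross the wire in clear text.
    """
    url = url.strip().rstrip("/")
    if not url.startswith("https://"):
        raise ValueError("SCIM base URL must use https, got %r" % url)
    return url


def diagnose(status: int, body: str = "") -> str:
    """Map the HTTP status of GET /Users to the OneLogin setting to fix."""
    if status == 200:
        try:
            data = json.loads(body) if body else {}
        except json.JSONDecodeError:
            return "200 but non-JSON body: the base URL is not a SCIM endpoint"
        if isinstance(data, dict) and LIST_RESPONSE in data.get("schemas", []):
            return "ok: base URL and bearer token accepted"
        return "200 but not a SCIM ListResponse: check the SCIM Base URL"
    if status in (401, 403):
        return ("token rejected: check the SCIM Bearer Token (expired API key, "
                "wrong account, or missing Users/User Groups permissions)")
    if status == 404:
        return "not found: check the SCIM Base URL (account ID or On-Prem domain)"
    return "unexpected HTTP %d: inspect the response body" % status


def probe(base_url: str, token: str, timeout: float = 10.0):
    """Send the request OneLogin would send and return (status, body)."""
    req = urllib.request.Request(
        normalize_base_url(base_url) + "/Users?count=1",
        headers={"Authorization": "Bearer " + token,
                 "Accept": "application/scim+json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


if __name__ == "__main__":
    base = os.environ.get("SCIM_BASE_URL")
    tok = os.environ.get("SCIM_BEARER_TOKEN")
    if not base or not tok:
        sys.exit("set SCIM_BASE_URL and SCIM_BEARER_TOKEN before running")
    status, body = probe(base, tok)
    print(diagnose(status, body))
```

Run it once with the values you intend to paste into OneLogin; a `401`/`403` means the token (or its permissions) is wrong, a `404` means the base URL is wrong, and only a SCIM `ListResponse` confirms both are right.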
Verify provisioning in Harness
Now that you have provisioning confirmation from OneLogin, let's verify that the provisioned user is in Harness.
- In Harness, click Account Settings, and then select Access Control.
- Click Users.
- Locate the provisioned user.
The provisioned users will receive an email invite from Harness to sign up and log in.
Option: Provision OneLogin roles to Harness groups
You can create, populate, and delete Harness User Groups using OneLogin.
OneLogin does not currently support group deletion via SCIM, so you cannot delete OneLogin-provisioned User Groups from within Harness; attempting to do so produces the error message Cannot Delete Group Imported From SCIM. Remove the group in OneLogin, then contact Harness Support to have it removed from Harness.
To perform Harness User Group provisioning using OneLogin, you assign the Harness OneLogin app and OneLogin users to a OneLogin role.
Next, you create a rule in the Harness OneLogin app that creates groups in Harness using the role.
The OneLogin roles become User Groups in Harness.
You cannot provision OneLogin users to Harness User Groups if they are already provisioned in Harness. Remove those users first, then provision them again using the steps below.
Add user provisioning to the Harness OneLogin app
- Ensure the Harness OneLogin app is added and configured as described in Steps 1 through 4 of this topic.
- In OneLogin, open the Harness OneLogin app.
- In Parameters, in Optional Parameters, click on Groups.
- In Edit Field Groups, select Include in User Provisioning and click Save.
- Click Save to save the Harness OneLogin app.
Next, we'll create the OneLogin role that will be used as your Harness User Group.
Create OneLogin role
- In OneLogin, click Users and select Roles.
- Click New Role.
- Enter a name for the new role and click Save.
- In Roles, open the new role.
- Click Users.
- In Check existing or add new users to this role, enter the name(s) of the users to add.
- When you have located each user name, click Check.
- For each user, click Add to Role. When you are done, the user(s) are listed in Users Add Manually.
- Click Save. You are returned to the Roles page.
- Open the role.
- In the role, click Applications.
- Click the Add Apps button.
- In Select Apps to Add, click the Harness OneLogin app.
- Click Save.
Now that the role has users and the Harness OneLogin app, we can add the Harness OneLogin app to each OneLogin user.
Add Harness OneLogin app to users
For each of the OneLogin users you have added to the role, you will now add the Harness OneLogin app.
- In OneLogin, click Users, and then select each user you want to add.
- On the user's page, click Applications.
- Click the Add App button.
- In Assign new login, select the Harness OneLogin app, and click Continue.
- In the Edit settings, in Groups, select the role you created and click Add.
- Click Save.
Now that each user is associated with the Harness OneLogin app and role, you will add a rule to the Harness OneLogin app. The rule sets groups in the Harness OneLogin app using the role you created.
Add rule to Harness OneLogin app
Next, you create a rule in the Harness OneLogin app to create groups using the role you created.
- Click Applications, and then select the Harness OneLogin app.
- In the app, click Rules.
- Click Add Rule.
- Name the rule.
- In Actions, select Set Groups in [Application name].
- Select Map from OneLogin.
- In For each, select role.
- In with value that matches, enter the name of the role you created, or a regex that matches it.
- Click Save.
- Click Save to save the app.
If you have created users prior to adding the mapping rule, select Reapply Mappings in the User settings section of your Harness application.
Now that the app has a rule to set groups in Harness using the role you created, you can begin provisioning users using the app.
Provision users in application
Each of the OneLogin users that you added the Harness OneLogin app to can now be provisioned.
- In the Harness OneLogin app, click Users. The users are listed as Pending.
- Click each user and then click Approve.
The Provisioning State for each user is changed to Provisioned.
See the provisioned user group in Harness
Now that you have provisioned users using the Harness OneLogin app, you can see the new group and users in Harness.
- In Harness, click Account Settings, and then select Access Control.
- Click User Groups.
- Locate the name of the User Group. It is named after the role you created. Click the User Group.
You can see the User Group and Users that are provisioned.
Repeat the steps in this process for additional users.
When provisioning user groups through SCIM, Harness replaces any -, or a space in your role name and uses the result as the group identifier. For example, if your role name is example-group in your SCIM provider, its identifier in Harness would be
What if I already have app integration for Harness FirstGen?
If you currently have a Harness FirstGen App Integration setup in your IDP and are now trying to set up one for Harness NextGen, make sure the user information is also included in the FirstGen App Integration before attempting to log into Harness NG through SSO.
Harness authenticates users using either the FirstGen App Integration or the NextGen App Integration. If you have set up both, Harness continues to use your existing App Integration in FirstGen to authenticate users that attempt to log in using SSO.
Let us look at the following example:
- An App Integration is already set up for FirstGen with 2 users as members.
- Now you set up a separate App Integration for Harness NextGen and add [email protected] as the members.
- You provision these users to Harness NextGen through SCIM.
- [email protected] try to log in to Harness NextGen through SSO.
- The FirstGen App Integration is used for user authentication.
- [email protected] is a member of the FirstGen App Integration and hence is authenticated and successfully logged in to Harness NextGen.
- [email protected] is not a member of the FirstGen App Integration, hence authentication fails and the user cannot log in to Harness NextGen.
Assign permissions post-provisioning
Permissions can be assigned manually or via the Harness API:
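A SCIM-provisioned User Group arrives in Harness with membership but no permissions, so the natural automation step is to bind the group to the least-privileged role it needs as soon as it appears. The script below is an added example, not Harness's own code, and several details are assumptions not stated on this page: that Harness NextGen exposes `POST https://app.harness.io/gateway/authz/api/roleassignments?accountIdentifier=<account ID>` authenticated with an `x-api-key` header, that the request body has the shape shown, and that `_account_viewer` and `_all_account_level_resources` are built-in identifiers. Check these against the current Harness API reference before relying on them. The group identifier is the one shown for the provisioned User Group in Harness.

```python
"""Bind a SCIM-provisioned Harness User Group to a least-privilege role (added example).

ASSUMED, not confirmed by this page: the authz roleassignments endpoint, the
x-api-key header, the body shape, and the built-in role/resource-group names.
"""
import json
import os
import urllib.request

# Assumed SaaS gateway; override for On-Prem.
HARNESS_API = os.environ.get("HARNESS_API", "https://app.harness.io/gateway")

# Roles that confer broad write/admin rights. Granting one requires an explicit
# opt-in so a typo in an automation job cannot hand every provisioned user admin.
PRIVILEGED_ROLES = {"_account_admin"}


def role_assignment_body(group_identifier: str, role_identifier: str,
                         resource_group: str = "_all_account_level_resources",
                         allow_privileged: bool = False) -> dict:
    """Build one account-scoped role assignment for a User Group principal."""
    if not group_identifier or not role_identifier:
        raise ValueError("group and role identifiers are required")
    if role_identifier in PRIVILEGED_ROLES and not allow_privileged:
        raise PermissionError(
            "refusing to grant %s without allow_privileged=True" % role_identifier)
    return {
        "resourceGroupIdentifier": resource_group,   # assumed field name
        "roleIdentifier": role_identifier,           # assumed field name
        "principal": {                               # assumed shape
            "identifier": group_identifier,
            "type": "USER_GROUP",
            "scopeLevel": "account",
        },
        "disabled": False,
        "managed": False,
    }


def assign_role(account_id: str, api_key: str, group_identifier: str,
                role_identifier: str = "_account_viewer", **kwargs) -> dict:
    """POST the assignment; the API key is the same kind of token used for SCIM."""
    body = role_assignment_body(group_identifier, role_identifier, **kwargs)
    req = urllib.request.Request(
        "%s/authz/api/roleassignments?accountIdentifier=%s" % (HARNESS_API, account_id),
        data=json.dumps(body).encode("utf-8"),
        headers={"x-api-key": api_key, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Example invocation; HARNESS_ACCOUNT_ID, HARNESS_API_KEY and HARNESS_GROUP_ID
    # are this script's own variable names.
    result = assign_role(os.environ["HARNESS_ACCOUNT_ID"], os.environ["HARNESS_API_KEY"],
                         os.environ["HARNESS_GROUP_ID"])
    print(json.dumps(result, indent=2))
```

Start every provisioned group at `_account_viewer` (or a custom read-only role) and widen deliberately; the `allow_privileged` guard exists because group membership is now controlled from OneLogin, so any role bound to the group is effectively granted by whoever can edit the OneLogin role.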