OneLogin is one of the many supported SSO security authentication services that can be used with Teamable. This guide provides the steps required to configure Provisioning for Teamable.
The following provisioning features are supported:
- Push New Users
New users created through OneLogin will also be created in the third party application.
- Push Profile Updates
Updates made to the user's profile through OneLogin will be pushed to the third party application.
- Push User Deactivation
Deactivating the user or disabling the user's access to the application through OneLogin will deactivate the user at the third party application.
Note: Teamable does not support group provisioning. Users who already exist in Teamable will not be recreated.
To enable SSO and provisioning, you need to have admin permission in Teamable.
Configure your Provisioning settings for Teamable as follows:
1. Log in to your OneLogin account, go to Administration>Apps>Add Apps, then search for the Teamable app and add it to your applications.
2. Click "Save" to continue.
3. Go to "Configuration" tab. Add "Teamable Subdomain". For example, if your Teamable URL is https://friends.teamable.com, then "Teamable Subdomain" must be friends.teamable.com.
4. Open SSO settings and copy Issuer URL.
5. Go to your Teamable account>Admin Panel>SSO Configuration and select Onelogin SSO.
Only Admins at Teamable can generate a token and set up SSO.
6. Paste the copied URL in "Onelogin Issuer URL" field.
7. Don't forget to save your SSO settings.
1. In order to configure provisioning, you must have your SSO configuration already set up.
2. To enable provisioning and generate Teamable's bearer token, go to the Teamable "SSO Configuration" tab and (1) click the "Generate Key" button, (2) click the copy button and (3) click "Save".
3. Go to the OneLogin→Teamable application's "Configuration" tab and fill in the necessary fields as follows:
(1). SCIM Base URL: Should be "https://" + Teamable Subdomain + "/api/v2/scim". For example, if your Teamable Subdomain is friends.teamable.com, then SCIM Base URL will be https://friends.teamable.com/api/v2/scim.
(2). Paste the copied bearer token in "SCIM Bearer Token" field.
(3). Click "Enable" button.
Note: Make sure that the API status is "Enabled".
4. Go to the "Provisioning" tab and click on the checkbox "Enable Provisioning for Teamable".
5. To configure "Deprovisioning Users" in Teamable, select the "Delete" action from "Delete" drop down.
6. Save all changes.
Assigning users to Teamable application
After configuring SSO and provisioning, assign Teamable to roles from the "Access" tab, or manually add the application to users, and manage user provisioning from the "Users" section of the Teamable application in OneLogin.
Users will be able to sign in to Teamable only after they have been assigned to an application.
All users must have at least First Name, Last Name and Email fields (the email field must contain an email address, not a number or ID).
There are two ways to assign the application to a user:
1. Assigning to a single user
Go to OneLogin>Users>All Users. Find a specific user.
- Go to the "Applications" tab and assign a Teamable application to that user.
If provisioning is not enabled, you will not see the provision button.
Otherwise, you will see it for all users.
Note: The user can sign in to Teamable even if they are not provisioned yet.
2. Assigning to a group of users
First, make sure your users in OneLogin are assigned to the roles for the Teamable application. If you want to assign the application to a group of users, you have to either edit an existing role or create a new role.
- Go to Users>Roles.
- To add a new role, click on "New Role" button. Give a name to the role and save.
- Edit the role: Click on the role from the list.
- The Teamable application is already assigned to the Teamable role in this screenshot. To assign another application click on "plus" icon.
- Choose the application that must be assigned to the role and save it.
- After saving, the application will be added to the role, as you see in the picture below.
- Now to add users to that role, open it again and go to "Users" settings. Check existing user and click "Add to Role".
- After this action, all users of the role must be visible in the application users list (go to Apps>Company Apps>select "Teamable" application>"Users" tab).
If provisioning is not enabled, the user list will look like this.
- If provisioning is enabled, you will see the Provisioning State as follows:
Note: You can also manage role access from the application's "Access" field.
The user can sign in even if they are not provisioned yet.
After assigning all users to the Teamable application and enabling provisioning, you must complete the following steps to provision those users.
OneLogin provisions newly assigned users piece by piece periodically, but it is possible to send all pending users' requests to Teamable. All users who have been newly added to the application, or have been updated or deleted, but not provisioned yet, have the "Pending" status.
1. Create user
- To create (provision) newly assigned single users in Teamable, click on the pending button on each user. A pop-up window will appear. Click on the "APPROVE" button.
- It takes a few seconds to provision a single user.
- If the user was successfully provisioned, it will have "provisioned" status, otherwise, it will show as "failed".
- To see the error, click on "failed" status button.
- Once the issue is fixed, you can click on the "Retry" button.
- We provision the following fields: First name, Last name, Email, and Department ("Title" and "Location" will be provisioned in the future). Users who are provisioned but haven't logged in to Teamable are marked as "New", otherwise they will be marked as "Active". You can see a user's status by going to Teamable>Admin Panel>Current Users page.
- If a user's department doesn't exist in Teamable, the department will be created in Teamable. If a user doesn't have a department in OneLogin, they will be assigned to the "Other" department in Teamable.
2. Update user
If any of the user's fields are updated, their status will change to "Pending". Again, users will be updated piece by piece periodically, but it is possible to update a single user or send all pending users' requests to Teamable the same way as the create requests.
2.1 Send all pending requests
- Filter all pending requests
- Apply "Approve" to all users with pending status
2.2 Filter users with failed status
- Filter all failed requests.
- Apply "Retry" to all users with failed status.
Users can be de-provisioned in Teamable in 3 ways in OneLogin:
- disabling the user's access to the Teamable application in OneLogin
- deactivating a user
- directly deleting a user.
1. Disabling user's access to Teamable application in OneLogin
There are two ways to disable a user's access to the application.
Disabling a single user's access to the application.
- (1) Click on the user that you want to disable from the application user list (Apps>Company Apps>select an application>click on "Users" tab) or (2) click on the application from the user's applications list ("Users">"All Users">select a user>go to "Applications" tab>choose Application).
- Then click on "Delete".
- If the application was assigned to a user only through the role, then you need to (1) remove that user from that role and (2) save role.
Approve pending requests as described above in the "Provisioning" section or wait for OneLogin to process that.
Disabling role access to the application.
- (1) Go to the Access settings of the application ("Apps">"Company Apps">select an application>go to "Access" tab) or (2) go to the Application settings of the role ("Users">"Roles">"Applications") and remove the corresponding role or application respectively.
- Approve with the "Save" action.
Approve pending requests as described above in "Provisioning" section or wait for OneLogin to process that.
Users who were deprovisioned can't be added to the application using the same role. Only after removing from the role and adding that user again to that role, will it be possible to re-assign that user. Or you can add them manually.
2. Deactivating a user
Find a specific user, make them inactive and save. The user will not be unassigned from the application if deactivated.
3. User directly deleted
- If you directly delete the user, they will be deleted from all applications. Approve pending requests as described above in "Provisioning" section or wait for OneLogin to process that.
- Users without Email and First Name and Last Name in their OneLogin profiles cannot be imported to Teamable as new users.
- Users deactivated from OneLogin cannot be reactivated in Teamable.
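The profile requirements stated in this guide (First Name, Last Name and a real email address, with users lacking a department placed in "Other") can be checked before approving pending requests. The following pre-flight script is an added example, not Teamable or OneLogin code; the export field names (`firstname`, `lastname`, `email`, `department`) and the sample records are constructed assumptions.

```python
import re
# Constructed sample of a OneLogin user export; the field names are assumptions.
SAMPLE_USERS = [
    {"firstname": "Ada", "lastname": "Lovelace", "email": "ada@example.com", "department": "Engineering"},
    {"firstname": "Grace", "lastname": "Hopper", "email": "grace@example.com", "department": ""},
    {"firstname": "Alan", "lastname": "", "email": "alan@example.com", "department": "Research"},
    {"firstname": "Eve", "lastname": "Numeric", "email": "100234", "department": "Sales"},
    {"firstname": "  ", "lastname": "Blank", "email": None, "department": None},
]
# Deliberately simple shape check: one "@", non-empty local part, dotted domain.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s.]+$")

def _clean(value):
    """Return a stripped string; None and non-strings become ''."""
    return value.strip() if isinstance(value, str) else ""

def preflight(user):
    """Return (problems, department) for one user record."""
    problems = []
    for key, label in (("firstname", "First Name"), ("lastname", "Last Name")):
        if not _clean(user.get(key)):
            problems.append(f"missing {label}")
    email = _clean(user.get("email"))
    if not email:
        problems.append("missing Email")
    elif not EMAIL_RE.match(email):
        problems.append("Email is not an email address")
    # Per the guide, users without a department land in "Other" in Teamable.
    department = _clean(user.get("department")) or "Other"
    return problems, department

def report(users):
    """Split users into ready (email -> department) and blocked (row -> problems)."""
    ready, blocked = {}, {}
    for i, user in enumerate(users):
        problems, department = preflight(user)
        if problems:
            blocked[i] = problems
        else:
            ready[_clean(user["email"])] = department
    return ready, blocked

if __name__ == "__main__":
    ready, blocked = report(SAMPLE_USERS)
    for email, dept in ready.items():
        print(f"ready   {email} -> department {dept}")
    for i, problems in blocked.items():
        print(f"blocked row {i}: {', '.join(problems)}")
```

Rows reported as blocked are the ones to fix in OneLogin before clicking "Approve", so they do not end up in the "failed" state.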
Please contact firstname.lastname@example.org if you have any further questions.