Tags | SCIM | Provisioning | OneLogin |
ADMIN PRIVILEGES REQUIRED
Enterprise users can access their documentation here. Find your plan.
Overview
SCIM is an open API for securely sharing user information between online systems. In Stack Overflow for Teams Basic and Business, SCIM 2.0 support allows an Identity Provider (IdP) to automatically update Stack Overflow with the user's activation status and/or role. This article details how to integrate Stack Overflow for Teams and the OneLogin IdP.
NOTE: Stack Overflow does not directly support SCIM integrations with OneLogin. The instructions below may be out-of-date.
THIS ARTICLE APPLIES TO STACK OVERFLOW FOR TEAMS BASIC AND BUSINESS ONLY.
Stack Overflow for Teams Enterprise users should read this article instead. Find your plan.
Create a SCIM 2.0 application in OneLogin
OneLogin has an article on creating a SCIM 2.0 application which we recommend reviewing before proceeding.
Using the Administration panel, navigate to Apps -> Add Apps.
Search for SCIM apps that support SCIM 2.0 and OAuth bearer tokens (such as SCIM Provisioner with SAML (SCIM v2)) and add that application. This will take you to an application creation wizard.
Configuration Set the Display Name with a descriptive name (such as "SCIM 2.0 - Stack Overflow Business"). Other settings may be left at their defaults or changed depending upon your requirements. Click Save.
Set SCIM 2.0 base URL to https://stackoverflowteams.com/c/[your_site]/auth/scim/v2
Assign users to the SCIM 2.0 application
Users may be added either directly or by roles, both under the Users menu. Select a target User or Role, and click through to the Applications tab. Add applications with the + icon.
Set up user deactivation and reactivation
To access the SCIM integration page, click Admin Settings in the Stack Overflow for Teams left-hand menu, then SCIM integration under the "ACCESS MANAGEMENT" heading. Click Enable SCIM, then click Generate token.
NOTE: This token will only be visible when you generate it. If you lose it, you'll need to generate a new token and reconfigure your OneLogin application.
If you plan to use SCIM 2.0 for administrator/moderator role promotion and demotion, check Allow SCIM to manage user roles.
Navigate to your SCIM 2.0 application in OneLogin and select the Configuration tab.
Check Enable API Integration and set the following parameters:
{ "userName": "{$parameters.scimusername}", "name": { "familyName": "{$user.lastname}", "givenName": "{$user.firstname}", "formatted": "{$user.display_name}" }, "emails": [ { "value": "{$user.email}", "type": "work", "primary": true } ], "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:User" ] }
Click Enable. You should see a green dot with the word "Enabled".
Click Save.
On the Provisioning tab, check Enable provisioning.
When users are deactivated or reactivated in OneLogin and are assigned to the appropriate SCIM 2.0 app, their status should be changed in Stack Overflow Business as well.
Set up administrator/moderator promotion and demotion (optional)
You can use SCIM 2.0 to promote/demote users between administrator, moderator, and regular user roles. This requires enabling Allow SCIM to manage user roles on the SCIM Integration settings page on Stack Overflow for Teams.
User role is determined by the userType
field in the SCIM 2.0 payload. This field can have the value of "Registered", "Moderator", or "Admin".
To set up for SCIM 2.0 control over user role:
In OneLogin, add a custom user field by selecting Users -> Custom User Fields from the top navigation menu. Click CREATE NEW USER FIELD. The Shortname must be userType. We recommend setting the Name as userType as well for consistency. The case must match the SCIM JSON template (for example: $user.custom_fields.userType) as seen in the next step.
Modify the SCIM JSON template by clicking the Configuration tab. You'll need to add the
userType
field to the payload. Click Save once the template is updated.
Here is a sample template with the userType
field:
``` { "userName": "{$parameters.scimusername}", "name": { "familyName": "{$user.lastname}", "givenName": "{$user.firstname}", "formatted": "{$user.display_name}" }, "emails": [ { "value": "{$user.email}", "type": "work", "primary": true } ], "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:User" ], "userType": "{$user.custom_fields.userType}" } ```
Add the
userType
parameter in the application by selecting the Parameters tab, then clicking Add parameter. Create a parameter with Name userType and Value userType (Custom). Enable both Include in SAML assertion and Include in User Provisioning. Click Save to update the application.Set the
userType
value in OneLogin with one of the following methods:By custom field on the individual user profile at Users -> All Users. You can edit a user and set the
userType
field under the Custom Fields section of the User Info tab. You may need to click Show Custom Fields to expand the options. You'll have to do this for every user you want to promote to moderator or administrator.By Application mapping under Users -> Mappings. You can configure field mappings for each application based on certain conditions. For example, you could define a mapping for admin or moderator permissions based on Role membership. See OneLogin documentation for more information.
NOTE: Enabling SCIM 2.0 support does not disable user management options within Stack Overflow for Teams. This means a user may have an active status in the IdP, yet be deactivated in Stack Overflow for Teams through the admin user management settings. We recommend standardizing on a single provisioning workflow within your organization to avoid confusion.
Need help? Submit an issue or question through our support portal.