All Collections
Haystack Intranet
Single Sign-On (SSO) & User Provisioning (SCIM)
OneLogin SCIM Set Up for User Provisioning and User Profile Data Mapping
OneLogin SCIM Set Up for User Provisioning and User Profile Data Mapping

If your team uses OneLogin, configure your integration to handle provisioning, deprovisioning, and user profile data mapping.

Alison Morris avatar
Written by Alison Morris
Updated over a week ago

Before enabling your user provisioning, please ensure you've configured your workspace notification preferences appropriately. Provisioned users receive notifications even if they've not yet signed into their account. You can configure your workspace notification preference on your Admin Console's Security Settings Page.

Create an OneLogin application (SCIM v2 Enterprise, full SAML)

Skip this step if you already have a SAML application for Haystack in OneLogin. Please see the instructions in this document for creating a SAML application for Haystack in OneLogin.

Enable SCIM in Haystack and generate an auth token

Enable SCIM based user provision in “Admin console” -> “User Provision & Login”. Generate an auth token and copy it (to be used in the next step in OneLogin “API connection” configuration).

Config SCIM Provisioning in the OneLogin SAML application

Enable the API connection; fill the SCIM Base URL, SCIM JSON Templates and SCIM Bearer Token.

  1. Replace “dev” in the SCIM connector base URL with your haystack domain;

  2. Copy the auth token from the Haystack “User Provision & Login” in the admin console, paste it into “SCIM Bearer Token”.

  3. Leave “Custom Headers” empty

Add “managerUsername” custom parameter

  1. Navigate to the "Parameters" tab, click the "+" icon in the upper right.

  2. Enter name “managerUsername”, toggle the checkbox “include User Provisioning”, then click "Save."

  3. Select “Manager Username” as the value

Example SCIM JSON Template


"schemas": [





"userName": "{$}",

"name": {

"familyName": "{$user.lastname}",

"givenName": "{$user.firstname}",

"formatted": "{$user.display_name}"


"emails": [


"value": "{$}",

"type": "work",

"primary": true



"phoneNumbers": [


"value": "{$parameters.phoneNumber}",

"type": "work"



"title": "{$parameters.title}",

"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {

"department": "{$parameters.department}",

"manager": {

"value": "{$parameters.managerUsername}"




Add the following custom fields and mappings if your OneLogin has them in user profiles.

The same way as you added the custom field of “managerUserName”, add the following custom fields if your OneLogin user profile has them.

"urn:ietf:params:scim:schemas:extension:haystack:1.0:User": {

"photoUrl": "{$parameters.photoUrl}",

"joinDate": "{$parameters.joinDate}",

"locality": "{$parameters.locality}",

"region": "{$parameters.region}",

"countryCode": "{$parameters.countryCode}",


Did this answer your question?