
Set up SCIM with OneLogin

Step-by-step guide to connect OneLogin to Scrydon via SCIM 2.0 for automated user and group provisioning.

This guide walks you through connecting OneLogin to Scrydon so that users and groups in OneLogin are automatically provisioned into your Scrydon organization.

Prerequisites

  • Scrydon org admin role.
  • OneLogin account with Super User or Account Owner privileges.
  • SSO already configured between OneLogin and Scrydon. Finish SSO setup from Settings → Platform → Identity → Single Sign-On before continuing.

OneLogin doesn't have a dedicated Scrydon app in its catalog. We use the generic SCIM Provisioner with SAML (SCIM v2 Core) connector, which supports any RFC 7644-compliant SCIM target — Scrydon included.

Part 1 — Generate a Scrydon SCIM token

Open the Identity settings page

Sign in to Scrydon as an org admin and navigate to Settings → Platform → Identity.

Switch to the Provisioning tab

Click the Provisioning (SCIM) tab next to Single Sign-On.

Copy the SCIM endpoint URL

Under SCIM Endpoint, copy the Tenant URL. It looks like:

https://auth.YOUR-TENANT.scrydon.com/api/auth/scim/v2

Generate a provisioning token

Click Generate Token. Enter a label such as onelogin-prod and click Generate.

The raw token is shown exactly once. Copy it immediately. Scrydon cannot display it again.

Part 2 — Add the SCIM provisioner app in OneLogin

Open the OneLogin admin portal

Sign in to OneLogin as Super User or Account Owner. Go to Applications → Applications and click Add App.

Search for the SCIM connector

In the search box, enter SCIM Provisioner with SAML (SCIM v2 Core). Select it from the results.

Save the initial app

Give the connector a clear name like Scrydon (SCIM) and click Save. OneLogin creates the app and reveals its configuration tabs.

Part 3 — Configure the SCIM connection

Open the Configuration tab

Click the Configuration tab in the new SCIM app.

Paste the Scrydon SCIM URL

Find the field labeled SCIM Base URL (OneLogin sometimes labels this as Subdomain depending on the connector version). Paste the Tenant URL from Scrydon:

https://auth.YOUR-TENANT.scrydon.com/api/auth/scim/v2

Paste the Scrydon provisioning token

Find the SCIM Bearer Token field and paste the raw token you generated in Part 1.

Enable the API connection

Under API Connection, click Enable. OneLogin tests the connection by calling Scrydon's /scim/v2/ServiceProviderConfig endpoint with the bearer token.

On success, the status indicator turns green.

If authentication fails: verify the SCIM Base URL ends in /scim/v2 (no trailing slash), the bearer token has no whitespace, and the token has not been revoked in Scrydon.

Save the configuration

Click Save at the top of the page.
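The connection test above can be reproduced outside OneLogin before you paste anything into the connector. The following is an added example, not Scrydon or OneLogin code: it checks the base URL and token for the failure causes listed above, then calls ServiceProviderConfig with the bearer token. The function names and the SCIM_BASE_URL / SCIM_TOKEN environment variables are assumptions.

```python
import json
import os
import urllib.error
import urllib.request
from urllib.parse import urlsplit

def lint_scim_config(base_url, token):
    """Offline checks for the causes this guide lists for a failed connection test."""
    problems = []
    if base_url != base_url.strip():
        problems.append("base URL has surrounding whitespace")
    url = base_url.strip()
    if urlsplit(url).scheme != "https":
        problems.append("base URL is not https; the bearer token would travel in clear text")
    if url.endswith("/"):
        problems.append("base URL has a trailing slash")
    if not url.rstrip("/").endswith("/scim/v2"):
        problems.append("base URL does not end in /scim/v2")
    if not token or any(ch.isspace() for ch in token):
        problems.append("bearer token is empty or contains whitespace")
    return problems

def build_probe(base_url, token):
    """Build the GET <base>/ServiceProviderConfig request carrying the bearer token."""
    headers = {"Authorization": "Bearer " + token, "Accept": "application/scim+json"}
    return urllib.request.Request(base_url + "/ServiceProviderConfig", headers=headers)

def probe(base_url, token, timeout=10):
    """Lint first, then make the call; the token is never echoed in the result."""
    problems = lint_scim_config(base_url, token)
    if problems:
        return "config: " + "; ".join(problems)
    try:
        with urllib.request.urlopen(build_probe(base_url, token), timeout=timeout) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as exc:
        hint = " (token invalid or revoked)" if exc.code == 401 else ""
        return f"HTTP {exc.code}{hint}"
    except urllib.error.URLError as exc:
        return f"unreachable: {exc.reason}"
    except ValueError:
        return "response is not JSON; check the base URL"
    schemes = [s.get("type") for s in body.get("authenticationSchemes", [])]
    return f"ok: authenticationSchemes={schemes}"

if __name__ == "__main__":
    # Assumed variable names; reading the token from the environment keeps it out of shell history.
    print(probe(os.environ["SCIM_BASE_URL"], os.environ["SCIM_TOKEN"]))
```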

Part 4 — Enable provisioning

Open the Provisioning tab

Click the Provisioning tab on the Scrydon SCIM app.

Turn on provisioning

Under Workflow, check Enable provisioning.

Set admin approval requirements

Configure whether OneLogin admins must approve Create, Delete, and Update operations before they are pushed to Scrydon.

Scrydon recommends enabling approval during the initial rollout so you can catch any unexpected provisioning actions before they hit production. Turn off approval once you're confident the sync is behaving correctly.

Set user deletion behavior

Under When users are deleted in OneLogin, perform the following in the app:

Select Delete.

Even though this setting says "Delete", Scrydon performs a soft delete: the user is deactivated (banned + sessions revoked + org membership removed) but the user record is preserved in Scrydon for audit purposes. This is the safest option and matches how OneLogin's "Delete" semantics behave with most enterprise SCIM targets.

Under When user accounts are suspended in OneLogin, select Suspend — this also maps to Scrydon's soft-delete behavior.

Part 5 — Configure group provisioning

Refresh the entitlements

Still on the Provisioning tab, scroll to the Entitlements section and click Refresh. OneLogin queries Scrydon for the list of available groups via GET /scim/v2/Groups.

Open the Parameters tab

Click the Parameters tab.

Enable the Groups parameter

Under Optional Parameters, click Groups. In the dialog, check Include in User Provisioning and click Save.

Create a rule for automatic group assignment

Click the Rules tab, then click New Rule.

Example rule that syncs OneLogin users from the Engineering role into the Scrydon engineering team:

| Field | Value |
| --- | --- |
| Rule name | Engineering → Scrydon team |
| Condition | Roles → include → Engineering |
| Action | Set Groups in Scrydon to → engineering |

Save the rule. OneLogin will automatically assign matching users to the specified Scrydon team during sync.

Part 6 — Assign users and run the first sync

Assign users to the Scrydon app

Navigate to Users → Users in OneLogin. Select a user, scroll to the Applications section, and click +. Add the Scrydon SCIM app.

Repeat for each user you want to provision, or use a OneLogin role-based mapping to bulk-assign.

Trigger the initial sync

From the Scrydon SCIM app page, click More Actions → Sync logins. OneLogin pushes all assigned users to Scrydon.

Verify in Scrydon

In Scrydon, check Settings → Organization → Members for the provisioned users and Settings → Organization → Teams for the synced groups.

Check Settings → Platform → Audit Logs filtered on scim.* events to see the provisioning activity.

Managing the integration

Removing a user

Either:

  • Unassign the user from the Scrydon app in OneLogin (go to the user's Applications section and click the trash icon next to Scrydon), or
  • Suspend / delete the user in OneLogin — the app's deletion behavior kicks in (see Part 4, Step 5).

Both paths result in Scrydon performing a soft delete: the user is deactivated but the record is preserved.

If the same user is later re-added in OneLogin, Scrydon automatically reactivates the existing record — audit history and owned resources are restored. No manual Scrydon-side action required.

Rotating the token

  1. In Scrydon, go to Settings → Platform → Identity → Provisioning (SCIM) and generate a new token with a new label (e.g. onelogin-rotated-2026-04-08).
  2. In OneLogin, go to the Scrydon SCIM app → Configuration → paste the new token into SCIM Bearer Token → Save.
  3. Click More Actions → Sync logins to verify the new token works.
  4. Once confirmed, go back to Scrydon and revoke the old token.

Troubleshooting

Common error messages

| Error | Meaning | Fix |
| --- | --- | --- |
| 401 Unauthorized | Token invalid or revoked | Regenerate token in Scrydon, update OneLogin configuration |
| 400 mutability: email is immutable via SCIM | Tried to change an existing user's email | Delete and re-create the user instead |
| 400 mutability: userName is immutable via SCIM | Tried to change userName | Same as above |
| 507 Insufficient Storage | Scale cap reached | Contact support |
| 409 uniqueness | Duplicate externalId or two OneLogin identities mapping to the same Scrydon email | Resolve the conflict in OneLogin |
| 429 Too Many Requests | Rate limit exceeded | OneLogin retries automatically |

"Groups list is empty" in OneLogin entitlements

This means OneLogin can reach Scrydon's /scim/v2/Groups endpoint but no groups exist yet. Create at least one team in Scrydon (or push a group from OneLogin first), then click Refresh on the entitlements section again.

User deleted in Scrydon directly

Do not delete users directly in Scrydon while they are still managed by OneLogin. OneLogin's next sync will fail with 404 Not Found on that user. Always deprovision via OneLogin so state stays consistent.

If this happens accidentally, re-assign the user in OneLogin and run Sync logins — OneLogin will recreate the user via SCIM.

Unsupported operations

| Operation | Behavior |
| --- | --- |
| Changing a user's email via OneLogin | Rejected with 400 |
| Changing a user's userName via OneLogin | Rejected with 400 |
| Renaming a synced group in OneLogin | OneLogin PATCH accepted, Scrydon Team name not updated |
| Nested OneLogin roles → single Scrydon team | OneLogin rules match users with the role directly assigned. Users who inherit the role via a parent/child relationship are not synced unless the parent role is also targeted by a rule. For truly nested group hierarchies, Scrydon supports up to 3 levels of SCIM group nesting — structure your rules in OneLogin accordingly. |
| Nested group depth beyond 3 | Rejected by Scrydon with 400 invalidValue ("nested group depth exceeds 3") |
| Service principals / machine accounts | Not synced |
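
The 3-level nesting limit can be checked before a sync rather than discovered through 400 responses. The following is an added example, not Scrydon code: it walks a set of SCIM Group resources, computes each group's nesting depth and reports the ones over the limit. This page does not state how Scrydon counts levels, so the example assumes a group with no group members is level 1; the function names and sample data are constructed.

```python
def nesting_depth(groups):
    """Map group id -> nesting depth (assumption: a group with no group members is level 1)."""
    children = {
        g["id"]: [m["value"] for m in g.get("members", []) if m.get("type") == "Group"]
        for g in groups
    }
    depth = {}

    def visit(gid, path):
        if gid in path:  # a group that contains itself, directly or indirectly
            raise ValueError("group cycle: " + " -> ".join(path + (gid,)))
        if gid not in depth:
            kids = [k for k in children[gid] if k in children]  # skip ids not in this set
            depth[gid] = 1 + max((visit(k, path + (gid,)) for k in kids), default=0)
        return depth[gid]

    for gid in children:
        visit(gid, ())
    return depth


def over_limit(groups, limit=3):
    """displayName of every group whose nesting is deeper than `limit` levels."""
    depth = nesting_depth(groups)
    return sorted(g["displayName"] for g in groups if depth[g["id"]] > limit)


# Constructed sample: SCIM Group resources reduced to the attributes used here.
SAMPLE_GROUPS = [
    {"id": "g1", "displayName": "company", "members": [{"value": "g2", "type": "Group"}]},
    {"id": "g2", "displayName": "engineering", "members": [{"value": "g3", "type": "Group"}]},
    {"id": "g3", "displayName": "platform", "members": [{"value": "g4", "type": "Group"},
                                                          {"value": "u1", "type": "User"}]},
    {"id": "g4", "displayName": "sre", "members": [{"value": "u2", "type": "User"}]},
]

if __name__ == "__main__":
    print(nesting_depth(SAMPLE_GROUPS))
    print(over_limit(SAMPLE_GROUPS))
```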