Provision with OneLogin

This article describes how to provision users in Sumo Logic with OneLogin.

Prerequisites

Create an access key

Create an access key. (We recommend using a service account to create the access key.) This access key will provide authorization to provision users from OneLogin into Sumo Logic.

When you create the access key, copy its access ID and access key values. You will enter these when you use Base64 encoding to Base64 encode <access ID>:<access key> to generate a token.

Configure provisioning with OneLogin

Step 1: Create the app

1. Log in to your OneLogin account as an administrator.
2. Select Applications > Applications.
3. Click Add App.
   
4. Select SCIM Provisioner with SAML (SCIM v2 Enterprise).
5. Change the Display Name to the name you want to use for your app.
6. Click Save.
   

Step 2: Set up single sign-on

Follow the directions in Configure a SAML app in OneLogin beginning with the step where you configure the SSO tab.

When you follow these instructions, on the Configuration tab you'll add the SAML Audience URL and SAML Consumer URL. Obtain these values from the assertion consumer URL and entity ID on the SAML configuration of the Sumo Logic tenant where you will provision users.

note

Also on the Configuration tab, for SCIM Base URL enter the API endpoint for your deployment for the SCIM User Management APIs using the format <api-endpoint>/v1/scim/. For example, https://api.sumologic.com/api/v1/scim/. You will perform additional configuration of the app later.

Step 3: Set up roles

1. Add a custom role field:
   1. From the main menu, select Users > Custom User Fields.
   2. Click New User Field.
   3. For Name enter roles.
   4. For Short name enter roles.
   5. Click Save.
      
2. Navigate to Applications > Applications.
3. Select the application you created in Step 1.
   
4. Select Parameters.
   
5. Add the role parameter:
   1. Click +.
   2. In Name enter roles.
   3. Select Include in SAML Assertion.
   4. Click Save.
   5. In Value select roles (Custom).
   6. Click Save.
      
6. Add the rest of the parameters as shown. When you add the custom parameters, select Include in SAML assertion.
   

Step 4: Set up provisioning

1. In the app, select Configuration.
2. Configure the app:
   1. Enter the SAML Audience URL (entity ID) and SAML Consumer URL (assertion consumer URL) for your Sumo Logic instance:
      
      Obtain the assertion consumer URL and entity ID from the SAML configuration of the Sumo Logic tenant where you will provision users. You set up this SAML configuration in Step 2.
      
   2. For API Status, click Enable.
   3. For SCIM Base URL, ensure that you have entered the API endpoint for your deployment for the SCIM User Management APIs using the format <api-endpoint>/v1/scim/. For example, https://api.sumologic.com/api/v1/scim/.
   4. For SCIM JSON Template, enter the following:

      {
        "schemas": [
          "urn:ietf:params:scim:schemas:core:2.0:User"
        ],
        "userName": "{$parameters.scimusername}",
        "name": {
          "familyName": "{$user.lastname}",
          "givenName": "{$user.firstname}"
        },
        "emails": [{
          "value": "{$user.email}",
          "type": "work",
          "primary": true
        }],
       "roles": [{
            "value": "{$user.custom_fields.roles}",
            "primary": true
          }]
      }
   5. For Custom Headers, enter:

      Accept: application/scim+json
      Content-Type: application/scim+json
   6. For SCIM Bearer Token, use Base64 encoding to encode <access ID>:<access key> (see Prerequisites). Enter the resulting value into the SCIM Bearer Token field.
   7. Click Save.
3. Enable provisioning:
   1. In the app, select Provisioning.
   2. Select Enable Provisioning.
   3. Click Save.
      

Step 5: Assign users to the app

1. Create a new user:
   1. From the main menu, select Users > Users.
   2. Click New User.
   3. Enter First Name, Last Name, and Email.
   4. Under Custom Fields, for roles enter Administrator.
   5. Click Save User.
      
2. Assign the app to the user:
   1. While viewing the user, click Applications.
   2. Click +.
   3. Select the app you created in Step 1.
   4. Click Continue.
   5. Click Save.
      
3. Approve the user for provisioning:
   1. From the main menu, select Applications > Applications.
   2. Select the application you created in Step 1.
   3. Select Users.
   4. Click Pending on the user you want to approve for provisioning.
      
   5. Click Approve.
      
   6. The user is provisioned to Sumo Logic.

Step 6: Verify provisioning

Users assigned to the app are provisioned into Sumo Logic.

1. Verify in OneLogin:
   1. In the main menu, select Provisioning and then select the Monitoring tab.
   2. The events for provisioned users should appear. Click an event for details.
2. Verify in Sumo Logic:
   1. Log in to the Sumo Logic instance that you linked to the provisioning app in Step 2 when you provided the Assertion Consumer URL and entity ID.
   2. Classic UI. In the main Sumo Logic menu, select Administration > Users and Roles > Users.
      New UI. In the top menu select Administration, and then under Users and Roles select Users. You can also click the Go To... menu at the top of the screen and select Users.
   3. Search for the users provisioned from OneLogin.
   4. You should see the users listed, and with the role given to when you assigned them to the app in OneLogin.

Syncing between OneLogin and Sumo Logic

When you modify the name, email, or role of a user assigned the app in OneLogin, the changes will be synced to the corresponding user in Sumo Logic.

If you unassign a user from the app in OneLogin, the corresponding user is deactivated in Sumo Logic. (If you later try to reassign that same user to the app, it will result in an error in Sumo Logic. You must delete the old user from Sumo Logic first so that the user can be provisioned once again from OneLogin.)