How does OneLogin work with Envoy?
If your team uses OneLogin for employee provisioning, you can use this app to automatically keep your Envoy employee directory up to date. The SCIM push-based system treats the OneLogin directory as your source of truth. When changes are made in OneLogin, they push immediately to Envoy, so you don’t have to worry about the Envoy employee directory being out of sync with OneLogin.
Note: You can manually create new employees or add employees from other locations while maintaining your directory sync. This feature is helpful for contractors, temps or other people who may host visitors/receive deliveries but are not core team members. Learn more about manually adding employees.
To learn more about single sign-on, read our SAML guide.
The SCIM standard enables advanced provisioning in order to automate user lifecycle management for an application, including account creation, profile updates, authorization settings, and account deactivation.
If you’re using this new option from OneLogin and would like to update your Envoy + OneLogin application, please contact us and read on.
Employee provisioning
Setup OneLogin account
First, make sure you have a OneLogin account and your employees are setup. You’ll need to have OneLogin admin privileges to complete the following steps. Either become an admin or ask your admin for help before completing these steps.
Enable OneLogin in Envoy
After you've setup your OneLogin account and added your employees, complete the next steps to install and setup the app in Envoy.
Navigate to Apps > All Apps.
Click on Directory and SSO > Directory Settings.
Click Install under OneLogin.
Choose from one of the two following options for syncing employees to your directory and click Save:
Sync all users: This is good for companies with one location, or if you prefer to have the same master Envoy employee directory at all locations within your company.
Sync specific users per location: Choose this option if you’d like to sync certain OneLogin users to certain locations (i.e., creating different Envoy employee directories per location).
You can filter employees by location in Envoy based on available filters like “City”. If your OneLogin account does not currently have City as a field, you will need to add it by navigating to the Users tab and clicking on Add Custom Field. Then you’ll need to manually map all users to the City field.
To sync users per location, you’ll have to select “Sync specific users per location” in your Envoy dashboard. Copy the new Bearer Token and paste it into the Bearer Token field in your OneLogin account.
To add a new location after the initial mapping, you’ll need to disconnect the app in your Envoy dashboard, add the new location, and then reconnect the app to OneLogin. Before doing so, ensure that your new location’s employees are mapped in your OneLogin directory.
Take note of your OAuth Bearer Token. You will need to add this to OneLogin in the next step. You can always Regenerate a new token if needed.
App install/OAuth Bearer Token
After you've setup your OneLogin app in Envoy, navigate back to OneLogin to install the Envoy app and input the OAuth Bearer Token you copied earlier.
In your OneLogin account, navigate to your OneLogin dashboard.
Click on Apps and then Add Apps.
Find Envoy (SAML2.0, provisioning) in your app directory and add the app.
Click on the Envoy (SAML2.0, provisioning) icon and click Save.
Now on the Envoy app configuration tab, copy the OAuth Bearer Token from Envoy and paste it in the API Token field in OneLogin.
Navigate to the Provisioning tab.
Make sure that “Create Users,” “Update User Attributes,” and “Deactivate Users” are all set to disable (box not checked).
Select “Delete User” on the dropdown field.
Click on “Enable provisioning for Envoy”.
Click Save.
Under the “More Options” button, click on “Reapply entitlement mappings”.
Navigate back to the Envoy Employee directory > All employees and refresh the page. Your employees should have imported automatically. (This can take up to a few hours.)
Optional fields:
Add Department field
If you would like to sync your employee's department to Envoy, you may need to enable the field in the Envoy application
Go to Applications > Applications
Select the Envoy app
Go to Parameters > Optional Parameters
Click on Department
Check the box "Include in User Provisioning"
Add Manager field
OneLogin has a default field for Manager. Navigate to User Info, use the Manager dropdown to search for the desired user, and click to confirm.
Mapping for the manager field is already configured within Envoy. To check this, use the following steps:
Go to Applications > Applications and select the Envoy app.
Go to Parameters > Required Parameters, the manager field should be pre-configured as follows:
Field = Manager ID
Value = User Manager
Type = manager
FAQ & Troubleshooting Employee Provisioning
When updating or adding employees, Envoy will match based on the primary email address listed for the OneLogin user. If the primary email address is not found in Envoy, a new employee will be added to the Envoy employee directory.
The primary email address and phone number listed in OneLogin will be the email address and phone number listed in the Envoy employee directory. If a OneLogin user does not have a primary email address, they will not be synced to the Envoy employee directory.
If you plan to assign assistants manually within the web dashboard, please reach out to Envoy Support prior to setting up SCIM syncing to configure this on your account.
What do I do if my Manager field is not updating?
Re-provision the directory by executing the steps below – make sure your users were previously assigned to your Envoy app:
Log in to OneLogin
Go to Applications > Applications and select the Envoy app
Go to Users > you should view a list with all the users that you have assigned to your Envoy app with provisioning state = Pending
Click on the user you want to SCIM sync, and click Approve. This should cause the provisioning state to change to Provisioned.
Admin Provisioning
Envoy makes it easy for our customers on Visitors Enterprise and Workplace Premium Plus to automatically provision their admin users from OneLogin using SCIM groups.
Groups and user settings
To sync your admins using SCIM, you will need to create groups in OneLogin. Please complete the following steps in order to create your groups and ensure they are setup correctly.
Add user group provisioning to the Envoy OneLogin app:
Ensure that the Envoy OneLogin app is added and configured in OneLogin. Refer to our help article for more information.
In the Envoy OneLogin app's Parameters, under Optional Parameters, select Groups and check the box for "Include in User Provisioning".
Click Save.
Add a rule to the Envoy OneLogin app to map OneLogin roles to Envoy groups:
In the Envoy OneLogin app, go to Rules and click on "Add Rule."
Name the rule and select "Set Groups in [Envoy app name]" under Actions.
Select "Map from OneLogin" under "For each" and enter the name of the role you created or enter the regex ".*" to match any roles. Then, click Save.
Create a OneLogin role to be used as your Envoy Employee Group:
In OneLogin, go to Users > Roles and click on "New Role."
Enter a name for the new role and click Save.
Open the new role and click on "Applications."
Click the "Add Apps" button and select the Envoy OneLogin app. Click Save.
Click on "Users."
Add the users to the role by searching for each user, clicking Check, and then clicking "Add To Role" for each user
Click Save.
It may take a few minutes for the group and its members to be pushed to the Envoy app.
Here’s additional information on how to create groups from OneLogin.
Sync your directory
If you have not done so already please follow the above instructions, to sync your directory.
Assign Admin Roles
After you've created your employees groups in OneLogin and have synced your directory, you can grant admin roles to those groups in Envoy.
Navigate to your Employee directory > Admin roles.
Click on Sync Settings at the top of the page.
Under Sync admins, select the group you want to assign roles to.
Select an Envoy role and one or more location from the dropdown menu for each group. (The list of group names is pulled from OneLogin.)
Click Add > Done.
FAQ -
Custom Fields:
Remote Status and Primary Location are not currently available for OneLogin. We hope to implement this in the future, but there is not a timeline for when this will be available.
Admin Provisioning
Admins can only have one location role and one company role using SCIM.
Location roles:
Location admin
Front desk admin
Deliveries
Security admin
Company roles:
Global admin
Billing admin
Envoy will give admins the higher role assigned. For example, If a user is in multiple groups in OneLogin and each group is mapped to two different location roles (Front Desk Admin and Location Admin), then the admin will be assigned the Location Admin role.
Non-custom roles will always take priority over custom roles. Employees should only be assigned one admin role per location. If multiple admin roles are assigned to one employee, the non-custom role will take priority.
For example, if an employee is assigned a Front Desk admin role, but then also assigned a custom role with more permissions than a Front Desk Admin, the employee will retain only the original Front Desk Admin permissions.
If you already have manual entries in the directory and sync with a SCIM, this will take over and delete the manual entries.
Synced roles will take priority over manual only if the synced role has higher priority permissions. If you have a front desk admin role (manual) and you are SCIM mapped to the security admin role, you will still have a manual front desk admin role for that location.
If you disconnect OneLogin, your roles will turn into manual roles and will stop syncing. Your mappings won't be saved and you will start from scratch the next time you sync with a SCIM.
You cannot manually delete synced roles. You must remove that person from the OneLogin group first.
If you are not seeing the roles you are looking for, be sure to check the filters at the top of the page.
