Enabling SCIM disables Forest user editing. All user management must be done through OneLogin.
Supported Features
The OneLogin SCIM integration enables:
- User provisioning from OneLogin to Forest
- Updating user role, permission level, and tags
- Deleting users when removed from the Forest app in OneLogin
- SCIM Groups for team assignment
Configuration Steps
1. Adding the Forest App
Navigate to OneLogin’s Application tab, select “Add App,” then search for and select “SCIM Provisioner with SAML (SCIM v2 Core).”
2. Authentication Setup
Name your app, then enable User provisioning in Forest project settings. This generates a token to paste into OneLogin.
3. SCIM Base URL
Add this endpoint: https://api.forestadmin.com/scim
4. JSON Template Configuration
The SCIM template includes user schemas with custom Forest parameters for permissionLevel, role, tags, and teams.
5. Custom Parameters
- permissionLevel: Must match existing Forest permission level exactly
- role: Must match existing project role exactly
- teams: Comma-separated team names (e.g., “Operators,Support”)
- tags: Key/value pairs separated by semicolons (e.g., “regions:France,Italie;job:developer”)
6. Mapping Rules
Create rules to automatically provide mandatory parameters (role, permissionLevel) and optional tags.
7. Custom User Attributes
Add custom fields in the Users tab under “Custom User Fields” so that mapping rules can be based on them.
8. SCIM Groups Management
Refresh entitlements to fetch OneLogin roles, then create mapping rules between OneLogin roles and Forest teams.
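A pre-flight check for the custom parameter strings from step 5, run on the values a mapping rule from step 6 would emit. This is an added example, not Forest's or OneLogin's code. The role, permission-level and team sets are constructed samples, and the strict reading of the separators (no padding, no empty items, no duplicate tag keys) is an assumption.

```python
# Added example: validate provisioning values before they reach the SCIM app.
# The sets below are constructed samples; replace them with the project's own.
KNOWN_ROLES = {"Operations", "Support Agent"}          # constructed
KNOWN_PERMISSION_LEVELS = {"admin", "editor", "user"}  # constructed
KNOWN_TEAMS = {"Operators", "Support"}                 # constructed


def parse_teams(raw):
    """Split "Operators,Support" into names; empty or padded items are errors."""
    names = raw.split(",") if raw else []
    if any(n == "" or n != n.strip() for n in names):
        raise ValueError(f"empty or padded team name in {raw!r}")
    return names


def parse_tags(raw):
    """Parse "key:v1,v2;key2:v3" into {key: [values]} (assumed reading)."""
    tags = {}
    for pair in raw.split(";") if raw else []:
        key, sep, values = pair.partition(":")
        if not sep or not key or key != key.strip():
            raise ValueError(f"malformed tag {pair!r}")
        vals = values.split(",")
        if any(v == "" or v != v.strip() for v in vals):
            raise ValueError(f"empty or padded value in tag {pair!r}")
        if key in tags:
            raise ValueError(f"duplicate tag key {key!r}")
        tags[key] = vals
    return tags


def validate_user(params):
    """Return a list of problems; an empty list means the values are usable."""
    problems = []
    # Mandatory parameters must match exactly: no case folding, no trimming.
    if params.get("role") not in KNOWN_ROLES:
        problems.append(f"role {params.get('role')!r} does not match a project role")
    if params.get("permissionLevel") not in KNOWN_PERMISSION_LEVELS:
        problems.append(f"permissionLevel {params.get('permissionLevel')!r} is unknown")
    for parser, field in ((parse_teams, "teams"), (parse_tags, "tags")):
        try:
            parsed = parser(params.get(field, ""))
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if field == "teams":
            problems += [f"team {t!r} does not exist" for t in parsed if t not in KNOWN_TEAMS]
    return problems
```

Running `validate_user` over an export of the mapped attributes before enabling provisioning surfaces near-miss values such as a differently cased role name, which would not match exactly.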