Automated User Provisioning

In addition to letting users log in to OneCloud via SSO, OneCloud can also provision users automatically, on the fly, when the identity provider sends a SAML response.

To get started with automated user provisioning, first make sure that your organization has configured OneCloud's SAML SSO with its identity provider. Once that is in place and your company's SAML token is available, configure your identity provider to send its SAML response as a POST request to the following URL:

https://app.onecloud.io/saml/consume/<YOUR_SAML_TOKEN>

Required Attributes for Provisioning

Audience URI (SP Entity ID): https://app.onecloud.io/saml/metadata.xml

OneCloud enforces user uniqueness via the user’s email address, so the name ID of the SAML request must contain an email address. Make sure the request uses the following name ID formats:

Name ID Formats
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress (preferred)
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified (supported)

Within the SAML response, make sure to have the following attributes in order to correctly identify the user: 

Attribute     Description
first_name    The user's first name
last_name     The user's last name

Optional Attributes for Provisioning

If you need to synchronize the tenant ID, Workspaces, and User Groups with an external system, the following optional attributes can be included in the SAML response. Supplying them also makes it possible to create Workspaces and User Groups on the fly:

Attribute        Description
user_name        The username associated with this user in an external system. This attribute is stored as metadata on the OneCloud user created for the request, tying that user to the external system.
organization_id  An external ID that is stored on your OneCloud company tenant. It can be used to associate the tenant with the equivalent construct in an external system.
role             The role of the newly provisioned user in OneCloud. The following options are available:
  • workspace_admin: Administrative access to the Workspace in which the user is provisioned (see the workspace_id / workspace_name descriptions below).
  • super_admin: Ability to manage child companies through the partner portal. This role is only available to OneCloud companies that are registered as partners.
  • company_admin: Administrative access to the entire OneCloud Company.
workspace_id     An identifier for the equivalent of a OneCloud Workspace in an external system. When this value is specified, a OneCloud Workspace is created if none exists with this external identifier. If a Workspace with this external identifier already exists, the user is simply granted access to it, based on the role specified.
workspace_name   The name of the OneCloud Workspace to be created. If the Workspace already exists, its name is overwritten with this value.
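As an added illustration (not OneCloud's code), the following Python checks a SAML 2.0 assertion against the required and optional provisioning fields described above: the Audience URI, an email-address NameID in one of the two accepted formats, the first_name and last_name attributes, and a valid role value. The sample assertion and its values are constructed; signature, Issuer and validity-window checks are assumed to have been done already and are not part of this check.

```python
import re
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree in production; the stdlib parser is not hardened

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
AUDIENCE = "https://app.onecloud.io/saml/metadata.xml"
NAMEID_FORMATS = {"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
                  "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"}
ROLES = {"workspace_admin", "super_admin", "company_admin"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_provisioning_assertion(xml_text):
    """Return (attributes, problems) for one assertion. An empty problems list means it
    carries the fields this article requires; signature/timestamp checks are assumed done."""
    problems = []
    root = ET.fromstring(xml_text)
    aud = root.findtext(f".//{SAML}Conditions/{SAML}AudienceRestriction/{SAML}Audience")
    if aud != AUDIENCE:
        problems.append(f"audience {aud!r} is not the OneCloud SP entity ID")
    name_id = root.find(f".//{SAML}Subject/{SAML}NameID")
    if name_id is None:
        problems.append("no NameID in Subject")
    else:
        if name_id.get("Format") not in NAMEID_FORMATS:
            problems.append(f"unsupported NameID Format {name_id.get('Format')!r}")
        if not EMAIL_RE.match((name_id.text or "").strip()):
            problems.append("NameID is not an email address")  # email is the uniqueness key
    attrs = {a.get("Name"): (a.findtext(f"{SAML}AttributeValue") or "").strip()
             for a in root.iter(f"{SAML}Attribute")}
    for name in ("first_name", "last_name"):
        if not attrs.get(name):
            problems.append(f"missing required attribute {name}")
    if "role" in attrs and attrs["role"] not in ROLES:
        problems.append(f"unknown role {attrs['role']!r}")
    return attrs, problems


# Constructed sample assertion (unsigned, made-up values) exercising the required and optional fields.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">
 <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://app.onecloud.io/saml/metadata.xml</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="last_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="role"><saml:AttributeValue>workspace_admin</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="workspace_id"><saml:AttributeValue>ext-ws-42</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(check_provisioning_assertion(SAMPLE))
```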

Brian is the author of this solution article.
