Skip to main content

Privacera Documentation

Preview: OneLogin UserSync

Currently as a Preview functionality, OneLogin can be configured to sync identities with Privacera UserSync


  • OneLogin Administrator account access with user provisioning enabled.

Privacera UserSync Configuration

Privacera Platform

These Privacera Manager variables need to be set in ~/privacera/custom-vars/vars.privacera-usersync.scimserver.yml:

  • Add :


  • Update:

    SCIM_SERVER_ATTRIBUTE_EMAIL: "emails[type-work].value"


  • In Configure Connector > Authentication Type, select Bearer and click Generate Token and Copy, making sure to save the token value for later.

  • In the Base User Attributes section, update the Email Address value to emails[type-work].value

OneLogin Configuration

Privacera App Configuration
  1. Access OneLogin and go to Apps -> Add Apps. Search and select "Privacera".

    Configuration values
    • SCIM BASE URL: Provide the Privacera Usersync SCIM Server URL, this varies slightly for PrivaceraCloud and Privacera Platform:

      PrivaceraCloud: (Can be copied from UserSync configuration UI){API_KEY}/usersync/{CONNECTOR_NAME}Platform:


    • SCIM Bearer Token: Provide the configured bearer token for SCIM Server connector.

    • SCIM JSON Template: Modify JSON Template for any custom attribute mappings required. (No changes required for default mapping.)  Note that the user field that is mapped to userName and must have a value for the integration .

  2. In the Privacera App, select the Parameters tab, then Groups. Scroll down and select the "Include in User Provisioning" option.

  3. Select the Rules tab to create groups in Privacera for each Role that a user belongs to in OneLogin, click Add Rule.


    Since Roles are created as part of a rule, some features do not perform as expected:

    • Role delete- If a role is deleted, users in Privacera will not be removed from the group and the group will not be made inactive. To account for this, remove all users from the Role prior to deleting the Role in OneLogin, then delete the matching group in Privacera.

    • Role rename- Renaming a Role in OneLogin will create a new group in Privacera.  Users will be removed from the group having the previous name and correctly associated with the new group.  The group with the old Role name can be manually deleted from Privacera Portal.

    Rule Mapping
    • Name: Provide desired name of rule. (Role to Group mapping)

    • Conditions: No changes.

    • Actions:

      1. Select Set Groups in {APP_NAME}.

      2. Select Map from OneLogin.

      3. For each “role” with value that matches “.*” set {APP_NAME} Groups name after roles.

  4. Under the Access tab, select any Roles containing users you require to be provisioned.

  5. Under the Provisioning tab:

    1. Check Enable Provisioning.

    2. Select actions that require approval before being provisioned: (For automatic provisioning unselect all actions.)

      • Create user

      • Delete user

      • Update user

    3. In the "When users are deleted in OneLogin…" dropdown, select Delete.

    4. In the "When user accounts are suspended in OneLogin..." dropdown, select Suspend.

  6. Click the Users tab to view a list of “assigned” users and current provisioning state.

  7. No changes are required in the Privileges tab.


    For more details of steps see the OneLogin documentation.