In order to get started with automated user provisioning, ensure that your organization has properly configured OneCloud's SAML with your organization's identity provider. Once this is configured, and your company’s SAML token is available, configure your identity provider to send a POST request to the following


Required Attributes for Provisioning

Audience URI (SP Entity ID):

OneCloud enforces user uniqueness via the user’s email address, so the name ID of the SAML request must contain an email address. Make sure the request uses one of the following name ID formats:

Name ID Formats

  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress (preferred)

  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified (supported)

Within the SAML response, make sure to have the following attributes in order to correctly identify the user:




The user's first name


The user's last name

Optional Attributes for Provisioning

If there is a need to synchronize the tenant ID, Workspaces, and User Groups to an external system, optional attributes can be provided in the SAML request. Using these attributes makes it possible to create Workspaces and User Groups on the fly:




The username associated with this user in an external system.

This attribute will be stored as metadata with the OneCloud user associated with the request to tie them to an external system.


An external ID that will be stored on your OneCloud company tenant.

This can be used to associate a construct similar to how a OneCloud company tenant is structured from an external system.


The role of the newly provisioned user in OneCloud.

The following options are available:

  • workspace_admin: Administrative access to the Workspace in which the user is provisioned (see workspace_id / workspace_name descriptions below).

  • super_admin: Ability to manage child companies through the partner portal. This role is only available to OneCloud companies that are registered as partners.

  • company_admin: Administrative access to the entire OneCloud Company.


An identifier for the equivalent of a OneCloud Workspace in an external system.

When specifying this value, a OneCloud Workspace will be created if it does not exist in the system. If a Workspace already exists with this external identifier, the user will simply be granted access to this Workspace, based on the role specified.


The name of the OneCloud Workspace to be created.

If the Workspace already exists, the name will be overwritten.
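
Because the role attribute in the assertion decides what access a newly provisioned user receives, it is worth linting the assertions your identity provider emits before enabling provisioning. The following is an added example, not OneCloud code: it checks the name ID format, that the name ID is an email address, and the role value against the options listed above. The attribute name is a placeholder (the real name is not shown here), treating super_admin and company_admin as "elevated" is an assumed policy, and the script does not verify signatures.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ALLOWED_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}
ALLOWED_ROLES = {"workspace_admin", "super_admin", "company_admin"}
ELEVATED_ROLES = {"super_admin", "company_admin"}  # assumed review policy
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Placeholder: substitute the role attribute name from your OneCloud setup.
ROLE_ATTR = "ROLE_ATTRIBUTE_NAME_PLACEHOLDER"

def check_assertion(xml_text, role_attr=ROLE_ATTR):
    """Return a list of findings for one decoded SAML assertion."""
    findings = []
    # Intended for your own IdP's test output; use defusedxml for untrusted XML.
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        return ["missing NameID"]
    fmt = name_id.get("Format")
    if fmt not in ALLOWED_FORMATS:
        findings.append(f"unsupported NameID format: {fmt}")
    if not EMAIL_RE.match((name_id.text or "").strip()):
        findings.append("NameID is not an email address")
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") != role_attr:
            continue
        for val in attr.iterfind("saml:AttributeValue", NS):
            role = (val.text or "").strip()
            if role not in ALLOWED_ROLES:
                findings.append(f"unknown role: {role}")
            elif role in ELEVATED_ROLES:
                findings.append(f"elevated role requested: {role}")
    return findings

# Constructed sample assertion (not captured from a real tenant).
SAMPLE = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{ROLE_ATTR}">
      <saml:AttributeValue>company_admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Running check_assertion(SAMPLE) reports the company_admin grant, so any identity provider rule that maps users to an elevated role is reviewed before it takes effect.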
