To get started with automated user provisioning, first make sure that your organization has configured OneCloud's SAML integration with your identity provider. Once that is done and your company's SAML token is available, configure your identity provider to POST its SAML response (HTTP-POST binding) to the following assertion consumer service URL:

https://app.onecloud.io/saml/consume/<YOUR_SAML_TOKEN>

Required Attributes for Provisioning

Audience URI (SP Entity ID): https://app.onecloud.io/saml/metadata.xml

OneCloud enforces user uniqueness by email address, so the NameID in the SAML assertion must contain the user's email address. Make sure the assertion uses one of the following NameID formats (with the unspecified format, the value must still be an email address):

Name ID Formats

urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress (preferred)
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified (supported)

Within the SAML response, include the following attributes so the user can be identified correctly:

first_name
    The user's first name

last_name
    The user's last name

Optional Attributes for Provisioning

If you need to synchronize the tenant ID, Workspaces, and User Groups with an external system, you can pass the following optional attributes in the SAML assertion. They also let you create Workspaces and User Groups on the fly. Because these attributes grant roles and create Workspaces, treat the attribute mappings at your identity provider as privileged configuration.

user_name
    The username associated with this user in an external system. It is stored as metadata on the OneCloud user created for the request, tying that user to the external system.

organization_id
    An external ID that is stored on your OneCloud company tenant. Use it to associate the tenant with the equivalent construct in an external system.

role
    The role of the newly provisioned user in OneCloud. The following options are available:

  • workspace_admin: Administrative access to the Workspace in which the user is provisioned (see the workspace_id and workspace_name descriptions below).

  • super_admin: Ability to manage child companies through the partner portal. This role is only available to OneCloud companies that are registered as partners.

  • company_admin: Administrative access to the entire OneCloud Company.

workspace_id
    An identifier for the equivalent of a OneCloud Workspace in an external system. When this value is specified, a OneCloud Workspace is created if none exists with this external identifier. If a Workspace with this external identifier already exists, the user is simply granted access to it with the role specified.

workspace_name
    The name of the OneCloud Workspace to be created. If the Workspace already exists, its name is overwritten with this value, so send a consistent name for a given workspace_id; otherwise each assertion that carries a different name renames the Workspace.
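The following Python script is an added example, not OneCloud's own code or documentation. It builds a minimal SAML 2.0 assertion carrying the NameID, Audience, required attributes and optional attributes described in the two sections above, and lints it against those rules before it is sent. It assumes the attributes are carried as bare <saml:Attribute Name="first_name"> elements with no NameFormat qualifier (the page lists only bare names), uses a hypothetical IdP entity ID (https://idp.example.com/metadata), and leaves the assertion unsigned; a real identity provider signs it and POSTs the enclosing response to the consume URL.

```python
"""Build and lint a SAML 2.0 assertion for OneCloud provisioning (added example)."""
import datetime as dt
import uuid
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Values taken from the page above.
SP_ENTITY_ID = "https://app.onecloud.io/saml/metadata.xml"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NAMEID_UNSPEC = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
ALLOWED_NAMEID_FORMATS = {NAMEID_EMAIL, NAMEID_UNSPEC}
REQUIRED_ATTRS = ("first_name", "last_name")
OPTIONAL_ATTRS = ("user_name", "organization_id", "role", "workspace_id", "workspace_name")
ALLOWED_ROLES = {"workspace_admin", "super_admin", "company_admin"}


def q(tag):
    """Clark-notation name for an element in the SAML assertion namespace."""
    return f"{{{SAML_NS}}}{tag}"


def build_assertion(name_id, attrs, name_id_format=NAMEID_EMAIL,
                    issuer="https://idp.example.com/metadata",  # hypothetical IdP entity ID
                    audience=SP_ENTITY_ID):
    """Return an unsigned <saml:Assertion> with the given NameID and attributes."""
    ET.register_namespace("saml", SAML_NS)
    issued = dt.datetime.now(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    assertion = ET.Element(q("Assertion"), {"ID": "_" + uuid.uuid4().hex,
                                            "Version": "2.0", "IssueInstant": issued})
    ET.SubElement(assertion, q("Issuer")).text = issuer
    subject = ET.SubElement(assertion, q("Subject"))
    ET.SubElement(subject, q("NameID"), {"Format": name_id_format}).text = name_id
    restriction = ET.SubElement(ET.SubElement(assertion, q("Conditions")),
                                q("AudienceRestriction"))
    ET.SubElement(restriction, q("Audience")).text = audience
    statement = ET.SubElement(assertion, q("AttributeStatement"))
    for name, value in attrs.items():
        attribute = ET.SubElement(statement, q("Attribute"), {"Name": name})
        ET.SubElement(attribute, q("AttributeValue")).text = value
    return ET.tostring(assertion, encoding="unicode")


def lint_assertion(xml_text):
    """Check an assertion against the page's rules.

    Returns (ok, problems, attrs): ok is True when no rule is violated,
    problems lists each violation, attrs maps attribute name -> first value.
    """
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != q("Assertion"):
        return False, ["root element is not saml:Assertion"], {}

    # NameID: one of the two accepted formats, and always an e-mail address,
    # because OneCloud keys users on their e-mail.
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("missing Subject/NameID")
    else:
        fmt = name_id.get("Format", NAMEID_UNSPEC)  # SAML default when omitted
        if fmt not in ALLOWED_NAMEID_FORMATS:
            problems.append(f"unsupported NameID format {fmt}")
        value = (name_id.text or "").strip()
        local, sep, domain = value.partition("@")
        if not (sep and local and domain):
            problems.append(f"NameID {value!r} is not an e-mail address")

    # Audience must name the OneCloud SP entity ID.
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        problems.append(f"Audience must include {SP_ENTITY_ID}")

    # Attributes: required ones present and non-empty, role from the allowed set.
    attrs = {}
    for attribute in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attribute.findall("saml:AttributeValue", NS)]
        attrs[attribute.get("Name")] = values[0] if values else ""
    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            problems.append(f"required attribute {name} is missing or empty")
    for name in attrs:
        if name not in REQUIRED_ATTRS + OPTIONAL_ATTRS:
            problems.append(f"{name} is not a provisioning attribute listed on this page")
    role = attrs.get("role")
    if role is not None and role not in ALLOWED_ROLES:
        problems.append(f"role {role!r} is not one of {sorted(ALLOWED_ROLES)}")
    return not problems, problems, attrs


if __name__ == "__main__":
    # Constructed sample user: the e-mail and workspace values are made up.
    good = build_assertion("jane.doe@example.com", {
        "first_name": "Jane", "last_name": "Doe", "role": "workspace_admin",
        "workspace_id": "ext-ws-42", "workspace_name": "Finance"})
    print(lint_assertion(good)[:2])
    # NameID is not an e-mail, last_name is missing and the role is unknown.
    bad = build_assertion("jdoe", {"first_name": "Jane", "role": "owner"})
    print(lint_assertion(bad)[:2])
```

Run the script as-is to see a passing and a failing assertion side by side, or feed lint_assertion the decoded assertion your identity provider emits in a test tenant before enabling provisioning. The linter only checks the rules the page states; it does not verify the XML signature, which your identity provider and OneCloud handle.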

