Note
In OneTrust's Legacy SCIM Integration, only provisioning of users was supported. As of OneTrust 6.29, OneTrust encourages updating to the enhanced SCIM Integration. In addition to the existing User Provisioning functionality available with the Legacy SCIM Integration, the enhanced SCIM Integration offers Site Admins the ability to use Group Provisioning to provision user groups in the OneTrust application. Group Provisioning also allows Site Admins to manage access for users by provisioning them to one or more user groups. Legacy SCIM Integration users can update their integration to use the enhanced SCIM Integration with the Group Provisioning feature by completing the "To enable the enhanced SCIM Integration with Group Provisioning" procedure below.
OneTrust supports cross-domain identity management through the SCIM 2.0 specification. System for Cross-Domain Identity Management (SCIM) is an open specification to help facilitate the automated management of user identities and groups in cloud applications using RESTful APIs. This allows organizations to manage and update user information across domains and applications.
OneTrust's Legacy SCIM Integration leverages the Organization and Role attributes to describe subsets of users. Each OneTrust user will fall into a group that is a combination of both an organization and an assigned role.
Note
OneTrust offers technical documentation about API integrations and calls through its Developer Portal. For more information, see Developer Portal Access.
To enable the enhanced SCIM Integration with Group Provisioning
Existing accounts that enabled Legacy SCIM User Provisioning prior to OneTrust 6.29 can enable the enhanced SCIM Integration with Group Provisioning by clicking the Enable button on the banner that appears on the User Provisioning screen.
If you'd like to enable the enhanced SCIM Integration with Group Provisioning, complete the following procedure, then see SCIM User & Group Provisioning for documentation on the enhanced SCIM Integration. Otherwise, skip this procedure and proceed to "To configure SCIM in OneTrust using the Legacy SCIM Integration".
Caution
The enhanced SCIM Integration uses SCIM V3 APIs. Once you enable the enhanced SCIM Integration, the SCIM V2 APIs will no longer return the same responses. Keep this in mind if you have custom integrations that rely on the SCIM V2 APIs.
- Click the gear icon in the upper right-hand corner to access Global Settings.
- On the menu, select . The User Provisioning screen appears with a banner at the top of the screen.
- Click the Enable button on the banner. The Enable Enhanced SCIM Integration modal appears.
Note
By enabling the enhanced SCIM Integration, the SCIM Base URL will be updated to V3. While it is not necessary to update the SCIM Base URL in your IdP, OneTrust recommends updating the SCIM Base URL to avoid any confusion in the future. However, SCIM Integration will continue to function regardless of whether this update is made.
- Click the Confirm button.
To configure SCIM in OneTrust using the Legacy SCIM Integration
- Click the gear icon in the upper right-hand corner to access Global Settings.
- On the menu, select . The User Provisioning screen appears.
- In the SCIM Base URL field, click the Copy URL button to copy the SCIM Base URL to your computer's clipboard.
Note
You will need to provide the SCIM Base URL during the IdP configuration process. For more information, see IdP Configuration.
- In the Organization field, select the default organizational group to which users should be assigned on creation through SCIM.
- In the Role field, select the default role to which users should be assigned on creation through SCIM.
Note
External roles, such as Data Subject and Invited, cannot be selected in this field.
- Click the Save button.
To test connection in IdP
To test the connection in your IdP, you will need to generate either OAuth 2.0 client credentials or API keys with the SCIM scope, using the Client Credentials screen or the API Keys screen, respectively. For more information, see Managing OAuth 2.0 Client Credentials or Managing OAuth 2.0 API Keys.
Client Credentials Method
- Copy and paste the SCIM Base URL, Client ID, and Client Secret into your IdP.
Note
Some IdPs may require that the access token be entered directly instead of the Client ID and Client Secret. For more information on generating an access token, see the To generate a token procedure in Managing OAuth 2.0 Client Credentials.
- Test the connection in your IdP.
API Keys Method
- Copy and paste the SCIM Base URL and API key into your IdP.
- Test the connection in your IdP.
To use SCIM in OneTrust, you must configure your IdP and SCIM client to accept and use SCIM. For more information about how to configure your IdP to use SCIM, see the following links:
User and Group Attribute Mapping
OneTrust's implementation of SCIM uses a combination of standard and custom attributes to describe Users and Groups. The following tables describe the mapping of those attributes to the OneTrust access management properties.
User Attribute Mapping
Group Attribute Mapping