Set Groups rule.
Prerequisites
- Single sign-on between TrueFoundry and OneLogin is already configured. Follow SAML with OneLogin first.
- You have Admin access in both TrueFoundry and OneLogin.
- You’re on TrueFoundry v0.143 or higher. (On earlier versions, SCIM is configured directly inside the SSO form.)
OneLogin’s SCIM provisioner is a separate app from the SAML SSO app — you don’t reuse the SAML Custom Connector you created for sign-in. Both apps coexist in the same OneLogin account and reference the same set of users and roles.
Step 1 — Generate the SCIM credentials in TrueFoundry
Enable SCIM provisioning
In TrueFoundry, go to Settings → Security & Access → Provisioning and turn on the SCIM toggle.
Step 2 — Create the SCIM app in OneLogin
Open Applications
In the OneLogin admin console, click Applications → Applications, then click Add App in the top right.
Find the SCIM Provisioner app
In the Find Applications search bar, type
SCIM. From the list, choose SCIM Provisioner with SAML (SCIM v2 Enterprise).Even though you’ll only use the SCIM half of this connector, OneLogin ships the SAML and SCIM components together. You can leave the SAML side of this app untouched — the actual sign-in flow is still handled by the SAML Custom Connector you set up in the SAML guide.
Step 3 — Connect OneLogin to TrueFoundry’s SCIM endpoint
Paste the SCIM credentials
Enter the values you copied from TrueFoundry in Step 1:
| OneLogin field | Paste this value from TrueFoundry |
|---|---|
| SCIM Base URL | TrueFoundry SCIM URL (from View Config) |
| SCIM Bearer Token | TrueFoundry Token (from View Config) |
Step 4 — Turn on provisioning
(Optional) Skip manual approvals
Under Require admin approval before this action is performed, uncheck the boxes for any of:
- Create user
- Delete user
- Update user
Step 5 — Include groups in user provisioning
By default, OneLogin doesn’t send a user’s group memberships to SCIM apps. Flip that on so TrueFoundry can create teams.Step 6 — Assign users to the SCIM app
Open Users
In the OneLogin top navigation, click Users → Users and select the user you want to provision into TrueFoundry.
Assign the SCIM app
From the user page, click the Applications tab on the left and click the + icon. Pick the SCIM app you created in Step 2 from the dropdown and click Continue, then Save.
Step 7 — Push groups (roles) to TrueFoundry
OneLogin doesn’t have a native concept of “groups” — instead, you use Roles plus a Rule that translates the user’s roles into agroups attribute that the SCIM app sends to TrueFoundry.
Create a Role
In OneLogin’s top navigation, click Users → Roles and click New Role. Give the role a meaningful name (e.g.
truefoundry-admins), select the SCIM app you created in Step 2, and click Save.Add users to the Role
On the role’s detail page, open the Users tab. Search for the users you want in this team, click Add To Role for each, and click Save.
Add a Set Groups rule on the SCIM app
Go back to your SCIM app and click the Rules tab on the left. Click Add Rule and:
- Name — something like
Set Groups from Roles. - Actions — choose Set Groups in
<your SCIM app name>from the dropdown. - Configure the action as for each role with values that match
<your SCIM app name>.
Approve any pending provisions
Return to the SCIM app’s Users tab. If you see Pending provisions, click that text and Approve the changes. OneLogin pushes the new group memberships to TrueFoundry on the next sync.
Verify in TrueFoundry
In TrueFoundry, go to Access → Users to confirm the assigned users appear, and check Access → Teams to see the roles materialised as teams. See Provision teams via SCIM for how group names map to TrueFoundry team names.
How SCIM behaves with OneLogin
- Event-driven sync — OneLogin pushes changes (create, update, delete, role/group changes) as they happen rather than on a polling schedule.
- Deactivation vs deletion — When you unassign a user from the SCIM app, OneLogin sends a SCIM delete or
active=falsepatch. TrueFoundry deactivates the user instead of hard-deleting them. - Role → group naming — A OneLogin Role assigned to the SCIM app surfaces as a
groupsvalue on each user; TrueFoundry uses that to populate team memberships.
Troubleshooting
A user was assigned but never appeared in TrueFoundry
A user was assigned but never appeared in TrueFoundry
- Check the SCIM app’s Users tab — the row may say Pending if admin approval is required. Click Pending and Approve to push the change.
- Confirm Enable provisioning is on under the Provisioning tab.
- Confirm the user has an email address in OneLogin — TrueFoundry rejects SCIM users without an email.
Group memberships aren't appearing in TrueFoundry
Group memberships aren't appearing in TrueFoundry
- Open the SCIM app’s Parameters tab, click the Groups row, and confirm Include in User Provisioning is checked.
- Open the SCIM app’s Rules tab and confirm the Set Groups rule from Step 7 exists and references the SCIM app’s name (not the SAML app’s name).
- The user must belong to a OneLogin Role that is itself assigned to the SCIM app, otherwise no
groupsvalue is sent.
Deleting a group in OneLogin doesn't deprovision the team in TrueFoundry
Deleting a group in OneLogin doesn't deprovision the team in TrueFoundry
This is a known limitation of OneLogin’s SCIM client: OneLogin doesn’t dispatch a
group.deleted or group.user_removed event when a group (role) is deleted directly. To safely remove a team:- First remove the users from the OneLogin role — OneLogin emits user-level events that TrueFoundry honours.
- Then delete the role itself in OneLogin.
- If a stale team remains in TrueFoundry, an admin can delete it manually under Access → Teams.
Provisioning Status shows pending forever
Provisioning Status shows pending forever
Admin approval is still required for one or more of Create user, Update user, or Delete user. Either approve each event manually under the SCIM app’s Users tab, or uncheck those approval boxes in Provisioning → Require admin approval before this action is performed (Step 4) for a fully automated flow.

