OneLogin draft

Author: jpipkin1

docs/manage/security/scim/about-scim-provisioning.md

@@ -20,7 +20,7 @@ See the following articles for directions to configure specific provisioning pro
 
 ### Create an access key
 
-Before configuring a provisioning provider, you must create an [access key](/docs/manage/security/access-keys/) using a service account. This access key will provide authorization to provision users from the provider into Sumo Logic.
+Before configuring a provisioning provider, create an [access key](/docs/manage/security/access-keys/) using a service account. This access key will provide authorization to provision users from the provider into Sumo Logic.
 
 When you create the access key, copy its access ID and access key values. Depending on the provider you configure, you will enter these when you set up provisioning to use one of the following authorization methods:
 * Basic authentication

docs/manage/security/scim/provision-from-microsoft-entra-id.md

@@ -7,7 +7,7 @@ description: Learn how to provision users into Sumo Logic from Microsoft Entra I
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-This article describes how to provision users into Sumo Logic from Microsoft Entra ID (formerly Azure Active Directory).
+This article describes how to provision users into Sumo Logic with Microsoft Entra ID (formerly Azure Active Directory).
 
 ## Prerequisites
 
@@ -17,11 +17,11 @@ Create an [access key](/docs/manage/security/access-keys/) using a service accou
 
 When you create the access key, copy its access ID and access key values. You will enter these when you use [Base64 encoding](https://www.base64encode.org/) to Base64 encode `<access ID>:<access key>` to generate a token.
 
-## Configure provisioning from Microsoft Entra ID
+## Configure provisioning with Microsoft Entra ID
 
 ### Step 1: Create the app
 
-1. Log in to Microsoft Azure.
+1. Log in to [Microsoft Azure](http://portal.azure.com/) as an administrator.
 1. Navigate to Microsoft Entra ID. (You can use the search bar to locate it.)
 1. Navigate to **Manage > Enterprise Applications**.
 1. Click **New application**.<br/><img src={useBaseUrl('img/security/provision-azure-new-app.png')} alt="Create new application" style={{border: '1px solid gray'}} width="800" />

docs/manage/security/scim/provision-from-okta.md

@@ -7,7 +7,7 @@ description: Learn how to provision users into Sumo Logic from Okta.
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-This article describes how to provision users into Sumo Logic from Okta.
+This article describes how to provision users into Sumo Logic with Okta.
 
 ## Prerequisites
 
@@ -27,7 +27,7 @@ If it is not already set up, [set up SAML for single sign-on with Okta](/docs/ma
 
 <img src={useBaseUrl('img/security/provision-sumo-logic-saml-settings.png')} alt="ACS and entity ID from Sumo Logic" style={{border: '1px solid gray'}} width="800" />
 
-## Configure provisioning from Okta
+## Configure provisioning with Okta
 
 ### Step 1: Create the app
 
@@ -38,7 +38,7 @@ If it is not already set up, [set up SAML for single sign-on with Okta](/docs/ma
 1. Enter the **Single sign-on URL** and **Audience URI (SP Entity ID)** for your Sumo Logic instance:<br/><img src={useBaseUrl('img/security/provision-okta-configure-saml.png')} alt="Configure SAML for the app" style={{border: '1px solid gray'}} width="600" /><br/>Obtain the single sign-on URL (Assertion Consumer URL) and entity ID from the SAML configuration of the Sumo Logic tenant where you will provision users (see [Prerequisites](#prerequisites)).<br/><img src={useBaseUrl('img/security/provision-sumo-logic-saml-settings.png')} alt="ACS and entity ID from Sumo Logic" style={{border: '1px solid gray'}} width="800" />
 1. Click **Next** and click **Finish**. The app displays in Okta.<br/><img src={useBaseUrl('img/security/provision-okta-new-app.png')} alt="New app in Okta" style={{border: '1px solid gray'}} width="800" />
 
-### Step 2: Configure provisioning
+### Step 2: Set up provisioning
 
 1. Configure the general settings for the app:
    1. Click the **General** tab.
@@ -106,7 +106,7 @@ If it is not already set up, [set up SAML for single sign-on with Okta](/docs/ma
       1. **Attribute type**. Select **Group**.
       1. Click **Save**.<br/><img src={useBaseUrl('img/security/provision-okta-add-role-attribute-to-provisioning-user.png')} alt="Add roles attribute to provisioning app user" style={{border: '1px solid gray'}} width="500" />
 
-### Step 4: Configure attribute mappings
+### Step 4: Set up attribute mappings
 
 1. Navigate to **Applications > Applications** and select the app you created in Step 1.<br/><img src={useBaseUrl('img/security/provision-okta-new-app.png')} alt="New app in Okta" style={{border: '1px solid gray'}} width="800" />
 1. Edit the attributes pushed from Okta to the provisioning app.

docs/manage/security/scim/provision-from-onelogin.md

@@ -7,4 +7,120 @@ description: Learn how to provision users into Sumo Logic from OneLogin.
 
 import useBaseUrl from '@docusaurus/useBaseUrl';
 
-This article describes how to provision users into Sumo Logic from OneLogin.
+This article describes how to provision users into Sumo Logic with OneLogin.
+
+## Prerequisites
+
+### Create an access key
+
+Create an [access key](/docs/manage/security/access-keys/) using a service account. This access key will provide authorization to provision users from OneLogin into Sumo Logic.
+
+When you create the access key, copy its access ID and access key values. You will enter these when you use [Base64 encoding](https://www.base64encode.org/) to Base64 encode `<access ID>:<access key>` to generate a token.
+
+## Configure provisioning with OneLogin
+
+### Step 1: Create the app
+
+1. Log in to your [OneLogin](https://www.onelogin.com/) account as an administrator.
+1. Select **Applications > Applications**.
+1. Click **Add App**.<br/><img src={useBaseUrl('img/security/provision-onelogin-add-app.png')} alt="Add app button" style={{border: '1px solid gray'}} width="700" />
+1. Select **SCIM Provisioner with SAML (SCIM v2 Enterprise)**.
+1. Change the **Display Name**.
+1. Click **Save**.<br/><img src={useBaseUrl('img/security/provision-onelogin-rename-app.png')} alt="Display name of the app" style={{border: '1px solid gray'}} width="700" />
+
+### Step 2: Set up single sign-on
+
+Follow the directions in [Configure a SAML app in OneLogin](/docs/manage/security/saml/integrate-onelogin/#configure-a-saml-app-in-onelogin) beginning with the step where you configure the **SSO** tab.<br/><img src={useBaseUrl('img/security/provision-onelogin-sso-tab.png')} alt="SSO tab" style={{border: '1px solid gray'}} width="700" />
+
+:::note
+On the **Configuration** tab, for **SCIM Base URL** enter the [API endpoint for your deployment](/docs/api/getting-started/#sumo-logic-endpoints-by-deployment-and-firewall-security) for the SCIM API using the format `<api-endpoint>/v1/scim/`. For example, `https://api.sumologic.com/api/v1/scim`. You will perform additional configuration of the app later.
+:::
+
+### Step 3: Set up roles
+
+1. Add a custom role field:
+   1. From the main menu, select **Users > Custom User Fields**.
+   1. Click **New User Field**.
+   1. For **Name** enter `roles`.
+   1. For **Short name** enter `roles`.
+   1. Click **Save**.<br/><img src={useBaseUrl('img/security/provision-onelogin-role-field.png')} alt="New role field" style={{border: '1px solid gray'}} width="400" />
+1. Navigate to **Applications > Applications**.
+1. Select the application you created in Step 1.<br/><img src={useBaseUrl('img/security/provision-onelogin-app.png')} alt="New app" style={{border: '1px solid gray'}} width="700" />
+1. Select **Parameters**.<br/><img src={useBaseUrl('img/security/provision-onelogin-parameters.png')} alt="Parameters" style={{border: '1px solid gray'}} width="700" />
+1. Add the `role` parameter:
+   1. Click **+**.
+   1. In **Name** enter `roles`.
+   1. Select **Include in SAML Assertion**.
+   1. Click **Save**.
+   1. In **Value** select **roles (Custom)**.
+   1. Click **Save**.<br/><img src={useBaseUrl('img/security/provision-onelogin-role-parameter.png')} alt="Role parameter field" style={{border: '1px solid gray'}} width="400" />
+1. Add the rest of the parameters as shown:<br/><img src={useBaseUrl('img/security/provision-onelogin-all-parameters.png')} alt="All parameters" style={{border: '1px solid gray'}} width="700" />
+
+### Step 4: Set up provisioning
+
+1. In the app, select **Configuration**.
+1. Configure the app:
+   1. Enter the **SAML Audience URL** (entity ID) and **SAML Consumer URL** (assertion consumer URL) for your Sumo Logic instance:<br/><img src={useBaseUrl('img/security/provision-onelogin-configuration.png')} alt="Configuration for the app" style={{border: '1px solid gray'}} width="700" /><br/>Obtain the assertion consumer URL and entity ID from the SAML configuration of the Sumo Logic tenant where you will provision users. You set up this [SAML configuration](/docs/manage/security/saml/integrate-onelogin/#configure-saml-in-sumo) in Step 2.<br/><img src={useBaseUrl('img/security/provision-onelogin-sumologic-saml-settings.png')} alt="ACS and entity ID from Sumo Logic" style={{border: '1px solid gray'}} width="800" />
+   1. For **API Status**, click **Enable**.
+   1. For **SCIM Base URL**, ensure that you have entered the [API endpoint for your deployment](/docs/api/getting-started/#sumo-logic-endpoints-by-deployment-and-firewall-security) for the SCIM API using the format `<api-endpoint>/v1/scim/`. For example, `https://api.sumologic.com/api/v1/scim`.
+   1. For **SCIM JSON Template**, enter the following:
+      ```json
+      {
+        "schemas": [
+          "urn:ietf:params:scim:schemas:core:2.0:User"
+        ],
+        "userName": "{$parameters.scimusername}",
+        "name": {
+          "familyName": "{$user.lastname}",
+          "givenName": "{$user.firstname}"
+        },
+        "emails": [{
+          "value": "{$user.email}",
+          "type": "work",
+          "primary": true
+        }],
+       "roles": [{
+            "value": "{$user.custom_fields.roles}",
+            "primary": true
+          }]
+      }
+      ```
+   1. For **Custom Headers**, enter:
+      ```
+      Accept: application/scim+json
+      Content-Type: application/scim+json
+      ```
+   1. For **SCIM Bearer Token**, use [Base64 encoding](https://www.base64encode.org/) to encode `<access ID>:<access key>` (see [Prerequisites](#prerequisites)). Enter the resulting value into the **SCIM Bearer Token** field.
+   1. Click **Save**. 
+1. Enable provisioning:
+   1. In the app, select **Provisioning**.
+   1. Select **Enable Provisioning**.
+   1. Click **Save**.<br/><img src={useBaseUrl('img/security/provision-onelogin-enable-provisioning.png')} alt="Enable provisioning" style={{border: '1px solid gray'}} width="800" />
+
+### Step 5: Assign users to the app
+
+1. Create a new user:
+   1. From the main menu, select **Users > Users**.
+   1. Click **New User**.
+   1. Enter **First Name**, **Last Name**, and **Email**.
+   1. Under **Custom Fields**, for **roles** enter `Administrator`.
+   1. Click **Save User**.<br/><img src={useBaseUrl('img/security/provision-onelogin-new-user.png')} alt="New user" style={{border: '1px solid gray'}} width="800" />
+1. Assign the app to the user:
+   1. While viewing the user, click **Applications**. 
+   1. Click **+**.
+   1. Select the app you created in Step 1.
+   1. Click **Continue**.
+   1. Click **Save**.<br/><img src={useBaseUrl('img/security/provision-one-login-add-user-to-app.png')} alt="Add app to user" style={{border: '1px solid gray'}} width="800" />
+1. Approve the user for provisioning:
+   1. From the main menu, select **Applications > Applications**.
+   1. Select the application you created in Step 1.
+   1. Select **Users**.
+   1. Click **Pending** on the user you want to approve for provisioning.<br/><img src={useBaseUrl('img/security/provision-onelogin-approve-user.png')} alt="Pending user" style={{border: '1px solid gray'}} width="800" />
+   1. Click **Approve**.<br/><img src={useBaseUrl('img/security/provision-onelogin-approve-dialog.png')} alt="Approve dialog" style={{border: '1px solid gray'}} width="400" />
+   1. The user is provisioned to Sumo Logic.
+
+## Syncing between OneLogin and Sumo Logic
+
+When you modify the name, email, or role of a user assigned the app in OneLogin, the changes will be synced to the corresponding user in Sumo Logic.
+
+If you unassign a user from the app in OneLogin, the corresponding user is deactivated in Sumo Logic. (If you later try to reassign that same user to the app, it will result in an error in Sumo Logic. You must delete the old user from Sumo Logic first so that the user can be provisioned once again from OneLogin.)