# Set up user provisioning using SCIM

With Cerby, you can configure automatic provisioning with OneLogin using the System for Cross-domain Identity Management (SCIM) specification to manage the creation and synchronization of user accounts based on user assignments.

When you enable user provisioning in a OneLogin application, you can automate multiple critical tasks for downstream user management, ensuring that configuration is performed once and propagated throughout the Cerby platform.

This article describes how to enable OneLogin user provisioning for the Cerby platform with SCIM.

***

## Supported features

The following are the supported features of automatic user provisioning with OneLogin:

* **Push users:** Users assigned to the Cerby application in OneLogin are automatically able to access the Cerby clients (web app, mobile app, and browser extension); they are available to other users in Cerby for account sharing purposes.
* **Update user attributes:** The user attributes are automatically synchronized between Cerby and OneLogin.
* **Suspend or delete users:** Suspended or deleted users in OneLogin are automatically detected in Cerby, and their associated access grants in Cerby are removed. In some cases, additional follow-up actions, like password rotation, may occur in Cerby for privileged identities to which the deprovisioned user had access grants.

***

## Requirements

The following are the requirements to enable OneLogin user provisioning with SCIM:

* A user account in Cerby with the workspace **Owner** role
* The Cerby SAML-based app integration must be set up and deployed. You must have already deployed the integration as part of the article [Configure SSO between Cerby and OneLogin with SAML](/setup-and-admin/workspace-identity-federation/onelogin/configure-sso-between-cerby-and-onelogin-with-saml.md).
* Users from your directory already assigned to the Cerby application in OneLogin. You must have done the assignments as part of the article [Configure SSO between Cerby and OneLogin with SAML](/setup-and-admin/workspace-identity-federation/onelogin/configure-sso-between-cerby-and-onelogin-with-saml.md).
* A SCIM API authentication token. Follow the instructions in the article [Retrieve the SCIM API authentication token from Cerby](/setup-and-admin/workspace-identity-federation/retrieve-the-scim-api-authentication-token-from-cerby.md) to copy the token. **NOTE:** If you need to regenerate the SCIM API authentication token, read the article [Regenerate the SCIM API authentication token](/setup-and-admin/workspace-identity-federation/regenerate-the-scim-api-authentication-token.md).

***

## Configure automatic provisioning with OneLogin

To configure automatic user provisioning with OneLogin, you must complete the following steps:

1. Log in to [OneLogin](https://cerby-test.onelogin.com/admin2) as an administrator.
2. Select the **Applications** option that appears when hovering over the **Applications** tab. The **Applications** page is displayed, as shown in **Figure 1.**

   <figure><img src="/files/bYR0vwj6atJppdWI8bC8" alt=""><figcaption><p>Figure 1. Applications page in OneLogin</p></figcaption></figure>
3. Search and select your SCIM Provisioner with SAML (SCIM v2 Core) app. You created this application by following the instructions in the article [Configure SSO between Cerby and OneLogin with SAML](/setup-and-admin/workspace-identity-federation/onelogin/configure-sso-between-cerby-and-onelogin-with-saml.md).
4. Select the **Configuration** option from the left menu. The configuration details page is displayed, as shown in **Figure 2.**

   <figure><img src="/files/LAbXHBjS89YIGLWmN7lk" alt=""><figcaption><p>Figure 2. Configuration details page in OneLogin</p></figcaption></figure>
5. Paste the SCIM API authentication token in the **SCIM Bearer Token** field. You copied this token previously from the Cerby web app by following the instructions in the article [Retrieve the SCIM API authentication token from Cerby](/setup-and-admin/workspace-identity-federation/retrieve-the-scim-api-authentication-token-from-cerby.md).
6. Click the **Enable** button in the **API Status** label. The status changes to **Enabled.**
7. Select the **Provisioning** option from the left menu. The provisioning details page is displayed, as shown in **Figure 3.**

   <figure><img src="/files/QIHlQ8nOkpwnAOIijFsh" alt=""><figcaption><p>Figure 3. Provisioning details page in OneLogin</p></figcaption></figure>
8. Select the **Enable provisioning** option in the **Workflow** section. **NOTE:** When the options in the **Require admin approval before this action is performed** section are selected, OneLogin will create provisioning tasks that will require admin approval. If you’d rather approve all tasks automatically, you can deselect those options.
9. Click the **Save** button. A success message is displayed, and the **Info** details page activates.

Now you are done.
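
To check that the behavior described under **Suspend or delete users** holds once provisioning is enabled, you can reconcile the users assigned in OneLogin against the user state on the SCIM side. The following Python code is an added example, not Cerby or OneLogin code; it assumes you have the SCIM user list as a standard SCIM 2.0 ListResponse document and the OneLogin assignments as a username-to-state mapping, and the `reconcile` function and all sample data are constructed for illustration.

```python
import json

LIST_RESPONSE_URN = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed sample: a SCIM 2.0 ListResponse in the RFC 7644 shape.
# This is illustrative data, not real output from any service.
SCIM_LIST_RESPONSE = json.dumps({
    "schemas": [LIST_RESPONSE_URN],
    "totalResults": 4,
    "Resources": [
        {"id": "u1", "userName": "ana@example.com", "active": True},
        {"id": "u2", "userName": "Bo@Example.com", "active": True},
        {"id": "u3", "userName": "cy@example.com", "active": False},
        {"id": "u4", "userName": "dee@example.com", "active": True},
    ],
})

# Constructed sample: users assigned to the app in the IdP and their state.
# A user absent from this mapping is treated as unassigned.
IDP_ASSIGNMENTS = {
    "ana@example.com": "active",
    "bo@example.com": "suspended",
    "cy@example.com": "suspended",
    "eve@example.com": "active",
}

def reconcile(scim_json, idp_assignments):
    """Return (stale, missing) as sorted lists of lowercased userNames.

    stale: active on the SCIM side but suspended or unassigned in the IdP.
    missing: active in the IdP but absent or inactive on the SCIM side.
    """
    body = json.loads(scim_json)
    if LIST_RESPONSE_URN not in body.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    resources = body.get("Resources", [])
    if body.get("totalResults", len(resources)) > len(resources):
        raise ValueError("partial page: fetch all pages before reconciling")
    idp = {name.lower(): state for name, state in idp_assignments.items()}
    # userName is not case-exact in RFC 7643, so compare lowercased.
    # A resource without "active" is counted as active so it is not skipped.
    scim_active = {r["userName"].lower() for r in resources if r.get("active", True)}
    stale = sorted(u for u in scim_active if idp.get(u) != "active")
    missing = sorted(u for u, s in idp.items() if s == "active" and u not in scim_active)
    return stale, missing

if __name__ == "__main__":
    print(reconcile(SCIM_LIST_RESPONSE, IDP_ASSIGNMENTS))
```

Entries in the first list are accounts that kept access after being suspended or unassigned in the identity provider; entries in the second are assigned users who were never provisioned.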


