Yes, Jaapi integrates with OneLogin for both single sign-on and automated user provisioning. Employees sign in to the swag store with their existing OneLogin credentials, and SCIM 2.0 keeps the store’s user list in sync — accounts are created on hire and deactivated on departure, with no manual invites. Setup is self-serve for your OneLogin administrator.
How does the OneLogin integration work?
The integration has two halves that work independently or together. SSO lets employees authenticate with their OneLogin identity instead of a separate password, via SAML 2.0. SCIM provisioning lets OneLogin push user lifecycle events to the store, so the user list stays current automatically.
OneLogin ships a connector built for exactly this pairing: the SCIM Provisioner with SAML (SCIM v2 Core) app handles sign-on and provisioning from a single app entry. OneLogin acts as the identity provider; Jaapi is the downstream application that receives sign-ins and provisioning events.
What syncs from OneLogin to Jaapi?
SCIM provisioning keeps your store’s roster aligned with the users assigned to the Jaapi app in OneLogin:
- Onboarding. Assigning a user to the app creates their store account.
- Profile updates. Name and email changes flow through automatically.
- Offboarding. Unassigning or deactivating a user deactivates their store account, and unspent credit is reclaimed to an admin wallet.
- Rehires. Reassigned users have their original account reactivated, history intact.
- Identity mapping. The OneLogin user ID is stored as the user’s
externalIdfor stable cross-system matching.
OneLogin can also require admin approval before each provisioning action — useful during rollout, and easy to switch off once you trust the sync.
How do I set up OneLogin SSO and provisioning?
Everything is configured by your OneLogin administrator plus a token from your store settings — no Jaapi engineering involvement.
- In your Jaapi store, go to Settings and generate a SCIM API token.
- In the OneLogin admin portal, add the SCIM Provisioner with SAML (SCIM v2 Core) app and configure SAML with your store’s Entity ID and ACS URL from the store’s SSO setup guide.
- In the app’s Configuration tab, enable the API, set the SCIM Base URL to your store’s SCIM endpoint, and paste the Bearer token from step 1.
- Enable Provisioning and assign users or roles to the app. Start with two or three test users, confirm they appear in the store, then roll out to everyone.
What about groups and roles?
Jaapi uses a flat access model — store user or admin — so SCIM provisioning operates at the user level rather than syncing OneLogin roles into store roles. Admin access is granted within Jaapi, and admin accounts are protected from deletion via SCIM. If you need HR-driven segmentation or per-team credit budgets, pair SSO with an HRIS sync, which can carry department, location, and budget fields that SCIM does not.
Is the OneLogin integration secure?
Yes. SSO removes store-specific passwords entirely, SCIM requests are authenticated with a store-scoped Bearer token over HTTPS, and new accounts are validated against your allowed email domain. Every provisioning action is audit-logged. Jaapi is ISO 27001:2022 certified with EU-hosted data.