

Integrating SCIM using OneLogin

  • Last updated: November 11, 2021

In this section, we'll guide you through the process of integrating SCIM with Burp Suite Enterprise Edition using OneLogin as your identity provider (IdP).

Prerequisites

  • You already have your users set up in OneLogin.
  • If you want to use SCIM in conjunction with SAML, you have already created a SCIM Provisioner with SAML (SCIM v2 Core) application in OneLogin and have completed the SAML configuration.

Set a port for the SCIM URL and generate an API token

The first part of the integration process is to set a dedicated port for the SCIM URL that OneLogin will use to communicate with Burp Suite Enterprise Edition. The base URL takes the following format:

https://<host>:<port>/scim/v2

The host is usually the same domain name or IP address as in the Burp Suite Enterprise Edition web server URL, but this may differ depending on your network infrastructure.

  1. Log in to Burp Suite Enterprise Edition as an administrator.
  2. From the settings menu, select SCIM.
  3. Under Configure SCIM, enter the port that you want to use for the SCIM URL. You should use a different port than the web server URL so that you can configure separate firewall rules for this connection.
  4. Click Save & generate API token.
  5. When prompted, copy and save the new API token somewhere secure. OneLogin will need to use this to authenticate itself to Burp Suite Enterprise Edition when sending requests to the SCIM URL.

If you are only setting up a proof of concept, you can use this URL as-is to configure a connection over plain HTTP. We do not recommend this for production use, because sensitive user data would then be sent unencrypted over the public internet.

If you lose your API token, you can generate a new one by clicking Regenerate API token in the upper-right corner of the SCIM settings page.

Upload a TLS certificate

For production use, we strongly recommend enabling TLS on the connection by uploading a PKCS#12 certificate. Note that this must have the .p12 file extension - certificates with the .pfx extension are not supported.

  1. Log in to Burp Suite Enterprise Edition as an administrator.
  2. From the settings menu, select SCIM.
  3. Under Configure SCIM, activate the Enable TLS toggle.
  4. When prompted, upload your certificate and enter the certificate password.
  5. Click Save.

Configure the connection in OneLogin

Once you've set a SCIM URL and generated an API token in Burp Suite Enterprise Edition, you can use this information to configure the connection from OneLogin.

Enter the connection details

  1. In OneLogin, select the application that you created for Burp Suite Enterprise Edition.
  2. From the left-hand navigation menu, select Configuration and scroll down to the API Connection section.
  3. In the SCIM Base URL field, enter your SCIM URL in the following format:

    https://<host>:<port>/scim/v2

    The host is usually the same domain name or IP address as in the Burp Suite Enterprise Edition web server URL, but this may differ depending on your network infrastructure. The port is the one that you configured manually in the Burp Suite Enterprise Edition SCIM settings.

  4. In the Custom Headers field, add the following header:

    Content-Type: application/scim+json

  5. In the SCIM Bearer Token field, enter the API token that you copied from Burp Suite Enterprise Edition.
  6. In the SCIM JSON Template field, paste the following template:

    {
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ],
      "userName": "{$parameters.scimusername}",
      "name": {
        "givenName": "{$user.firstname}",
        "familyName": "{$user.lastname}"
      },
      "emails": [
        {
          "primary": true,
          "value": "{$user.email}",
          "type": "work"
        }
      ],
      "displayName": "{$user.display_name}"
    }

  7. At the top of the API Connection section, under API Status, click the button to enable the connection.
  8. Save your changes.

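The following Python script is an added example, not code from PortSwigger or OneLogin. It renders the SCIM JSON template above with a constructed set of user attributes (the `{$user.<attribute>}` and `{$parameters.<name>}` macro substitution is an assumption about how OneLogin fills the template), checks that the result is a well-formed SCIM core User, and assembles the POST /Users call with the bearer token and Content-Type header configured in steps 4 and 5. It refuses a base URL that is not https unless you explicitly allow it for a proof of concept, which mirrors the TLS guidance earlier on this page. The host name, port and token value are placeholders.

```python
import json
import re
from urllib.parse import urlparse

# The SCIM JSON template from the OneLogin configuration step, unchanged in content.
SCIM_TEMPLATE = """{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "{$parameters.scimusername}",
  "name": {"givenName": "{$user.firstname}", "familyName": "{$user.lastname}"},
  "emails": [{"primary": true, "value": "{$user.email}", "type": "work"}],
  "displayName": "{$user.display_name}"
}"""

# Constructed sample values standing in for one OneLogin user record (assumption:
# OneLogin substitutes {$user.<attr>} and {$parameters.<name>} macros with these).
SAMPLE_USER = {
    "user.firstname": "Ada",
    "user.lastname": "Lovelace",
    "user.email": "ada@example.com",
    "user.display_name": "Ada Lovelace",
    "parameters.scimusername": "ada@example.com",
}

# Matches the OneLogin-style macros used in the template, e.g. {$user.firstname}.
MACRO = re.compile(r"\{\$([a-z_]+\.[a-z_]+)\}")


def render_template(template: str, values: dict) -> dict:
    """Substitute macros and parse the result as JSON, so a broken template
    fails here rather than as a 'Failed' provisioning state in OneLogin."""
    def sub(match):
        key = match.group(1)
        if key not in values:
            raise KeyError(f"template references unknown attribute {key}")
        # json.dumps escapes quotes and backslashes; drop the surrounding quotes
        # because the template already wraps each macro in double quotes.
        return json.dumps(values[key])[1:-1]
    return json.loads(MACRO.sub(sub, template))


def validate_scim_user(user: dict) -> list:
    """Return a list of problems; an empty list means the body carries the
    fields a SCIM v2 core User resource needs."""
    problems = []
    if "urn:ietf:params:scim:schemas:core:2.0:User" not in user.get("schemas", []):
        problems.append("missing core User schema URN")
    if not user.get("userName"):
        problems.append("userName is empty")
    emails = user.get("emails", [])
    if not any(e.get("primary") is True and e.get("value") for e in emails):
        problems.append("no primary email with a value")
    return problems


def build_scim_request(base_url: str, token: str, body: dict,
                       allow_http: bool = False) -> dict:
    """Assemble the POST /Users call OneLogin makes to the SCIM URL.
    Plain HTTP is rejected unless explicitly allowed for a proof of concept."""
    parsed = urlparse(base_url)
    if parsed.scheme != "https" and not allow_http:
        raise ValueError("SCIM base URL must use https for production use")
    if not parsed.path.rstrip("/").endswith("/scim/v2"):
        raise ValueError("SCIM base URL should end in /scim/v2")
    return {
        "method": "POST",
        "url": base_url.rstrip("/") + "/Users",
        "headers": {
            # The API token generated in Burp Suite Enterprise Edition.
            "Authorization": f"Bearer {token}",
            # The custom header added in the OneLogin API Connection section.
            "Content-Type": "application/scim+json",
        },
        "body": json.dumps(body),
    }


if __name__ == "__main__":
    body = render_template(SCIM_TEMPLATE, SAMPLE_USER)
    problems = validate_scim_user(body)
    if problems:
        raise SystemExit("template problems: " + "; ".join(problems))
    # Placeholder host, port and token; replace with your own values.
    req = build_scim_request("https://bsee.example.com:8443/scim/v2",
                             "<API TOKEN PLACEHOLDER>", body)
    print(json.dumps(req, indent=2))
```

Running the script prints the exact request shape that OneLogin will send, which is useful when a user shows up as Failed under Provisioning State: compare the rendered body and headers against what the Burp Suite Enterprise Edition SCIM endpoint receives, and check that the URL scheme, port and path match the SCIM settings you saved.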
Configure the parameters

  1. In OneLogin, select the application that you created for Burp Suite Enterprise Edition.
  2. From the left-hand navigation menu, select Parameters.
  3. Click the entry for the NameID parameter.
  4. In the dialog that opens, change the value of this parameter to Username.
  5. Save your changes.

Enable SCIM provisioning

Once you've successfully configured the SCIM connection between OneLogin and Burp Suite Enterprise Edition, you can enable SCIM provisioning so that you can sync your users and groups.

  1. In OneLogin, select the application that you created for Burp Suite Enterprise Edition.
  2. From the left-hand navigation menu, select Provisioning.
  3. Under Workflow, select the Enable provisioning checkbox.
  4. Configure the rest of the settings on this page however you like. We recommend choosing the option to delete users when they are deleted in OneLogin or their app access is removed. Otherwise, redundant users will still be visible in Burp Suite Enterprise Edition.
  5. Save your changes.

Push your OneLogin users to Burp Suite Enterprise Edition

Once you have successfully configured the OneLogin integration, you can push your users so that they are available in Burp Suite Enterprise Edition. To do this, just assign your users and roles to the application that you created in OneLogin.

After a while, these users will be available in Burp Suite Enterprise Edition. Any changes you make to these users in OneLogin will automatically be synced. However, note that users will not have access to any functionality unless they are assigned to a group with the relevant roles in Burp Suite Enterprise Edition.

Note

You can push users from OneLogin, but not groups. When using OneLogin as your IdP, you need to create and manage all of your group assignments directly in Burp Suite Enterprise Edition.

Troubleshooting provisioning issues in OneLogin

To check that all of your users were provisioned successfully:

  1. In OneLogin, select the application that you created for Burp Suite Enterprise Edition.
  2. From the left-hand navigation menu, select Users.
  3. In the Provisioning State column, check for any users with the status Failed.

If you find any users that were not provisioned successfully, click the name of the user and in the dialog that opens, click Reset Login. This will clear the user's current provisioning state and re-attempt to provision the user.