OneLogin - Provisioning Fails to Create App Multiple Groups When a OneLogin App Rule Sends MemberOf Instead of Roles (4383198)

When integrating OneLogin with a target application using SCIM-based provisioning, group creation and assignment may not work as expected.
Users are provisioned successfully, but only a single group is created or assigned in the target system, even when multiple roles or groups are configured in OneLogin.

Additionally, the target application may block manual group creation and require all group management to occur through the identity provider.

A OneLogin application rule might have been configured to send directory-based MemberOf attributes instead of OneLogin Roles in the provisioning payload.

In this configuration:

• The SCIM API connection receives group data in a format that the target application does not fully process.
• Only one group mapping is recognized, preventing multiple role/group assignments, causing authorization issues when the user opens the app.
• The application expects role-based values rather than raw directory memberships.

• Open the affected application in the OneLogin admin portal.
• Navigate to Rules
• Edit the rule responsible for sending group or role data.
• Update the rule action to send OneLogin roles instead of the MemberOf attribute.
• Save the rule.
• Reapply entitlement mappings to ensure changes are propagated.
• Verify that multiple groups are now created and assigned correctly in the target application.

If further assistance is required please contact Support