
Get Started: SCIM Identity Management

Our Identity Management (IdM) Connectors manage application user accounts through the System for Cross-domain Identity Management (SCIM) protocol. These integrations allow you to automate and centralize user and group management (depending on the application's group management support) through the full lifecycle from your ºÚÁϺ£½Ç91Èë¿Ú Administrator Portal.

After you integrate an application with ºÚÁϺ£½Ç91Èë¿Ú, depending on an application's IdM action support, you can provision, update, and deprovision users. 

Using SCIM IdM Connectors with ºÚÁϺ£½Ç91Èë¿Ú

1 – Select an App

Select an application you want to connect with ºÚÁϺ£½Ç91Èë¿Ú through SCIM. Ensure it has an Identity Management label in the Supported Functionality column; not all applications have both SSO/JIT and IdM functionality at this time. If you do not see your application listed, you may configure a custom SCIM integration or request to have it added to the ºÚÁϺ£½Ç91Èë¿Ú Integration Catalog.

Note:

In the Identity Management tab, you may see some application connectors with a Beta flag. We're evaluating these connectors in various real-world environments so we can gather feedback to ensure and enhance their performance. 

2 – Configure Your App

You will need to enable SCIM for your Service Provider, obtain the Base URL (if needed) and generate a Token Key. Groups may also be supported.

3 – Import Users

If users have been created in the SP, but not in ºÚÁϺ£½Ç91Èë¿Ú, a manual import may be initiated after SCIM configuration.

IdM Actions

The following actions are supported with ºÚÁϺ£½Ç91Èë¿Ú IdM Connectors:

Note:

Not all applications support all three IdM actions.

Provisioning

Important:

SCIM Provisioning differs in both its implementation and output from another type of web app provisioning, Just-in-Time.

Application support for provisioning means that ºÚÁϺ£½Ç91Èë¿Ú can create user accounts in the connected application. This means that after you integrate an application with ºÚÁϺ£½Ç91Èë¿Ú, and bind a new user to the application in ºÚÁϺ£½Ç91Èë¿Ú, a new account is created for the user in the connected application with the following attributes:

| SCIM Attribute Name | ºÚÁϺ£½Ç91Èë¿Ú Attribute Name | Notes |
| --- | --- | --- |
| ExternalID | id | - |
| Username | Username | If a user with the specified username and email is found in the service provider application, ºÚÁϺ£½Ç91Èë¿Ú takes over the account. If no user is found in the service provider application with the specified username and email, a new user is provisioned in the application with these attributes. |
| Password | Password | Users are provisioned with a temporary password. When the user sets their password, it is pushed to the application. Subsequent password updates are also pushed to the application. |
| GivenName | Firstname | - |
| FamilyName | Lastname | - |
| MiddleName | Middlename | - |
| Displayname | Displayname | - |
| Emails | Email - primary | If a user with the specified username and email is found in the service provider application, ºÚÁϺ£½Ç91Èë¿Ú takes over the account. If no user is found in the service provider application with the specified username and email, a new user is provisioned in the application with these attributes. |
| Active | not Suspended and not PasswordExpired | - |
| Addresses: Type, StreetAddress, Locality, Region, PostalCode, Country | Addresses: Type, StreetAddress, Locality, Region, PostalCode, Country | - |
| Phones: Type, Value | Phones: Type, Number | - |
| EmployeeNumber | EmployeeIdentifier | - |
| Department | Department | - |
| Organization | Company | - |
| Title | JobTitle | - |

Updating

Application support for updating means that ºÚÁϺ£½Ç91Èë¿Ú can update accounts on the connected application. This means that after you integrate an application with ºÚÁϺ£½Ç91Èë¿Ú and bind a new user to the application in ºÚÁϺ£½Ç91Èë¿Ú, anytime you update the user in ºÚÁϺ£½Ç91Èë¿Ú, the user is updated in the application.

Deprovisioning

Application support for deprovisioning means that ºÚÁϺ£½Ç91Èë¿Ú can remove user accounts from the connected application. This means that after you integrate an application with ºÚÁϺ£½Ç91Èë¿Ú and unbind a user from the application in ºÚÁϺ£½Ç91Èë¿Ú, the user is deactivated in the application; the account still exists in the application, but it is placed in an inactive state. 
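The attribute mapping from the provisioning table and the deactivation described under Deprovisioning, sketched as an added example (not the connector's own code). It assumes SCIM 2.0 resource and PatchOp schemas (RFC 7643/7644); the directory-side field names and the sample record are hypothetical, and the password attribute is left out.

```python
CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ADDRESS_KEYS = ("type", "streetAddress", "locality", "region", "postalCode", "country")


def to_scim_user(u):
    """Map a directory user dict (hypothetical field names) to a SCIM 2.0 User."""
    name = {"givenName": u.get("firstname"), "middleName": u.get("middlename"),
            "familyName": u.get("lastname")}
    resource = {
        "schemas": [CORE],
        "externalId": u["id"],
        "userName": u["username"],
        "displayName": u.get("displayname"),
        "title": u.get("jobTitle"),
        "name": {k: v for k, v in name.items() if v},
        "emails": [{"value": u["email"], "primary": True}],
        # Table row "Active": not Suspended and not PasswordExpired.
        "active": not u.get("suspended", False) and not u.get("password_expired", False),
        "addresses": [{k: a[k] for k in ADDRESS_KEYS if a.get(k)}
                      for a in u.get("addresses", [])],
        # Directory "Number" becomes SCIM "value".
        "phoneNumbers": [{"type": p["type"], "value": p["number"]}
                         for p in u.get("phones", [])],
    }
    enterprise = {"employeeNumber": u.get("employeeIdentifier"),
                  "department": u.get("department"),
                  "organization": u.get("company")}
    enterprise = {k: v for k, v in enterprise.items() if v}
    if enterprise:
        resource["schemas"].append(ENTERPRISE)
        resource[ENTERPRISE] = enterprise
    # Drop unset optional attributes, but keep active=False.
    return {k: v for k, v in resource.items() if v not in (None, [], {})}


def deactivate_patch():
    """PatchOp body that sets active=false (deactivate, not delete)."""
    return {"schemas": [PATCH_OP],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


# Constructed sample record, not real data.
SAMPLE = {"id": "u-1001", "username": "adoe", "email": "adoe@example.com",
          "firstname": "Alex", "lastname": "Doe", "suspended": False,
          "password_expired": True, "company": "Example Corp",
          "phones": [{"type": "work", "number": "+1-555-0100"}]}

if __name__ == "__main__":
    import json
    print(json.dumps(to_scim_user(SAMPLE), indent=2))
```

Because an expired password alone makes `active` false, and deprovisioned accounts remain in the application in an inactive state, the `active` flag is the field to compare when reconciling application accounts against bound users.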

For the most up-to-date list of supported IdM connectors, see ºÚÁϺ£½Ç91Èë¿Ú's Integration Catalog.

Connecting IdM Applications to ºÚÁϺ£½Ç91Èë¿Ú

Applications that you can integrate with ºÚÁϺ£½Ç91Èë¿Ú through an IdM Connector can be found on the Configure New Applications panel with the Identity Management badge displayed. 

  1. Log in to the Admin Portal.
  2. Navigate to USER AUTHENTICATION > SSO.
  3. To connect a new application, click + Add New Application. If the application already has SSO configured, select it from the Configured Applications list.
  4. Select the Identity Management tab.
  5. Choose attributes, enter the Base URL and Token Key, then click save.

Managing Employee Access to Applications

Users are implicitly denied access to all ºÚÁϺ£½Ç91Èë¿Ú resources, including applications. ºÚÁϺ£½Ç91Èë¿Ú admins must explicitly grant access to SSO applications through the use of user groups.

To grant access to a user group:

  1. Log in to the Admin Portal.
  2. If you haven’t already created a user group, create a new group. See Get Started: User Groups.
  3. If the group exists, in the Admin Portal, go to User Authentication > SSO.
  4. Select the SSO application.
  5. On the Application panel, click the User Groups tab.
  6. Select the user group, then click save.