SCIM Provisioning
Introduction
System for Cross-domain Identity Management (SCIM) allows for automatic people management in your 4me account. Once enabled, 4me person records are automatically synchronized with the user records in your provisioning client.
This article provides the starting point for setting up the provisioning. If additional assistance is required, feel free to contact your 4me implementation partner.
Glossary
The following terms are used in the SCIM provisioning process.
- SCIM: System for Cross-domain Identity Management is an open standard protocol for automating user management. For more information about the protocol, see SimpleCloud.
- Service Provider: refers to the 4me application. The service provider (4me) receives identity information from the provisioning client and maps that information to 4me person records.
- Provisioning Client: the source of truth containing the user identities. The identity information may be shared with multiple service providers, like 4me. Examples of provisioning clients include Azure AD, Google SSO, Okta and OneLogin.
Benefits
Traditionally, user management is performed using a local directory service that acts as a (single) source of truth. Business applications running in the local area network (LAN) connect to the directory service for authentication and provisioning of user identities. With the arrival of cloud-based applications and services, like 4me, this setup is no longer suitable, as the cloud services do not have access to the LAN.
The SCIM specification is designed to make managing user identities in cloud-based applications and services easier. Instead of implementing custom integrations to provision each cloud service, the SCIM protocol makes it possible for the provisioning client (e.g. the local directory service) to send identity information directly to the service provider (4me) using a standardized communication protocol.
Requirements
To enable SCIM provisioning the following is required:
- a provisioning client that supports the SCIM v2 protocol
- a 4me account, preferably a 4me directory account
In addition, the following actions are required from specific people:
- an account administrator of the 4me account, to share the SCIM access token and endpoint URL with the administrator of the provisioning client.
- an account administrator of the provisioning client, to configure the SCIM access token and endpoint URL and optionally to define a mapping.
- an account administrator of the 4me account, to update the user mapping and optionally the group mappings in 4me.
Approach
Before connecting the provisioning client to 4me, we recommend exploring the mapping possibilities first.
Once the mapping is defined, connect the provisioning client to your QA account. Use this account to fine-tune the mapping for your SCIM integration.
The next step is to copy the mappings from your QA account to your production account.
Then connect the provisioning client to your production account.
From this point onwards, all updates to users and groups in your provisioning client will be sent to 4me.
Finally, we advise you to rotate your SCIM token at least once a year.
Supported APIs
The following SCIM APIs are supported by 4me:
- SCIM - Users API
- SCIM - Groups API
- SCIM - Service Provider Config
- SCIM - Resource Types
- SCIM - Schemas
4me accepts both PUT and PATCH HTTP methods. When using PUT, 4me will not automatically clear fields that are not provided. To clear fields, the caller must provide them with the appropriate empty value.
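The following Python snippet is an added example and is not 4me code. It models the PUT behaviour described above (attributes omitted from the request body are left untouched; an attribute is cleared only when it is sent with an empty value) next to a PATCH handler that follows the standard SCIM 2.0 PatchOp message format (RFC 7644), and it assembles a PATCH request for the Users API without sending it. The user record, the base URL `https://scim.example.invalid/scim/v2` and the token `TOKEN-PLACEHOLDER` are constructed placeholders, not values from the page.

```python
"""PUT vs PATCH semantics for a SCIM 2.0 Users resource.

apply_put models the behaviour described in the article (omitted attributes are
kept, explicit empty values clear); apply_patch implements the RFC 7644 PatchOp
operations add/replace/remove for top-level and dotted sub-attribute paths.
This is example code, not the service provider's implementation.
"""
import copy
import json

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample record: what the service provider currently stores.
EXISTING_USER = {
    "schemas": [SCIM_USER_SCHEMA],
    "id": "00000000-0000-4000-8000-000000000001",  # constructed sample id
    "userName": "jdoe@example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "phoneNumbers": [{"value": "+1 555 0100", "type": "work"}],
    "title": "Analyst",
    "active": True,
}

# Values that count as "the appropriate empty value" for clearing an attribute.
EMPTY_VALUES = ("", [], {}, None)


def apply_put(existing, incoming):
    """PUT as described above: attributes absent from the body stay as they
    are; attributes present with an empty value are removed; everything else
    is replaced. The stored record is not mutated."""
    merged = copy.deepcopy(existing)
    for attr, value in incoming.items():
        if attr in ("schemas", "id"):
            continue  # server-controlled attributes are never taken from the body
        if value in EMPTY_VALUES:
            merged.pop(attr, None)  # explicit empty value clears the attribute
        else:
            merged[attr] = copy.deepcopy(value)
    return merged


def _set_path(resource, path, value):
    # Supports "attr" and "attr.subAttr" paths; no filter expressions.
    parts = path.split(".")
    target = resource
    for part in parts[:-1]:
        target = target.setdefault(part, {})
    target[parts[-1]] = value


def _remove_path(resource, path):
    parts = path.split(".")
    target = resource
    for part in parts[:-1]:
        target = target.get(part)
        if not isinstance(target, dict):
            return  # nothing to remove
    target.pop(parts[-1], None)


def apply_patch(existing, patch):
    """Apply an RFC 7644 PatchOp message to a resource and return the result."""
    if SCIM_PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    result = copy.deepcopy(existing)
    for op in patch["Operations"]:
        kind = op["op"].lower()
        path = op.get("path")
        if kind in ("add", "replace"):
            if path is None:
                # Without a path the value is a partial resource merged at top level.
                for attr, val in op["value"].items():
                    result[attr] = copy.deepcopy(val)
            else:
                _set_path(result, path, copy.deepcopy(op["value"]))
        elif kind == "remove":
            if path is None:
                raise ValueError("remove requires a path")
            _remove_path(result, path)
        else:
            raise ValueError(f"unsupported op {kind!r}")
    return result


def build_patch_request(base_url, user_id, token, operations):
    """Return (method, url, headers, body) for a Users API PATCH; nothing is sent."""
    body = {"schemas": [SCIM_PATCH_SCHEMA], "Operations": operations}
    headers = {
        "Authorization": f"Bearer {token}",          # SCIM access token
        "Content-Type": "application/scim+json",     # RFC 7644 media type
    }
    return "PATCH", f"{base_url}/Users/{user_id}", headers, json.dumps(body)


if __name__ == "__main__":
    # Omitting phoneNumbers in a PUT keeps the stored number; sending [] clears it.
    print(json.dumps(apply_put(EXISTING_USER, {"userName": "jdoe@example.com"}), indent=2))
    print(json.dumps(apply_put(EXISTING_USER, {"phoneNumbers": [], "title": ""}), indent=2))
    ops = [{"op": "replace", "path": "name.givenName", "value": "Janet"},
           {"op": "remove", "path": "title"}]
    print(build_patch_request("https://scim.example.invalid/scim/v2",
                              EXISTING_USER["id"], "TOKEN-PLACEHOLDER", ops))
```

The practical point for anyone building a client against the behaviour described here: a PUT body that simply omits `phoneNumbers` leaves the stored number in place, so a deprovisioning or correction flow that relies on PUT must send `"phoneNumbers": []` (or use a PATCH `remove` operation) to actually clear the attribute.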