SCIM Provisioning

Introduction

System for Cross-domain Identity Management (SCIM) allows for automatic people management in your 4me account. Once enabled, 4me person records are automatically synchronized with the user records in your provisioning client.

This article provides the starting point for setting up provisioning. If additional assistance is required, feel free to contact your 4me implementation partner.

Glossary

The following terms are used in the SCIM provisioning process.

SCIM
System for Cross-domain Identity Management is an open standard protocol for automating user management. For more information about the protocol, see SimpleCloud.
Service Provider
Service Provider refers to the 4me application. The service provider (4me) receives identity information from the provisioning client and maps that information to 4me person records.
Provisioning Client
Provisioning Client is the source of truth containing the user identities. The identity information may be shared with multiple service providers, like 4me. Examples of provisioning clients include Azure AD, Google SSO, Okta and OneLogin.

Benefits

Traditionally, user management is performed using a local directory service that acts as a (single) source of truth. Business applications running in the local area network (LAN) connect to the directory service for authentication and provisioning of user identities. With the arrival of cloud-based applications and services, like 4me, this setup is no longer suitable, as the cloud services do not have access to the LAN.

The SCIM specification is designed to make managing user identities in cloud-based applications and services easier. Instead of implementing custom integrations to provision each cloud service, the SCIM protocol makes it possible for the provisioning client (e.g. the local directory service) to send identity information directly to the service provider (4me) using a standardized communication protocol.

Requirements

To enable SCIM provisioning the following is required:

Also, these actions are required from the following specific people:

Approach

Before connecting the provisioning client to 4me, we recommend that you first explore the mapping possibilities.

Once the mapping is defined, it is time to connect the provisioning client to your QA account. Use this account to fine-tune the mapping for your SCIM integration.

The next step is to copy the mappings from your QA account to your production account.

Finally, connect the provisioning client to your production account.

From this point onwards all updates to users and groups in your provisioning client will be sent to 4me.

Finally, we advise you to rotate your SCIM token at least once a year.

Supported APIs

The following SCIM APIs are supported by 4me:

4me accepts both PUT and PATCH HTTP methods. When using PUT, 4me will not automatically clear fields that are not provided. To clear a field, the caller must provide it with the appropriate empty value.
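
The PUT behaviour described above means an attribute removed in the provisioning client stays on the 4me person record unless the PUT body clears it explicitly. The following is an added example, not 4me's or any provisioning client's own code: it builds such a PUT body by comparing the previously sent user with the desired one. Assumptions: the empty value is `""` for strings and `[]` for multi-valued attributes (the page does not define them), attribute names follow the SCIM core User schema, and the sample users are constructed.

```python
import json

# Attributes the client never clears (structural or owned by the service provider).
SKIP = {"schemas", "id", "meta"}

def empty_value(value):
    """Assumed empty value per JSON type; None means 'no empty form, do not send'."""
    if isinstance(value, bool):
        return None  # a boolean such as "active" must be set explicitly by the caller
    if isinstance(value, str):
        return ""
    if isinstance(value, list):
        return []
    if isinstance(value, dict):
        return {k: e for k, v in value.items() if (e := empty_value(v)) is not None}
    return None

def build_put_body(previous, desired):
    """Return `desired` plus explicit empty values for attributes dropped since `previous`."""
    body = dict(desired)
    for key, old in previous.items():
        if key in SKIP:
            continue
        if key not in desired:
            cleared = empty_value(old)
            if cleared is not None:
                body[key] = cleared
        elif isinstance(old, dict) and isinstance(desired[key], dict):
            body[key] = build_put_body(old, desired[key])  # recurse into complex attributes
    return body

# Constructed sample data: the user lost a title, a phone number and a middle name.
SCHEMA = ["urn:ietf:params:scim:schemas:core:2.0:User"]
PREVIOUS = {
    "schemas": SCHEMA, "userName": "h.example@example.com", "active": True,
    "name": {"givenName": "Howard", "familyName": "Example", "middleName": "Q"},
    "title": "Contractor",
    "phoneNumbers": [{"value": "+1 555 0100", "type": "work"}],
}
DESIRED = {
    "schemas": SCHEMA, "userName": "h.example@example.com", "active": True,
    "name": {"givenName": "Howard", "familyName": "Example"},
}

if __name__ == "__main__":
    print(json.dumps(build_put_body(PREVIOUS, DESIRED), indent=2))
```

Verify against your QA account which empty value 4me accepts for each mapped field before relying on this in production.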