Connect your company’s identity provider (IdP) to our platform so that user accounts are provisioned and deprovisioned in the platform automatically. A member of your IT team should manage this process.
Who can use this feature?
- Organization administrators
- Customers with SSO
On this page:
- What is SCIM?
- Configure SCIM provisioning in the platform
- Configure SCIM with the Azure IdP
- Configure SCIM for the Okta IdP
What is SCIM?
System for Cross-domain Identity Management (SCIM) is a standard for managing user identities between your identity provider (IdP) and software products. SCIM automates user provisioning, which increases security. Once SCIM is configured, your IdP syncs with the platform every 40 minutes to update user provisioning. Connect the platform to your IdP for secure and automated user provisioning.
Note: A member of your IT team should manage this process.
Before you begin, note the following guidelines:
- Single Sign-on must be configured.
- We currently support SCIM with Okta and Microsoft Azure Entra ID.
- If using Microsoft Azure Entra ID, we do not support user attribute groups.
- You can't remove SCIM-provisioned users using the Level Access Platform dashboard.
Note: Existing accounts, created manually, need to be managed manually, and can't be inherited by the SCIM process.
Configure SCIM provisioning in the platform
To configure SCIM provisioning in the Level Access Platform:
- Navigate to the organizational level.
- Under Manage, select Tools & Integrations, and then SCIM.
- Toggle on Activate SCIM in our platform.
- Select Generate SCIM URL and API.
- Use the SCIM URL and API key to configure SCIM in your IdP.
Once SCIM is configured, an organization administrator must assign any new users to the appropriate user groups.
Configure SCIM with the Azure IdP
For your convenience, we've provided example procedures that explain how to configure SCIM with the Azure IdP. For the most recent documentation updates, refer to the manufacturer's documentation.
Use the following procedures to configure SCIM for Microsoft Azure:
- Add provisioning
- Assign your SCIM app to your user/group
- Enable provisioning, logging, and manual provisioning
- Paused provisioning (Quarantine)
Add provisioning
- Go to Enterprise applications, then All applications, and then select your application.
- Select Provisioning.
- Select Provisioning again, and then fill out the form.
- Ensure that the Provisioning Mode is set to Automatic.
- Fill out the Admin Credentials with this information:
  - Your SCIM URL (see Configure SCIM provisioning in the platform).
  - SCIM API Key.
- Test the connection and if successful, click Create to save the changes.
Assign your SCIM app to your user/group
- Go to your application and select Assign users and groups.
- Go to Add user/group.
- Assign the application to your user/group.
Enable provisioning, logging, and manual provisioning
After the initial setup is complete, Azure automatically provisions users every 40 minutes. However, you can also manually trigger provisioning, as well as review logs.
- Go back to the Enterprise App, and then Provisioning.
- Select Start provisioning. This starts automatic provisioning at 40-minute intervals.
- Alternatively, select Provision on demand, to manually provision users/groups.
Paused provisioning (Quarantine)
You might get a message informing you that provisioning has been paused because it’s in quarantine. This occurs when provisioning is stuck on an error. This can happen if you set up Attribute Groups.
Automatic provisioning does not occur in quarantine. However, you can still use manual provisioning.
Configure SCIM for the Okta IdP
For your convenience, we've provided example procedures that explain how to configure SCIM for Okta. For the most recent documentation updates, refer to the manufacturer's documentation.
Use the following procedures to configure SCIM for Okta IdP:
- Prerequisites for configuring SCIM for Okta
- Setting up Okta provisioning
- Assign users to their user groups in the platform
Prerequisites for configuring SCIM for Okta
Meet the following prerequisites:
- SCIM is only supported for SAML integrations.
- Enable SCIM on the organization portal.
- Get the organization SCIM URL and SCIM token.
Setting up Okta provisioning
- Log in to the Okta administrator dashboard, and then navigate to Applications.
- Search for the SAML application integrated with the Level Access Platform. Select the SAML application to edit it.
- In the General tab, under App Settings, ensure that Provisioning is set to SCIM.
- Change to the Provisioning tab within the same SAML application.
- Under Settings > Integration, edit the configuration.
- Set the SCIM connector base URL to the Level Access SCIM URL.
- Set the Unique identifier field for users to userName.
- Select all checkboxes, under Supported provisioning actions.
- Set Authentication Mode to HTTP Header.
- Set the HTTP Header > Authorization Token field to the SCIM token, retrieved from the Level Access Platform.
- Select Test Connector Configuration. If you see the Connector configured successfully dialog box, the configuration has been set correctly.
- Select Close.
- Select Save to save the SCIM settings.
- In the Provisioning tab, under Settings > To App > Provisioning to App, select the Edit button, and then the following options:
  - Create Users
  - Update User Attributes
  - Deactivate Users
- Select Save to save the provisioning settings.
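The three provisioning actions enabled above correspond to SCIM requests sent with the token in an HTTP header. The following added example (not Level Access or Okta code) replays them against a toy in-memory endpoint, assuming SCIM 2.0 (RFC 7644) paths and a `Bearer` authorization header; `ScimEndpoint`, `patch`, `replay_lifecycle`, the token and the user are constructed for illustration.

```python
import hmac
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

class ScimEndpoint:
    """Toy in-memory SCIM 2.0 service provider (hypothetical, not the platform's code)."""
    def __init__(self, token):
        self._expected = f"Bearer {token}".encode()
        self.users = {}  # SCIM id -> user resource

    def handle(self, method, path, headers, body=None):
        # Check the bearer token in constant time before touching any data.
        sent = headers.get("Authorization", "").encode()
        if not hmac.compare_digest(sent, self._expected):
            return 401, None
        if method == "POST" and path == "/Users":  # "Create Users"
            if any(u["userName"] == body["userName"] for u in self.users.values()):
                return 409, None  # userName is the unique identifier
            user = {**body, "schemas": [USER_SCHEMA], "id": uuid.uuid4().hex,
                    "active": body.get("active", True)}
            self.users[user["id"]] = user
            return 201, user
        user = self.users.get(path.rpartition("/")[2])
        if user is None:
            return 404, None
        if method == "PATCH" and PATCH_SCHEMA in body.get("schemas", []):
            for op in body["Operations"]:  # "Update User Attributes" / "Deactivate Users"
                if op["op"].lower() == "replace" and "path" not in op:
                    user.update(op["value"])
            return 200, user
        return 405, None

def patch(value):
    # Build a SCIM PatchOp that replaces top-level attributes.
    return {"schemas": [PATCH_SCHEMA], "Operations": [{"op": "replace", "value": value}]}

def replay_lifecycle():
    """Replay create, update and deactivate with constructed sample data."""
    sp = ScimEndpoint("EXAMPLE-TOKEN")  # placeholder, not a real key
    auth = {"Authorization": "Bearer EXAMPLE-TOKEN"}
    new = {"userName": "jane@example.com", "name": {"givenName": "Jane"}}
    codes = [sp.handle("POST", "/Users", {"Authorization": "Bearer wrong"}, new)[0]]
    status, user = sp.handle("POST", "/Users", auth, new)
    codes += [status, sp.handle("POST", "/Users", auth, new)[0]]  # duplicate userName
    url = f"/Users/{user['id']}"
    codes.append(sp.handle("PATCH", url, auth, patch({"title": "Auditor"}))[0])
    codes.append(sp.handle("PATCH", url, auth, patch({"active": False}))[0])
    return codes, user
```

Deactivation here is a `replace` of `active` with `false`, so the account record remains and can be checked after an offboarding to confirm the change arrived.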
Assign users to their user groups in the platform
- In Okta, go to the Directory, and then People.
- Find a user account and assign it to the Level Access application for which you have enabled SCIM. Select Assign, next to the application name.
- Open the platform and confirm that you can find the user. Go to Organization settings, and then Users, and then Unassigned users. The user name is added to the list.
- Proceed to assign any new users to the appropriate user groups in the platform.