SCIM Provisioning

Introduction

System for Cross-domain Identity Management (SCIM) allows for automatic people management in your R-Service account. Once enabled, R-Service person records are automatically synchronized with the user records in your provisioning client.

This article provides the starting point for setting up provisioning. If additional assistance is required, feel free to contact your R-Service implementation partner.

Glossary

The following terms are used in the SCIM provisioning process.

SCIM
System for Cross-domain Identity Management is an open standard protocol for automating user management. For more information about the protocol, see SimpleCloud.
Service Provider
Service Provider refers to the R-Service application. The service provider (R-Service) receives identity information from the provisioning client and maps that information to R-Service person records.
Provisioning Client
Provisioning Client is the source of truth containing the user identities. The identity information may be shared with multiple service providers, like R-Service. Examples of provisioning clients include Azure AD, Google SSO, Okta and OneLogin.

Benefits

Traditionally, user management is performed using a local directory service that acts as a (single) source of truth. Business applications running in the local area network (LAN) connect to the directory service for authentication and provisioning of user identities. With the arrival of cloud-based applications and services, like R-Service, this setup is no longer suitable, as the cloud services do not have access to the LAN.

The SCIM specification is designed to make managing user identities in cloud-based applications and services easier. Instead of implementing custom integrations to provision each cloud service, the SCIM protocol makes it possible for the provisioning client (e.g. the local directory service) to send identity information directly to the service provider (R-Service) using a standardized communication protocol.

Requirements

To enable SCIM provisioning the following is required:

Also, these actions are required from the following specific people:

Approach

Before connecting the provisioning client to R-Service, we recommend that you first explore the mapping possibilities.

Once the mapping is defined, it is time to connect the provisioning client to your QA account. Use this account to fine-tune the mapping for your SCIM integration.

The next step is to copy the mappings from your QA account to your production account.

Finally, connect the provisioning client to your production account.

From this point onwards all updates to users and groups in your provisioning client will be sent to R-Service.

We also advise you to rotate your SCIM token at least once a year.

Supported APIs

The following SCIM APIs are supported by R-Service:

R-Service accepts both PUT and PATCH HTTP methods. When using PUT, R-Service will not automatically clear fields that are not provided. To clear fields, the caller must provide them with the appropriate empty value.
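Because omitted fields are kept on PUT, an attribute removed in the provisioning client (a job title, a phone number) stays on the person record unless the request clears it explicitly. The following is an added example, not R-Service code: it builds a PUT body that carries an explicit empty value for every attribute being removed. The function names are hypothetical, the records are constructed, and the choice of `""`, `[]` and JSON null as empty values is an assumption, since the page does not state which value each field expects.

```python
# Assumption: the empty value R-Service expects per attribute type is not
# stated on the page; "" / [] / None (JSON null) are placeholders.
READ_ONLY = {"schemas", "id", "meta"}  # never cleared by the client

def empty_for(value):
    """Explicit empty value matching the type of the stored value."""
    if isinstance(value, dict):
        return {k: empty_for(v) for k, v in value.items()}
    return {str: "", list: []}.get(type(value))  # anything else -> None

def build_put_body(current, desired):
    """Desired state plus explicit empties for attributes that must be cleared."""
    body = dict(desired)
    for key, value in current.items():
        if key in READ_ONLY:
            continue
        if key not in desired:
            body[key] = empty_for(value)
        elif isinstance(value, dict) and isinstance(desired[key], dict):
            body[key] = build_put_body(value, desired[key])
    return body

def apply_put(stored, body):
    """Model of the PUT behaviour described above: omitted fields are kept."""
    merged = dict(stored)
    for key, value in body.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = apply_put(merged[key], value)
        else:
            merged[key] = value
    return merged

# Constructed sample records (not real data).
CURRENT = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "id": "example-id",
    "userName": "j.doe@example.com",
    "title": "Finance Approver",
    "name": {"givenName": "Jane", "familyName": "Doe", "middleName": "Q"},
    "phoneNumbers": [{"value": "+1 555 0100", "type": "work"}],
}
DESIRED = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "j.doe@example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
}

if __name__ == "__main__":
    print(build_put_body(CURRENT, DESIRED))
```

Sending `DESIRED` as-is leaves the old title and phone number in place; sending the output of `build_put_body` clears them.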