SCIM Provisioning
Introduction
System for Cross-domain Identity Management (SCIM) allows for automatic people management in your R-Service account. Once enabled, R-Service person records are automatically synchronized with the user records in your provisioning client.
This article provides the starting point for setting up provisioning. If additional assistance is required, feel free to contact your R-Service implementation partner.
Glossary
The following terms are used in the SCIM provisioning process.
- SCIM
- System for Cross-domain Identity Management is an open standard protocol for automating user management. For more information about the protocol, see SimpleCloud.
- Service Provider
- Service Provider refers to the R-Service application. The service provider (R-Service) receives identity information from the provisioning client and maps that information to R-Service person records.
- Provisioning Client
- Provisioning Client is the source of truth containing the user identities. The identity information may be shared with multiple service providers, like R-Service. Examples of provisioning clients include Azure AD, Google SSO, Okta and OneLogin.
Benefits
Traditionally, user management is performed using a local directory service that acts as a (single) source of truth. Business applications running in the local area network (LAN) connect to the directory service for authentication and provisioning of user identities. With the arrival of cloud-based applications and services, like R-Service, this setup is no longer suitable, as the cloud services do not have access to the LAN.
The SCIM specification is designed to make managing user identities in cloud-based applications and services easier. Instead of implementing custom integrations to provision each cloud service, the SCIM protocol makes it possible for the provisioning client (e.g. the local directory service) to send identity information directly to the service provider (R-Service) using a standardized communication protocol.
Requirements
To enable SCIM provisioning the following is required:
- a provisioning client that supports the SCIM v2 protocol
- an R-Service account, preferably an R-Service directory account
Also, these actions are required from the following specific people:
- an account administrator of the R-Service account, to share the SCIM access token and endpoint URL with the administrator of the provisioning client.
- an account administrator of the provisioning client, to configure the SCIM access token and endpoint URL and optionally to define a mapping.
- an account administrator of the R-Service account, to update the user mapping and optionally the group mappings in R-Service.
Approach
Before connecting the provisioning client to R-Service, we recommend that you explore the mapping possibilities first.
Once the mapping is defined, it is time to connect the provisioning client to your QA account. Use this account to fine-tune the mapping for your SCIM integration.
The next step is to copy the mappings from your QA account to your production account.
Finally connect the provisioning client to your production account.
From this point onwards all updates to users and groups in your provisioning client will be sent to R-Service.
Finally, we advise you to rotate your SCIM token at least once a year.
Supported APIs
The following SCIM APIs are supported by R-Service:
- SCIM - Users API
- SCIM - Groups API
- SCIM - Service Provider Config
- SCIM - Resource Types
- SCIM - Schemas
R-Service accepts both PUT and PATCH HTTP methods. When using PUT, R-Service will not automatically clear fields that are not provided. To clear fields, the caller must provide them with the appropriate empty value.
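The PUT behaviour described above is easy to get wrong on the client side: a client that assumes PUT replaces the whole resource will silently leave stale values behind. The following Python example is added here and is not R-Service's own code; the person record, the attribute names and the choice of "" and [] as the empty values are constructed assumptions. It builds a SCIM PUT body and an RFC 7644 PatchOp body, then runs both through a small simulation of the merge semantics the article describes, showing that an omitted attribute keeps its old value while an explicit empty value or a PATCH remove clears it.

```python
import copy
import json

# Constructed sample record as the service provider might hold it (example data,
# not taken from the original article).
CURRENT_RECORD = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "id": "2819c223-7f76-453a-919d-413861904646",
    "userName": "jdoe@example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "title": "Engineer",
    "phoneNumbers": [{"value": "+1-555-0100", "type": "work"}],
    "active": True,
}


def build_put_body(record, updates):
    """Build a PUT body from the record the client last saw plus its updates.
    Because the provider merges PUT (per the article), anything that must be
    cleared has to be sent with an explicit empty value, never just omitted."""
    body = copy.deepcopy(record)
    body.update(updates)
    body.pop("id", None)  # id is read-only on the server side
    return body


def build_patch_body(operations):
    """Build an RFC 7644 PatchOp request body."""
    return {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": operations,
    }


def apply_put(stored, body):
    """Simulated provider semantics from the article: PUT updates the
    attributes it carries and leaves every omitted attribute untouched."""
    result = copy.deepcopy(stored)
    for attr, value in body.items():
        if attr in ("schemas", "id"):
            continue
        result[attr] = value
    return result


def apply_patch(stored, body):
    """Minimal PatchOp applier for add/replace/remove on top-level attributes.
    Real SCIM paths can be filters and sub-attributes; this is an assumption-level
    simulation, sufficient to show the clearing behaviour."""
    result = copy.deepcopy(stored)
    for op in body["Operations"]:
        name = op["op"].lower()
        path = op.get("path")
        if name in ("add", "replace"):
            if path:
                result[path] = op["value"]
            else:
                result.update(op["value"])
        elif name == "remove":
            result.pop(path, None)
        else:
            raise ValueError(f"unsupported op {name}")
    return result


def demo_put_omitting_title():
    """Change the family name but leave 'title' out of the PUT body entirely."""
    body = build_put_body(CURRENT_RECORD, {"name": {"givenName": "Jane", "familyName": "Smith"}})
    del body["title"]  # omitted, so the provider keeps "Engineer"
    return apply_put(CURRENT_RECORD, body)


def demo_put_clearing_title():
    """Send explicit empty values so the provider actually clears the attributes."""
    body = build_put_body(CURRENT_RECORD, {"title": "", "phoneNumbers": []})
    return apply_put(CURRENT_RECORD, body)


def demo_patch_clearing_title():
    """Clear 'title' and deactivate the user with a PATCH instead of a PUT."""
    body = build_patch_body([
        {"op": "remove", "path": "title"},
        {"op": "replace", "path": "active", "value": False},
    ])
    return apply_patch(CURRENT_RECORD, body)


if __name__ == "__main__":
    print("PUT, title omitted :", json.dumps(demo_put_omitting_title()["title"]))
    print("PUT, title = ''    :", json.dumps(demo_put_clearing_title()["title"]))
    print("PATCH remove title :", "title" in demo_patch_clearing_title())
```

The practical takeaway is that a client syncing to a provider with merge-style PUT should send the full attribute set it owns on every PUT, including explicit empty values for anything it wants removed, or use PATCH with a remove operation.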