SCIM

Manage users and groups from your identify provider.

Last updated 3 months ago

Was this helpful?

SCIM

Manage users and groups from your identify provider.

Enterprise plan subscribers with SAML SSO enabled can opt to enable SCIM for their workspace. SCIM, or System for Cross-domain Identity Management, is an open standard that allows for the automation of user provisioning.

Overview

If you have SAML SSO enabled with a supported identity provider, you can contact us to get SCIM enabled for your workspace.

Configure

Upgrade to the Enterprise plan

Configuration

To configure SCIM, you'll need to add a Token and URL to your SCIM provider.

The SCIM token is the same as the in Secoda. As an Admin, you can self generate it by navigating to Settings page, and clicking on API under the Workspace heading. The SCIM URL is https://app.secoda.co/api/v1/auth/scim.

If you have a custom Secoda domain, the SCIM URL will be https://your-custom-domain.secoda.co/api/v1/auth/scim

Follow the directions below for your identity provider to setup the SCIM integration.

In the Okta admin pages, open the Secoda application you have for SAML 2.0
In the General tab, click Edit and choose SCIM in the Provisioning section and Save
In the Provisioning tab, enter the https://app.secoda.co/api/v1/auth/scim
For the Unique identifier field for users section enter email
For Supported provisioning actions you can enable "Import New Users and Profile Updates", "Push New Users" and "Push Profile Updates", "Push and Import for Groups".
For Authentication mode field, choose HTTP Header and enter your Bearer token generated from your API settings in Secoda. You can now test the configuration and save

In Azure portal, go to Azure Active Directory -> Enterprise Applications.
Select an existing application or create a new one by searching for the specific application in the gallery.
In the application management screen, choose Provisioning in the left panel.
Under Provisioning Mode, select Automatic.
In Admin Credentials, enter the Tenant URL (e.g., https://app.secoda.co/api/v1/auth/scim) and a Secret Token generated from your API settings in Secoda.
Expand Mappings and configure user attributes. Set mappings like userPrincipalName to userName, mail to emails[type eq "work"].value, etc.
Ensure Create, Update, and Delete actions are selected under Target Object actions.
Save the configuration

Group syncing

Secoda's SCIM integration also supports group syncing. From your side all you have to do is start pushing groups from your Identity provider to Secoda. These will then map one to one with Groups in Secoda.

When syncing groups, the following attributes are supported:

displayName: The name of the group in Secoda
members: Array of user references that belong to the group

{
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
    "displayName": "Data Scientists",
    "members": [
        {
            "value": "user-id-1",
            "display": "user1@company.com"
        },
        {
            "value": "user-id-2", 
            "display": "user2@company.com"
        }
    ]
}