Who can use this feature?
Only the Application Owner role can use this feature.
What is it?
SCIM enables you to centrally manage user identities with your Identity Provider (IdP) for cloud-based applications like ITONICS. The IdP is the system entity that creates, manages, and maintains identity information and provides user authentication as a service.
How does it work?
The System for Cross-domain Identity Management (SCIM) is designed to synchronize user information between multiple applications with your IdP. In this way, SCIM allows for streamlining processes while reducing mistakes and data inconsistencies between identity ecosystems.
ITONICS only supported SAML Just in Time (JIT) user provisioning in the past. In this configuration, a user account is created the first time the user successfully logs in to ITONICS via a SAML assertion that passes the attributes required for account creation.
SCIM, on the other hand, allows admins to create, update and deactivate accounts from a central place using an API call. For example, if an organization uses SCIM, and one of their employees leaves the company, an admin can deprovision them using their IdP. That change will propagate to SCIM-enabled web applications (like ITONICS) and automatically delete the accounts there.
Integrate SCIM
Integrating SCIM is the more technical side of things and usually requires the involvement of both IT departments (ITONICS & Client). Please get in touch with your Customer Innovation Success Manager to initiate the integration.
For a smooth integration, make sure the following prerequisites are completed:
- SAML integration has been completed.
- SAML configuration document has been completed.
The following steps describe the high-level integration procedure:
- Your IT team configures SCIM in your IdP.
- ITONICS activates the SCIM module on your ITONICS Enterprise Application.
- ITONICS conducts the SCIM configuration with your IT team:
  - User Configuration (Update Username, Delete Users)
  - Role Configuration (Create, Update, Delete, Manage Roles)
  - Token Configuration (Expiration Time, Bearer Token)
The following ITONICS user attributes can be mapped out of the box with your IdP.

| ITONICS Field | Machine Name | ITONICS Field Type | Example |
| --- | --- | --- | --- |
| | | Single Line Input Field | jane.doe@itonics-innovation.com |
| First Name | first_name | Single Line Input Field | Jane |
| Last Name | last_name | Single Line Input Field | Doe |
| Business Unit | user_organizational_unit | List Field | IT |
| Region | user_region | List Field | Europe |

Additional fields of type Single Line Input Field and Dropdown Field can also be mapped, but they need to be configured first via the User Configuration. The SCIM configuration pre-checks the values of a dropdown field: if a value does not yet exist, it is added to the dropdown list (not case-sensitive).
Identity Provider Configuration for Azure
Follow these steps to configure SCIM for MS Azure:
- Create a new Enterprise Application in Azure Active Directory.
- In the Enterprise Application, navigate to the Provisioning tab.
- Configure Provisioning Mode, Tenant URL, and Secret Token (provided by the ITONICS application).
Note that the application domain in the following instructions should be replaced by your own application domain, e.g., <customer>.live.itonicsit.de. Do not prefix with HTTPS:// or HTTP:// and do not append any additional paths.

| Property Name | Value |
| --- | --- |
| Application Domain | Same as application domain (e.g., <client>.live.itonics.de) |
| Provisioning Mode | Automatic |
| Tenant URL | https://{application_domain}/scim/v2 |
| Secret Token | Random Generated Text (Provided from ITONICS App) |

- Now create the new groups and add them to the application portal.
- Send a list of the created groups to the ITONICS team so that they can be mapped to the roles in the application.
- Create claims and their associated customappsso attributes on the IdP for the user's data sync. The claims and their customappsso attributes should be formatted as in the following example:
  - Claims format: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department
  - Customappsso for user attributes mapping: urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department
- Provide a list of the claims and their associated customappsso attributes to the ITONICS team so that they can be added to the application.
- Once the ITONICS team confirms that the application is fully configured, navigate to the provisioning page and begin synchronizing the groups and users.
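
The Tenant URL rule and the customappsso mapping above, as an added example (not ITONICS or Microsoft code): it rejects an application domain that carries a scheme, port or path, and shows how the mapping path ending in `:department` appears as a nested key in the SCIM 2.0 user resource the IdP sends. Assumptions: the function names are hypothetical, the standard SCIM `/Users` endpoint is used, and the domain, e-mail address and token are constructed placeholders.

```python
import json
import re

ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
_HOST = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def tenant_url(application_domain):
    """Build the Tenant URL from a bare application domain (no scheme, no path)."""
    domain = application_domain.strip().lower()
    if "://" in domain:
        raise ValueError("remove the http:// or https:// prefix")
    if not _HOST.match(domain):
        raise ValueError(f"not a bare hostname: {application_domain!r}")
    return f"https://{domain}/scim/v2"

def scim_user(email, first_name, last_name, department, active=True):
    """SCIM 2.0 User resource (RFC 7643) with the enterprise extension."""
    return {
        "schemas": [CORE_USER, ENTERPRISE],
        "userName": email,
        "name": {"givenName": first_name, "familyName": last_name},
        "emails": [{"value": email, "primary": True}],
        "active": active,
        # The mapping path "...:User:department" becomes a nested key on the wire.
        ENTERPRISE: {"department": department},
    }

def create_request(application_domain, token, user):
    """Describe the POST an IdP would send; nothing is transmitted here."""
    if not token or token != token.strip():
        raise ValueError("secret token is empty or has stray whitespace")
    return {
        "method": "POST",
        # /Users is the standard SCIM endpoint (RFC 7644); assumed for this sketch.
        "url": tenant_url(application_domain) + "/Users",
        "headers": {"Authorization": f"Bearer {token}",
                    "Content-Type": "application/scim+json"},
        "body": json.dumps(user),
    }

if __name__ == "__main__":
    # Constructed sample: example.com domain and a placeholder token.
    user = scim_user("jane.doe@example.com", "Jane", "Doe", "IT")
    req = create_request("customer.live.example.com", "PLACEHOLDER_TOKEN", user)
    print(req["method"], req["url"])
    print(json.dumps(json.loads(req["body"]), indent=2))
```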