SCIM

Who can use this feature?

Only the Application Owner role can use this feature.

SCIM enables you to manage user identities centrally in your Identity Provider (IdP) for cloud-based applications like ITONICS Enterprise. The IdP is the system that creates, manages, and maintains identity information and provides user authentication as a service.

How SCIM works

The System for Cross-domain Identity Management (SCIM) is an open standard for synchronizing user information from your IdP to multiple applications. It streamlines provisioning and reduces the mistakes and data inconsistencies that arise when identities are maintained separately in each system.

Previously, ITONICS supported only SAML Just-in-Time (JIT) user provisioning. In that configuration, a user account is created the first time the user successfully logs in to ITONICS, based on the SAML assertion attributes required for account creation. JIT never removes an account: once created, it stays until someone deletes it manually.

SCIM, on the other hand, lets admins create, update and deactivate accounts from a central place through API calls made by the IdP. For example, if an organization uses SCIM and one of its employees leaves the company, an admin deprovisions them in the IdP. That change propagates to SCIM-enabled applications (like ITONICS), where the account is deactivated or deleted automatically, depending on the configuration.

Integrate SCIM 

Integrating SCIM is the more technical part of the setup and usually requires the involvement of both IT departments (ITONICS and the client). Please get in touch with your Customer Innovation Success Manager to initiate the integration.

For a smooth integration, make sure the following prerequisites are completed:

  • SAML integration has been completed.
  • SAML configuration document has been completed.

The following steps describe the high-level integration procedure: 

  • Your IT team configures SCIM in your IdP.
  • ITONICS activates the SCIM module on your ITONICS Enterprise Application.
  • ITONICS conducts the SCIM configuration with your IT team:
    • User Configuration (Update Username, Delete Users)
    • Role Configuration (Create, Update, Delete, Manage Roles) 
    • Token Configuration (Expiration Time, Bearer Token)

The following ITONICS user attributes can be mapped out of the box with your IdP.

ITONICS Field    Machine Name                ITONICS Field Type        Example
E-Mail           email                       Single Line Input Field   jane.doe@itonics.de
First Name       first_name                  Single Line Input Field   Jane
Last Name        last_name                   Single Line Input Field   Doe
Business Unit    user_organizational_unit    List Field                IT
Region           user_region                 List Field                Europe

Additional fields of type Single Line Input Field can also be mapped, but they must first be set up via the User Configuration.
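The following is an added example, not ITONICS code, showing the SCIM 2.0 messages an IdP exchanges with a provisioning endpoint such as https://{application_domain}/scim/v2 and how they land on the ITONICS machine names from the table above: the POST /Users body for a new account, the PATCH that deprovisions it (active=false), and a translation into ITONICS fields. The pairing of the enterprise-extension attribute department with user_organizational_unit, the shape of the custom-field mapping, and the sample user are assumptions for the illustration; the payload structure follows RFC 7643/7644.

```python
"""SCIM 2.0 provisioning messages and their mapping to ITONICS fields.

Added example, not ITONICS code. department -> user_organizational_unit and
the custom_map shape are assumptions; the message formats follow RFC 7643/7644.
"""
import json

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Assumed mapping of enterprise-extension attributes (the customappsso side of
# an Azure attribute mapping) to ITONICS machine names.
ENTERPRISE_MAP = {"department": "user_organizational_unit"}


def build_user(email, first_name, last_name, department=None):
    """POST /Users body in the shape an IdP sends for a new account."""
    user = {
        "schemas": [CORE, ENTERPRISE],
        "userName": email,
        "name": {"givenName": first_name, "familyName": last_name},
        "emails": [{"value": email, "primary": True, "type": "work"}],
        "active": True,
        ENTERPRISE: {},
    }
    if department is not None:
        user[ENTERPRISE]["department"] = department
    return user


def build_deactivate_patch():
    """PATCH /Users/{id} body that deprovisions a user (sets active=false)."""
    return {
        "schemas": [PATCH_OP],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }


def _as_bool(value):
    # Defensive: some IdPs send "True"/"False" strings instead of JSON booleans.
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def apply_patch(user, patch):
    """Apply the subset of RFC 7644 PatchOp needed for (de)activation.

    Op names are compared case-insensitively because Azure AD sends "Replace"
    rather than the lower-case form used in the RFC. A path-less replace
    carries an object of attribute -> new value.
    """
    if PATCH_OP not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    user = dict(user)
    for operation in patch["Operations"]:
        if operation["op"].lower() != "replace":
            raise ValueError(f"unsupported op: {operation['op']}")
        path = operation.get("path")
        value = operation["value"]
        if path is None and isinstance(value, dict):
            for attr, val in value.items():
                user[attr] = _as_bool(val) if attr == "active" else val
        elif path == "active":
            user["active"] = _as_bool(value)
        else:
            user[path] = value
    return user


def to_itonics_fields(user, custom_map=None):
    """Translate a SCIM user into the ITONICS machine names from the table.

    custom_map adds extension attributes for additional Single Line Input
    Fields set up via the User Configuration (assumed shape: scim attr ->
    machine name). Returns (fields, ignored) so unmapped attributes are visible.
    """
    mapping = {**ENTERPRISE_MAP, **(custom_map or {})}
    work = [e["value"] for e in user.get("emails", []) if e.get("primary")]
    fields = {
        "email": work[0] if work else user["userName"],
        "first_name": user.get("name", {}).get("givenName", ""),
        "last_name": user.get("name", {}).get("familyName", ""),
        "active": _as_bool(user.get("active", True)),
    }
    ignored = []
    for attr, value in user.get(ENTERPRISE, {}).items():
        if attr in mapping:
            fields[mapping[attr]] = value
        else:
            ignored.append(attr)
    return fields, ignored


if __name__ == "__main__":
    # Constructed sample: one user's lifecycle as the IdP drives it.
    created = build_user("jane.doe@itonics.de", "Jane", "Doe", department="IT")
    print(json.dumps(created, indent=2))
    print(to_itonics_fields(created))
    left = apply_patch(created, build_deactivate_patch())
    print(to_itonics_fields(left)[0]["active"])
```

The returned `ignored` list is worth logging on the receiving side: an attribute the IdP sends that nothing maps to is the usual symptom of a claim that was configured in the IdP but never added to the application.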

Identity Provider Configuration for Azure

Follow the steps below to configure SCIM for Microsoft Azure:

  • Create a new Enterprise Application in Azure Active Directory.

  • In the Enterprise Application, navigate to the Provisioning tab.

  • Configure Provisioning Mode, Tenant URL, and Secret Token (provided by the ITONICS application). Treat the Secret Token as a credential: whoever holds it can create, update and deactivate users on the endpoint, so store it only in the IdP's provisioning settings.

Note that the application domain in the following instructions must be replaced by your own application domain, e.g., <customer>.live.itonicsit.de. Do not prefix it with https:// or http:// and do not append any additional paths.

Property Name         Value
Application Domain    Same as your application domain (e.g., <client>.live.itonics.de)
Provisioning Mode     Automatic
Tenant URL            https://{application_domain}/scim/v2
Secret Token          Randomly generated text (provided by the ITONICS application)

  • Now create the new groups and assign them to the application.
  • Send the list of created groups to the ITONICS team so they can be mapped to roles in the application.
  • Create the claims and their associated customappsso attributes in the IdP for the user data sync. The claims and the customappsso attributes used for the mapping follow this format, for example:
    • Claim format: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department
    • customappsso attribute for user attribute mapping: urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department
  • Provide the list of claims and their associated customappsso attributes to the ITONICS team so they can be added to the application.
  • Once the ITONICS team confirms that the application is fully configured, navigate to the Provisioning page and start synchronizing the groups and users.
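Before starting provisioning it pays to verify the Tenant URL and Secret Token yourself, since Azure's "Test Connection" reports little more than pass or fail. The following is an added example, not ITONICS or Microsoft code: it builds the Tenant URL from the bare application domain, rejecting the two mistakes the note above warns about (a scheme prefix and an extra path), then issues the same authenticated GET against /Users that the IdP performs and explains the outcome. The probe host name, the one-line classification of each HTTP status, and the expectation that the endpoint answers with a SCIM ListResponse are assumptions; the live call needs network access and is not exercised offline.

```python
"""Sanity-check an Azure provisioning configuration for a SCIM endpoint.

Added example, not ITONICS or Microsoft code. The interpretation of each HTTP
status is an assumption about a typical SCIM deployment.
"""
import json
import re
import urllib.error
import urllib.request

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
HOST_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$", re.I
)


def domain_error(application_domain):
    """Return a message describing what is wrong with the domain, or None."""
    domain = application_domain.strip()
    if "://" in domain:
        return "application domain must not start with http:// or https://"
    if "/" in domain:
        return "application domain must not contain a path such as /scim/v2"
    if not HOST_RE.match(domain):
        return f"not a valid host name: {domain!r}"
    return None


def tenant_url(application_domain):
    """https://{application_domain}/scim/v2, as entered under Tenant URL."""
    problem = domain_error(application_domain)
    if problem:
        raise ValueError(problem)
    return f"https://{application_domain.strip()}/scim/v2"


def auth_headers(secret_token):
    """Bearer authentication with the value entered under Secret Token."""
    token = secret_token.strip()
    if not token:
        raise ValueError("secret token is empty")
    return {"Authorization": f"Bearer {token}", "Accept": "application/scim+json"}


def interpret(status, body):
    """Turn the HTTP result of GET {tenant}/Users?count=1 into a finding."""
    if status in (401, 403):
        return "rejected: Secret Token wrong or expired, or SCIM module not activated"
    if status == 404:
        return "not found: check the Tenant URL (bare domain + /scim/v2)"
    if status != 200:
        return f"unexpected HTTP {status}"
    try:
        doc = json.loads(body)
    except ValueError:
        return "200 but body is not JSON: the URL probably points at the web UI"
    if LIST_RESPONSE not in doc.get("schemas", []):
        return "200 but not a SCIM ListResponse"
    return f"ok: endpoint answers SCIM, totalResults={doc.get('totalResults')}"


def probe(application_domain, secret_token, timeout=10):
    """Perform the live check (network required)."""
    url = tenant_url(application_domain) + "/Users?count=1"
    req = urllib.request.Request(url, headers=auth_headers(secret_token))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return interpret(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return interpret(err.code, err.read().decode(errors="replace"))


if __name__ == "__main__":
    # Constructed values; replace with your own domain and token to run live.
    print(tenant_url("acme.live.itonics.de"))
    print(domain_error("https://acme.live.itonics.de"))
    print(interpret(401, ""))
    print(interpret(200, '{"schemas":["%s"],"totalResults":0,"Resources":[]}' % LIST_RESPONSE))
```

Run it with the real domain and token from a machine that can reach the application; a 401 after the token was rotated under Token Configuration means the IdP still holds the old value.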
