Provision users with SCIM

The System for Cross-domain Identity Management (SCIM) specification is an open API designed to make managing user identities in cloud-based applications and services easier and faster. ​Enterprise Threat Protector​ (ETP) supports SCIM provisioning with Azure Active Directory and with Okta. SCIM allows your organization to obtain user and group information quickly, sync between identity stores in near real-time, and apply enforcement policies.

It is possible to extend mapping between Azure Active Directory or Okta and ETP to other SCIM attributes as specified by RFC 7643.

📘

If a user existing in a SCIM directory does not belong to any group, the user is considered invalid for access authorization and receives a 403 forbidden error.

Provision users from Azure Active Directory using SCIM

You provision users with SCIM by configuring SCIM as a directory type and Microsoft Azure Active Directory as a SCIM source. This configuration supports the following mapping of SCIM attributes between the Azure Active Directory SCIM source and the SCIM directory:

  • userName
  • active
  • displayName
  • emails[type eq "work"].value
  • name.givenName
  • name.familyName
  • phoneNumbers[type eq "mobile"].value
  • externalid

These tasks are required to provision users from Azure AD with SCIM

  1. Create a new SCIM directory for Azure in Enterprise Center.

  2. Create an ETP enterprise app in Azure Active Directory

  3. Assign users and groups to the ETP enterprise app

  4. Configure SCIM provisioning in Azure Active Directory

  5. Map attributes and start provisioning

Create a new SCIM directory for Azure in Enterprise Center

Complete this procedure to configure a SCIM directory in Enterprise Center.

To create a SCIM directory for Azure:

  1. In the Threat Protection menu of Enterprise Center, select Identity & Users > Directories.

  2. Click the plus sign icon to add a new directory.

  3. Enter a name and description for the directory.

  4. In the Service Type menu, select SCIM. The SCIM Schema menu appears.

  5. In the SCIM Schema menu, select Azure.

  6. Click Add New Directory.

  7. In the Settings tab, configure General settings:

    1. For the Login Preference, select either User principal name (default) or Email.

    2. Copy the SCIM base URL. You’ll need this information when you configure SCIM provisioning in Azure.

    3. Click Create Provisioning Key.

    4. Enter a name and description for the key, and click the checkmark icon. The provisioning key ID and provisioning key appears.

    5. Copy the provisioning key to a secure location. You need this information when configuring SCIM provisioning in Azure.

  8. Click Save. The new SCIM directory appears in the directories list.

Next step:

Create an ETP enterprise app in Azure Active Directory

Create an ETP enterprise app in Azure Active Directory

Configure an enterprise application in Azure Active Directory (AD) for ETP.

Before you begin:
Create an ETP enterprise app in Azure Active Directory

To create an ETP enterprise app in Azure:

  1. Log in to Microsoft Azure as an administrator.

  2. Go to your tenant in Azure Active Directory.

  3. Create users and groups. Make sure you add members to your groups. For more information, see Manage users and groups in Azure Active Directory.

  4. In the navigation menu, select Enterprise applications and then select All Applications. All enterprise applications created in your Azure AD tenant are displayed.

  5. Click New application (+). You are redirected to the Azure AD gallery that displays the available application templates.

  6. In the Browse Azure AD Gallery (Preview), click Create your own application (+).

  7. In the dialog, enter a unique name for your application (for example, demo-app) and select Integrate any other application you don't find in the gallery.

  8. Click Create.

Next step:

Assign users and groups to the ETP enterprise app

Assign users and groups to the ETP enterprise app

Before you begin:
Create an ETP enterprise app in Azure Active Directory

Add the users and groups to the new ETP enterprise application you created.

To assign users and group to the ETP enterprise app:

  1. In the Microsoft Azure portal, go to your tenant in Azure Active Directory.

  2. In the navigation menu, select Enterprise Applications and go to the application you created.

  3. In the navigation menu, select Users and groups.

  4. Click Add user/group (+). The Add Assignment pane appears.

  5. Under User and Groups, click None Selected.

  6. In the User and Groups pane, select the users and groups that you want to assign to the app you created. Selected users and groups appear in the Selected items list.

  7. Click Select. Users and groups belonging to an app are displayed in a list with the display name, object type, and assigned role.

Next step:
Configure SCIM provisioning in Azure Active Directory

Configure SCIM provisioning in Azure Active Directory

Before you begin
Assign users and groups to the ETP enterprise app.

Configure automatic provisioning of users and groups in Microsoft Azure Active Directory. This operation automatically imports all resources, including users and groups, and synchronizes with Azure Active Directory.

  1. In Microsoft Azure, go to your tenant in Azure Active Directory.

  2. In the navigation menu, select Enterprise Applications and go to the app you created in Create an ETP enterprise app in Azure Active Directory.

  3. Under Manage, select Provisioning.

  4. On the Provisioning page, select Automatic as the Provisioning Mode.

  5. Under the Admin Credentials section:

  6. Click Save.

Next step:

Map attributes and start provisioning

Map attributes and start provisioning

Before you begin:
Configure SCIM provisioning in Azure Active Directory

Map the SCIM attributes to the Azure attributes associated with the ETP enterprise application in Microsoft Azure Active Directory.

To map SCIM attributes to Azure attributes:

  1. In the Microsoft Azure portal, go to your tenant in Azure Active Directory.

  2. In the navigation menu, select Enterprise Applications and go to the app you created.

  3. Under Manage, select Provisioning.

  4. Expand Mappings and confirm that Provision Azure Active Directory Groups and Provision Azure Active Directory Users are enabled.

  5. Click Provision Azure Directory Users to map Azure attributes.

  6. In Attribute Mapping, map the customappsso attribute (same as SCIM attributes) to these Azure Active Directory attributes. To remove other attributes, click Delete and then Save.

    These default user attribute mappings are supported by ETP.

Azure Active Directory Attribute

customappsso Attribute

userPrincipalName

userName

Switch([IsSoftDeleted], , "False", "True", "True", "False")

active

displayName

displayName

mail

emails[type eq "work"].value

givenName

name.givenName

surname

name.familyName

mobile

phoneNumbers[type eq "mobile"].value

mailNickname

externalid

  1. No changes are needed for the Provision Azure Directory Groups setting unless you want to map additional SCIM attributes to Azure attributes. These default group attribute mappings are supported by ETP.

Azure Active Directory Attribute

customappsso Attribute

displayName

displayName

objectId

externalId

members

members

  1. Return to the Provisioning page. Click Start provisioning.
    Alternatively, you can click Provision on demand to push some users from Azure to ETP immediately. For more information, see On-demand provisioning in Azure Active Directory.

  2. In Enterprise Center, go to the SCIM directory you created in Create a new SCIM directory for Azure in Enterprise Center. Confirm that users and groups were imported from Azure Active Directory.

Provision users from Okta using SCIM

Use the SCIM protocol to import the user's digital identities from Okta (the source system) to ETP.

This integration supports endpoints compatible with the SCIM 2.0 specification.

The following tasks are required to provision users from Okta with SCIM:

  1. Create a new SCIM directory for Okta in Enterprise Center.

  2. Add user and group accounts in Okta

  3. Create a SCIM application in Okta

  4. Configure provisioning in Okta

  5. Assign groups to your SCIM application in Okta

Create a new SCIM directory for Okta in Enterprise Center

  1. In the Threat Protection menu of Enterprise Center, select Identity & Users > Directories.

  2. Click the plus sign icon to add a new directory.

  3. Enter a name and description for the directory.

  4. In the Service Type menu, select SCIM. The SCIM Schema menu appears.

  5. In the SCIM Schema, select Okta.

  6. Click Add New Directory.

  7. In the Settings tab, configure General settings:

    1. In the Login preference menu, select either User principal name or Email as a preference for login.

    2. Copy the SCIM base URL. You’ll need this URL when you configure SCIM provisioning in Okta.

    3. Click Create Provisioning Key.

    4. Enter a name and description for the key, and click the checkmark icon. The provisioning key ID and provisioning key appears.

    5. Copy the provisioning key by clicking the clipboard icon. You’ll need this key when you configure SCIM provisioning in Okta.

    6. In the Attribute Mapping section, configure mappings as defined in this table.

EAA Attributes

SCIM Attributes

User Principal Name

userName

displayName

displayName

firstName

name.givenName

lastName

name.familyName

mail

work emails.value

phoneNumber

primary phoneNumbers.value

status

active

📘

You must also set these attributes in Okta when you complete Configure provisioning in Okta.

  1. Click Save. The newly created SCIM directory appears in the directories list.

Next step:

Add user and group accounts in Okta

Add user and group accounts in Okta

Before you begin:
Create a new SCIM directory for Okta in Enterprise Center

Complete this procedure to add users and groups in Okta.

To add users and groups:

  1. Sign in to your Okta account at https://<your_tenant_name>.okta.com. Click Admin to access the administrator console.

  2. To add an individual user account:

    1. In the Okta navigation menu, select Directory > People.

    2. Click Add Person and in the dialog, enter user data.

    3. Click Add Person.

  3. To add a group account:

    1. In the Okta navigation menu, select Directory > Groups.

    2. Click Add Group and in the dialog, enter the group data.

    3. Click Add Group.

Next step:

Create a SCIM application in Okta

Create a SCIM application in Okta

Before you begin
Add user and group accounts in Okta

Complete this procedure to create a SCIM application in Okta.

To create a SCIM application in Okta:

  1. Sign in to your Okta account at https://<your_tenant_name>.okta.com. Click Admin to access the administrator console.

  2. In the navigation menu, select Applications > Applications, and click Browse App Catalog.

  3. In the Browse App Integration Catalog, search for SCIM and in the search results, select SCIM 2.0 Test App (Header Auth).

  4. Click Add for SCIM 2.0 Test App (Header Auth).

  5. In the General Settings, enter the application name, accept the default settings, and click Next.

  6. Under the Sign On settings, you can define the way that users log in to your integration. Select Secure Web Authentication, and then select Done to accept default settings.

Next step:
Configure provisioning in Okta

Configure provisioning in Okta

Before you begin:
Create a SCIM application in Okta

Follow these steps to provide the authentication properties that enable communication between ETP and Okta.

To configure provisioning in Okta:

  1. In the Provisioning tab for SCIM 2.0 Test App (Header Auth), click Configure API Integration, and then select Enable API Integration.

  2. In the Base URL field, paste the SCIM base URL field that you copied in Create a new SCIM directory for Okta in Enterprise Center.

  3. In the API Token field, paste the provisioning key that you copied in Create a new SCIM directory for Okta in Enterprise Center.

  4. Click Test API Credentials to verify your credentials.

  5. When you receive a confirmation, click Save.

    ETP and Okta are now connected through the SCIM protocol. In the Provisioning tab, you can also configure these settings:

    • To App. Where you configure data that flows from Okta user profiles to ETP.
    • To Okta. Where you configure data that flows from ETP to Okta.
    • API Integration. Where you modify your API authentication credentials.
  6. In the To App settings, click Edit to enable operations for your group's endpoint.

  7. Enable the following:

    • Create Users
    • Update Users
    • Deactivate Users
  8. Click Save.

  9. Scroll down and configure attribute mappings so that the mappings are the same as ETP. For attribute mappings, see Create a new SCIM directory for Okta in Enterprise Center.

    Your provisioning settings for your SCIM application are now configured. You can optionally set up alias provisioning in the Okta Admin portal.

Next step:

Assign groups to your SCIM application in Okta

Assign groups to your SCIM application in Okta

Before you begin:
Configure provisioning in Okta

Follow these steps to assign users to your SCIM application.

To assign groups to your SCIM application:

  1. In the Assignments tab for SCIM 2.0 Test App (Header Auth), assign individual users or groups. To assign a group, click Assign and then select Assign to Groups.

  2. In the window that appears, search for a group you want to provision, and click Assign for the group that you want to assign.

  3. You can enter additional information for the selected group. To do so, click Save and Go Back. Otherwise, click Done.

    In the SCIM Assignment, you can see the newly assigned group or groups.

  4. Go to the Push Groups tab to push groups to ETP and enable group-based management.

  5. Click Push Groups, and select Find groups by name.

  6. In the provided field, enter the name of the group and select it.

  7. To add more groups, click Save & Add Another and repeat the previous step.

  8. To accept default settings and confirm your groups, select Save.

  9. For each of the selected groups, in the the Push Status column, click Active and select Push now to override the users and their privileges through immediate transfer from Okta.

📘

If you get the error BadRequest - invalidSyntax: 'password' is not a valid SCIM attribute or has no mapping configured, contact ​Akamai​ Support


Did this page help you?