Provision users from IDPs using SCIM

You can use the SCIM protocol to import users' digital identities from identity providers (IDPs) that support SCIM into your Akamai MFA SCIM application. With SCIM provisioning, you can automatically import user accounts, account privileges, and group memberships.

For existing user profiles, SCIM provisioning ensures the automatic synchronization between both systems when a change to the user data is detected in the source system.

You can also use the attribute mapping capability to customize and match user attributes exchanged during the provisioning process between the identity provider and your SCIM application.

📘

The automatic provisioning described in this section was implemented using a minimally viable subset of the SCIM specifications. In particular, Akamai MFA doesn't support the full capabilities of the SCIM filtering parameter.

Before you begin

  • Ensure that your IDP supports SCIM.

  • If you want to send the enrollment email to users provisioned from an IDP directory, make sure that each user has a valid email address. Users who don't have the email attribute field populated in their user profile won't receive the enrollment email.

📘

This integration supports endpoints compatible with the SCIM 2.0 specification.

Add SCIM provisioning in Akamai MFA

Follow this procedure to set up your SCIM service in Akamai MFA and obtain your authentication token and base URL. Your authentication credentials let you enable the import of user data from your IDP to Akamai MFA in the following steps of the provisioning process.

  1. In the Enterprise Center navigation menu, select Multi-factor Authentication > Identity & Users > User Provisioning.

  2. Click Add Provisioning (+).

  3. On the User Provisioning page, select the SCIM 2.0 provisioning type and enter its unique name.

  4. Click Save and Deploy.

    You've just generated your API Token and Base URL that you will use in the following configuration steps.

On the provisioning configuration page, you can also enable these settings:

  1. Send enrollment emails. Toggle on to send enrollment emails to new users whose accounts were synced with Akamai MFA. With this setting, new users receive an email with the enrollment link that lets them register their authentication device in the Akamai MFA service once their accounts have been imported from your IDP service.

  2. Include Manually Provisioned Users. Toggle on to update the source of provisioning for users that already exist in Akamai MFA. With this setting enabled, when the SCIM client writes to users or groups that aren't associated with any provisioning method (that is, manually provisioned ones), their provisioning method is set to this SCIM integration. This lets the SCIM integration claim ownership of existing users without forcing users who already have accounts to re-enroll.

📘

Please note that with Read All Users enabled, the sync operation doesn't claim users unless it detects a change in their records (such as a different email address).

  3. Read All Users. Toggle on to let the SCIM integration read every user record in the system, including those created by other SCIM instances or by EAA.

📘

If you have existing users in Akamai MFA that you want your provisioning solution to take control of, we recommend that you first enable Include Manually Provisioned Users, verify that the users and groups were claimed, and only then enable Read All Users. Otherwise, users present in both systems may not sync.
If you manage users via SailPoint and want to allow it to read every user regardless of how they were provisioned, enable Read All Users.

  4. Click Save and Deploy.

    You've created a new SCIM service in Akamai MFA that you can now use to connect with your IDP's SCIM service.

Configure SCIM provisioning in your IDP

This procedure is a high-level overview of the steps necessary to configure your IDP to act as the SCIM provider and export user data to Akamai MFA. Consult your IDP documentation to learn more.

Follow these steps to enable communication between Akamai MFA and your IDP.

  1. Navigate to the SCIM configuration page within your IDP's admin console. Look for a setting that lets you add a SCIM or enterprise application and create one.
  2. Enable SCIM provisioning for the application you created.
  3. Locate the settings for configuring SCIM endpoints and provide the following information:
    1. Base URL. This is the URL you generated when setting up SCIM provisioning in Enterprise Center.
    2. API Token. This is the token you generated when setting up SCIM provisioning in Enterprise Center.
  4. Assign users and groups to your SCIM application.
  5. Push your users and groups to Akamai MFA.
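The following is an added example, not Akamai's code and not part of the original page. It shows what the IDP's SCIM 2.0 client does with the Base URL and API Token from step 3 once you push users and groups in step 5, and it includes the pre-flight check for the email requirement from the "Before you begin" section: users without a valid email attribute are imported but never receive the enrollment email. The base URL and token are placeholders, Bearer authentication is assumed (it is how SCIM clients conventionally present an API token), the payload shapes follow RFC 7643 (User) and RFC 7644 (PatchOp), and the sample directory export is constructed. The page says the integration implements a minimal SCIM subset, so which PATCH operations Akamai MFA accepts is not something this example can confirm.

```python
"""Added example (not Akamai's code): the SCIM 2.0 requests an IDP client
issues against the Akamai MFA SCIM endpoint, plus a pre-flight email check."""
import json
import re
import urllib.request

# Placeholders: substitute the Base URL and API Token that Enterprise Center
# generated when you clicked Save and Deploy (constructed values, not real).
BASE_URL = "https://scim.example.invalid/v2"
API_TOKEN = "REPLACE_WITH_API_TOKEN"

# Deliberately loose: the goal is to flag empty or obviously malformed values.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def users_missing_email(idp_users):
    """Return the userNames whose email attribute is empty or malformed.
    These users are still provisioned, but the enrollment email cannot be sent."""
    missing = []
    for user in idp_users:
        email = (user.get("email") or "").strip()
        if not EMAIL_RE.match(email):
            missing.append(user["userName"])
    return missing


def scim_user(idp_user):
    """Build a SCIM 2.0 core User resource (RFC 7643, section 4.1)."""
    resource = {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": idp_user["userName"],
        "name": {
            "givenName": idp_user.get("givenName", ""),
            "familyName": idp_user.get("familyName", ""),
        },
        "active": idp_user.get("active", True),
    }
    email = (idp_user.get("email") or "").strip()
    if email:  # only emit the emails attribute when there is a value to send
        resource["emails"] = [{"value": email, "primary": True}]
    return resource


def scim_group_patch(member_ids):
    """Build a SCIM 2.0 PatchOp (RFC 7644, section 3.5.2) that adds members
    to a group. The ids are the "id" values the service returned when each
    user was created."""
    return {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [
            {
                "op": "add",
                "path": "members",
                "value": [{"value": uid} for uid in member_ids],
            }
        ],
    }


def scim_request(method, path, body=None, base_url=BASE_URL, token=API_TOKEN):
    """Assemble (without sending) the HTTP request an IDP SCIM client issues.
    The API Token goes in the Authorization header; Bearer is assumed here."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/scim+json")
    if data is not None:
        req.add_header("Content-Type", "application/scim+json")
    return req


# Constructed sample directory export: bob has no email address.
SAMPLE_IDP_USERS = [
    {"userName": "alice", "givenName": "Alice", "familyName": "Ng", "email": "alice@example.com"},
    {"userName": "bob", "givenName": "Bob", "familyName": "Lee", "email": ""},
]

if __name__ == "__main__":
    for name in users_missing_email(SAMPLE_IDP_USERS):
        print(f"warning: {name} has no valid email; no enrollment email will be sent")
    req = scim_request("POST", "/Users", scim_user(SAMPLE_IDP_USERS[0]))
    print(req.get_method(), req.full_url)
    print(json.dumps(scim_group_patch(["ID-RETURNED-FOR-ALICE"]), indent=2))
```

Run the pre-flight check against your directory export before step 4 (assigning users to the SCIM application) so that you can populate missing email attributes in the IDP first; fixing them after the initial push means waiting for the next synchronization to deliver the enrollment email.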