About SCIM
SAML Identity providers can use SCIM 2.0 to synchronize Users with CloudConnexa.
According to RFC 7644, SCIM's intent is to reduce the cost and complexity of user management operations by providing a common user schema, an extension model, and a service protocol to manage identities in multi-domain scenarios.
System for Cross-domain Identity Management (SCIM) enables the automatic provisioning, de-provisioning, and synchronization of user identities between CloudConnexa and your organization's Identity Provider (IdP).
Once SCIM is configured and active, any users created, updated, or deleted in your SAML Identity Provider will be synced to CloudConnexa.
Note
SCIM only synchronizes Users, not User Groups. Any updates, deletions, or creations of User Groups in your SAML Identity Provider will NOT create, delete, or update CloudConnexa User Groups using SCIM.
SCIM Operation
According to RFC 7644, SCIM is a protocol based on HTTP. Along with HTTP headers and URIs, SCIM uses JSON payloads to convey SCIM resources and protocol-specific payload messages that convey request parameters and response information, such as errors.
A SCIM "resource" is a JSON object that may be created, maintained, and retrieved via HTTP request methods. A CloudConnexa User is an example of a SCIM resource.
SCIM is a client-server protocol. CloudConnexa is the Server, and the SAML Identity Provider is the SCIM Client. For the Identity Provider (the Client) to send requests to CloudConnexa (the Server), it needs two things:
Base URI of CloudConnexa: The SCIM HTTP protocol is described in terms of a path relative to a Base URI.
Bearer Token: A token for authentication and authorization, sent in the Authorization HTTP header.
In the CloudConnexa interface, the Base URI is called the SCIM URL, and the Bearer Token is called the Provisioning Token. The Identity Provider must be configured with these two pieces of information to make SCIM requests to CloudConnexa.
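The exchange described above, modelled as an added example (this is not CloudConnexa's code or the IdP's): the SCIM client builds a request against the Base URI with the Provisioning Token as a bearer token, and the server side checks that token for the states this page describes (valid, SCIM toggled off, revoked, expired). The Base URI, token value and user name are constructed placeholders; the error response shape follows RFC 7644.

```python
# Added example, not CloudConnexa's implementation. Models the SCIM client
# request and the server-side token check; all names/values are constructed.
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timezone

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"   # RFC 7643
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"  # RFC 7644

@dataclass
class ProvisioningToken:
    secret: str
    expires_at: datetime
    revoked: bool = False

@dataclass
class ScimServer:
    scim_enabled: bool          # the "Enable SCIM" toggle
    token: ProvisioningToken

def build_create_user_request(base_uri: str, token: str, user_name: str) -> dict:
    """What the IdP (SCIM client) sends to create a User resource."""
    return {
        "method": "POST",
        "url": base_uri.rstrip("/") + "/Users",   # path relative to Base URI
        "headers": {"Authorization": "Bearer " + token,
                    "Content-Type": "application/scim+json"},
        "body": json.dumps({"schemas": [USER_SCHEMA], "userName": user_name,
                            "active": True}),
    }

def scim_error(status: int, detail: str) -> dict:
    """RFC 7644 error payload; status is carried as a string."""
    return {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}

def authorize(server: ScimServer, request: dict, now: datetime) -> dict:
    """Server-side check of the bearer token before any resource change."""
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("Bearer "):
        return scim_error(401, "missing bearer token")
    presented = auth[len("Bearer "):]
    tok = server.token
    # constant-time compare so token guessing is not timing-assisted
    if not hmac.compare_digest(presented.encode(), tok.secret.encode()):
        return scim_error(401, "invalid token")
    if tok.revoked:
        return scim_error(401, "token revoked")
    if now >= tok.expires_at:
        return scim_error(401, "token expired")
    if not server.scim_enabled:
        return scim_error(403, "SCIM is inactive")
    return {"status": "ok"}
```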
Activate SCIM and configure Identity Provider
To activate SCIM, follow the steps below:
Note
SAML must be configured as a User Authentication method for SCIM to be enabled.
Navigate to Settings > User Authentication.
You will see SCIM 2.0 as Inactive in the SAML Single Sign-On section.
Click Edit.
Click SCIM 2.0 in the SAML Single Sign-On section.
In the Generate Provisioning Token section, select an appropriate lifetime for the Provisioning Token.
Click Generate Token.
The subsequent screen will show you the Enable SCIM toggle set to ON and the following in the Provisioning Token section:
The expiry date of the generated token.
Note
Regenerate the token before the expiry date. Refer to Regenerate SCIM token to extend lifetime.
The SCIM URL, used to configure the Identity Provider.
The Provisioning Token, used to configure the Identity Provider.
Revoke Token button. Refer to Revoke the provisioning token and deactivate SCIM.
Request New Token button to regenerate the token before the expiry date. Refer to Regenerate SCIM token to extend lifetime.
Copy and paste the SCIM URL and Provisioning Token into your Identity Provider's SCIM configuration settings. Refer to your Identity Provider's help documentation. Links to SCIM setup guides for a few common Identity Providers are provided below:
Click the User Authentication breadcrumb.
You will see SCIM 2.0 as Active in the SAML Single Sign-On section.
Deactivate SCIM
To temporarily deactivate SCIM without revoking the Provisioning Token, follow the steps below:
Navigate to Settings > User Authentication.
You will see SCIM 2.0 as Active in the SAML Single Sign-On section.
Click Edit.
Click SCIM 2.0 in the SAML Single Sign-On section.
Toggle the Enable SCIM switch to OFF.
Click the User Authentication breadcrumb.
You will see SCIM 2.0 as Inactive in the SAML Single Sign-On section.
Revoke the provisioning token and deactivate SCIM
Revoking the Provisioning Token automatically disables SCIM. To revoke the token and disable SCIM, follow the steps below:
Navigate to Settings > User Authentication.
You will see SCIM 2.0 as Active in the SAML Single Sign-On section.
Click Edit.
Click SCIM 2.0 in the SAML Single Sign-On section.
Click Revoke Token.
Click Revoke in the confirmation dialog box.
Click Go Back.
You will see SCIM 2.0 as Inactive in the SAML Single Sign-On section.
Regenerate SCIM token to extend lifetime
If the token in use is close to expiry or has already expired, or you simply want to generate a new token, follow the steps below:
Navigate to Settings > User Authentication.
You will see SCIM 2.0 as Active in the SAML Single Sign-On section.
Click Edit.
Click SCIM 2.0 in the SAML Single Sign-On section.
Click Request New Token.
Select a token Lifetime value.
Click Generate.
A new token is created, and the displayed expiry date changes.
Note
The newly generated token must be configured in your Identity Provider.