SCIM

The System for Cross-domain Identity Management (SCIM) is a protocol for provisioning and managing identity data on the web.

While Datafisher strongly recommends the Microsoft Graph-based solution, where the LMS pulls the relevant data from Entra ID via the Datafisher Azure application, SCIM, which uses a push solution instead, is also supported.

Prerequisites (provided by Datafisher):

  1. SCIM endpoint (Tenant URL)
  2. secret token

Results (to be provided to Datafisher):

  1. (none)

Notable SCIM implementation details
  1. Users are never deleted, but marked as blocked instead. Users will be deleted according to the data retention rules defined in the LMS.
  2. When users are updated individually (not part of a bulk update request), there may be a minor delay before all their assignments and group memberships are available.
  3. The LMS data validation rules are also applied to the imported users, for example:
    1. email addresses must be unique;
    2. either email address or employee ID (when used) must be provided;
    3. etc.
  4. The SCIM endpoint may be limited to a subset of users available in the LMS (e.g. only a certain division, only internal users).

SCIM setup

First, the Datafisher Azure application needs to be set up.

Next, in the Microsoft Entra admin center you need to navigate to Enterprise Applications and select Datafisher LMS:

Next, select Provisioning from the menu.

Next, get started.

Set up connection

Next, set Provisioning mode to Automatic and fill in the Tenant URL and Secret token.

Next, test the connection. You should see a success message at the top right of the page.

Next, save the configuration.

Next, you may need to re-navigate to the Provisioning page for the provisioning menu to become visible:

Update user mappings

Next, under Provisioning open the Mappings section and select Provision Microsoft Entra ID Users.

Next, under Attribute mappings find externalId and click Edit.

Next,

  1. change the Source attribute to objectId
  2. set Match objects using this attribute to Yes
  3. set Matching precedence to 2

and click Ok at the bottom of the page.

Next, in the Attribute Mappings list find userName and click Edit.

Next, set Match objects using this attribute to No and click Ok at the bottom of the page.

Next, in the Attribute Mappings list remove some unsupported attributes:

  1. name.formatted
  2. displayName
  3. all addresses*
  4. all phoneNumbers*

which should leave only:

  1. userName
  2. active
  3. title
  4. emails[type eq "work"].value
  5. preferredLanguage
  6. name.givenName
  7. name.familyName
  8. externalId
  9. urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber
  10. urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department
  11. urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager

Additionally, remove the following fields if they are not enabled in the LMS for your company:

  1. title (job title)
  2. urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber (employee ID)
  3. urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department (department name)

Next, save the changes.
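As an added example (not Datafisher's or Microsoft's code), the following Python receiver applies the rules listed under Notable SCIM implementation details to a SCIM 2.0 User payload in the shape the remaining attribute mappings above produce: users are matched on externalId rather than userName, a deactivated user is blocked and never deleted, and the email-uniqueness and email-or-employee-ID checks reject the payload. The in-memory store, the sample payload and the objectId placeholder values are assumptions.

```python
# Added example, not the page's or Datafisher's code; store layout and payload are assumed.
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Constructed sample in the shape the remaining attribute mappings above produce
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", ENTERPRISE],
    "externalId": "7c1d0e4a-0000-4000-8000-000000000001",  # placeholder Entra objectId
    "userName": "ada@example.com", "active": True, "title": "Engineer",
    "preferredLanguage": "en-US",
    "name": {"givenName": "Ada", "familyName": "Lovelace"},
    "emails": [{"type": "work", "primary": True, "value": "ada@example.com"}],
    ENTERPRISE: {"employeeNumber": "E-1001", "department": "R&D",
                 "manager": {"value": "7c1d0e4a-0000-4000-8000-000000000002"}},
}

def flatten_user(resource):
    """Pick the mapped attributes out of a SCIM User resource (missing -> None)."""
    ext = resource.get(ENTERPRISE, {})
    return {
        "externalId": resource.get("externalId"),  # objectId: the attribute matched on
        "userName": resource.get("userName"),      # carried, but no longer matched on
        "active": resource.get("active", True),
        "email": next((e.get("value") for e in resource.get("emails", [])
                       if e.get("type") == "work"), None),
        "givenName": resource.get("name", {}).get("givenName"),
        "familyName": resource.get("name", {}).get("familyName"),
        "employeeNumber": ext.get("employeeNumber"),
        "department": ext.get("department"),
    }

def validate(user, store):
    """LMS data validation rules named on the page; returns a list of error strings."""
    errors = []
    if not user["email"] and not user["employeeNumber"]:
        errors.append("either email address or employee ID must be provided")
    if user["email"] and any(u["email"] == user["email"] and k != user["externalId"]
                             for k, u in store.items()):
        errors.append(f"email address {user['email']} is not unique")
    return errors

def apply_user(resource, store):
    """Upsert keyed by externalId. active=false blocks the user; nothing is deleted."""
    user = flatten_user(resource)
    errors = validate(user, store)
    if errors:
        return "rejected", errors
    created = user["externalId"] not in store
    user["blocked"] = not user["active"]
    store[user["externalId"]] = user
    return ("blocked" if user["blocked"] else "created" if created else "updated"), []
```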

Custom attributes

If custom fields need to be added, check Show advanced options and click Edit attribute list for customappsso.

At the bottom of the page fill in the Name and Type fields according to what Datafisher has provided. The Name could be urn:ietf:params:scim:schemas:extension:datafisher:2.0:User:source, for example.

Next, in the Attribute Mappings list click Add New Mapping and select the relevant Source attribute and Target attribute. You may need to refresh the page if you are unable to find the Target attribute you just added.

Next, save changes on the Attribute Mapping page and navigate back to the Provisioning page.

Update group mappings

Next, under Provisioning management open the Mappings section and select Provision Microsoft Entra ID Groups.

Next, in the Attribute mappings table find externalId and click Edit.

Next,

  1. make sure Source attribute is objectId
  2. set Match objects using this attribute to Yes
  3. set Matching precedence to 2

and click Ok at the bottom of the page.

Next, in the Attribute Mappings list find displayName and click Edit.

Next, set Match objects using this attribute to No and click Ok at the bottom of the page.

Next, save changes on the Attribute Mapping page and navigate back to the Provisioning page.

Assign users

It is possible to provision either all users or only a part of them.

In order to provision all users, navigate to the Provisioning management page, find the Settings section, and change Scope to Sync all users and groups.

Next, click Save at the top.

In order to provision only a part of the users, navigate to the Provisioning management page, find the Settings section, and change Scope to Sync only assigned users and groups.

Next, click Save at the top.

Next, navigate to the Users and groups management page and click Add user/group.

Next, click on None selected.

Next, select the relevant groups and click Select. Those groups will also be available in the LMS for assignment and reporting purposes.

You should at least select the group that contains all people, i.e. one that excludes all noreply@, support@, etc. addresses.

Warning

Note that when you assign a group, nested groups will not be included.

Next, click Assign at the bottom of the page.

Turn on provisioning

Next, navigate back to the Provisioning management page, turn on provisioning, and click Save.

Next, navigate to the provisioning Overview page where you should see that provisioning has been enabled, but the initial provisioning cycle has (likely) not yet run.

Finally, after a few minutes you should see the provisioning status. In case there are any errors, please contact Datafisher support.