SCIM Provisioning
Overview
Cisco Identity Intelligence can receive user and group data via the System for Cross-domain Identity Management (SCIM) protocol from various identity providers, including Microsoft Entra ID (formerly Azure AD), Okta, and PingFederate. This integration enables automated user and group lifecycle management, ensuring that Identity Intelligence has up-to-date identity context for enhanced security and analytics. These instructions will guide you through the process of configuring your Identity Provider to provision data to Identity Intelligence.
Before you begin...
Make sure you have the following:
A Cisco Identity Intelligence account with Full Admin permissions that can manage integrations.
An Identity Provider (Microsoft Entra ID, Okta, PingFederate, or another identity source that supports outbound SCIM provisioning) configured and ready to provision users/groups.
Necessary administrative privileges within your chosen Identity Provider to configure SCIM applications.
The CII SCIM Provisioning function does NOT support Bearer Token authentication at this time. Contact your Duo IAM representative if this presents a challenge.
Configuration Steps
The setup process involves two main phases: first, configuring Identity Intelligence to provide credentials for its SCIM endpoint, and second, configuring your Identity Provider to send data to that endpoint.
Phase 1: Configure Cisco Identity Intelligence for SCIM
Enable SCIM Provisioning in Identity Intelligence:
Navigate to the "Integrations" section within your Identity Intelligence tenant and click Add Integration in the top right corner.
Locate and click the "SCIM Provisioning" tile.
Within the form, provide the following:
display name, for use within the CII console
description (optional)
Source (optional, see above) - NOTE: if your SCIM source is not one of the three listed, choose None.
Click
Upon activation, Identity Intelligence will provide you with:
SCIM Base URL: This is the endpoint where your Identity Provider will send SCIM requests (e.g., https://<your_cii_deployment>/scim/v2). NOTE - the URL is specific to your CII deployment or region.
Token URL
Client ID
Client Secret - Copy this token securely, as it will only be shown once.
Click Finish
Phase 2: Configure your Identity Provider for SCIM Provisioning
This phase involves configuring your specific Identity Provider to send user and group data to the Identity Intelligence SCIM endpoint. While the general principles are similar, the exact steps vary by provider.
General SCIM Configuration Principles
Add a SCIM Application: Within your Identity Provider's administration console, add a new application or integration that supports SCIM provisioning. This might be a pre-built gallery app or a custom SCIM 2.0 application.
Configure Provisioning Method: Select "Automatic Provisioning" or "SCIM" as the provisioning method.
Enter SCIM Endpoint Details:
Tenant URL / SCIM Connector Base URL: Enter the SCIM Base URL obtained above from Identity Intelligence (e.g., https://<your_cii_deployment>/scim/v2).
Token URL and Client Credentials: Enter the Token URL, Client ID, and Client Secret provided by Identity Intelligence.
Test Connection: Most Identity Providers offer a "Test Connection" button. Use this to verify that the Identity Provider can successfully authenticate and communicate with the Identity Intelligence SCIM endpoint.
Configure Attribute Mappings: Map the standard user and group attributes from your Identity Provider to the corresponding SCIM attributes expected by Identity Intelligence (e.g., userName, displayName, emails[type eq "work"].value, active, groups). Ensure that mandatory attributes are mapped correctly.
Define Scope: Specify which users and groups should be provisioned to Identity Intelligence. This might involve assigning users/groups to the application or configuring filters.
Enable Provisioning: Once all settings are configured and tested, enable the provisioning service. Users and groups will begin to synchronize with Identity Intelligence based on your defined scope and mapping.
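The attribute mapping and lifecycle steps above can be checked with a small mapper before provisioning is switched on. The following is an added example, not Cisco's or any Identity Provider's code: it maps a constructed IdP profile (the field names login, first, last, email, status, groups are assumptions) onto the SCIM attributes listed above, enforces that userName is present, and resolves a filtered SCIM path such as emails[type eq "work"].value.

```python
"""Map an IdP user profile to a SCIM 2.0 User resource (added example)."""
import re

# Core User schema URN defined by RFC 7643.
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
MANDATORY = ("userName",)  # the unique identifier every IdP keys on

# Constructed IdP profile; the field names are assumptions, not a real IdP schema.
SAMPLE_PROFILE = {
    "login": "jdoe@example.com",
    "first": "Jane",
    "last": "Doe",
    "email": "jdoe@example.com",
    "status": "ACTIVE",
    "groups": ["Finance", "VPN Users"],
}


def to_scim_user(profile: dict) -> dict:
    """Build the SCIM User payload an IdP would send to <SCIM Base URL>/Users."""
    user = {
        "schemas": [USER_SCHEMA],
        "userName": profile.get("login"),
        "displayName": f"{profile.get('first', '')} {profile.get('last', '')}".strip(),
        # A disabled IdP account is pushed as active=false rather than deleted,
        # so the deprovisioning event is visible downstream.
        "active": profile.get("status") == "ACTIVE",
        "emails": [{"value": profile["email"], "type": "work", "primary": True}]
        if profile.get("email") else [],
        # RFC 7643 marks User.groups read-only; it is shown here only to mirror
        # the mapping list above. IdPs normally push membership via Group resources.
        "groups": [{"display": g} for g in profile.get("groups", [])],
    }
    missing = [a for a in MANDATORY if not user.get(a)]
    if missing:
        raise ValueError(f"mandatory SCIM attribute(s) not mapped: {missing}")
    return user


# Matches filtered paths of the form attr[sub eq "value"].field
_FILTER = re.compile(r'^(\w+)\[(\w+) eq "([^"]*)"\]\.(\w+)$')


def scim_path(resource: dict, path: str):
    """Resolve a SCIM attribute path, e.g. emails[type eq "work"].value."""
    m = _FILTER.match(path)
    if not m:
        return resource.get(path)
    attr, key, wanted, field = m.groups()
    return [e.get(field) for e in resource.get(attr, []) if e.get(key) == wanted]
```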
Specific Notes for Identity Providers
PingFederate
Refer to PingFederate's official documentation for detailed steps on configuring SCIM outbound provisioning and OAuth clients. In the event of any conflicts between this document and the PingIdentity documentation, follow the PingIdentity documentation: https://docs.pingidentity.com/integrations/scim/pf_scim_connector.html
PingFederate acts as a SCIM client for outbound provisioning.
Create an OAuth Client (Recommended): For secure authentication, create an OAuth client in PingFederate under Applications > OAuth Clients. This client will be used by the SCIM Outbound Provisioner to obtain an access token for Identity Intelligence.
Configure Outbound Provisioning:
Navigate to Applications > Outbound Provisioning.
Add a new SCIM 2.0 Client instance.
Connection Settings:
Base URL: Enter the SCIM Base URL obtained from Identity Intelligence (e.g., https://<your_cii_tenant_url>/scim/v2).
Authentication: Select "OAuth" and configure it to use the OAuth client you created.
Attribute Mapping: Map the attributes from your PingFederate data store (e.g., LDAP directory) to the SCIM attributes required by Identity Intelligence. Ensure that unique identifiers like userName are correctly mapped.
Provisioning Rules: Define the rules for which users and groups are provisioned (e.g., based on group membership or attribute values).
Activation: Enable the provisioning connection.
Okta
For detailed guidance, refer to the Okta documentation on SCIM provisioning: https://developer.okta.com/docs/guides/scim-provisioning-integration-connect/main/
In the Okta Admin Console, navigate to Applications > Applications.
Add a new application. For a custom SCIM integration, you might use a "SCIM 2.0 Test App".
Go to the Provisioning tab for the application.
Enable SCIM provisioning.
Under SCIM Connection:
SCIM Connector Base URL: Enter the SCIM Base URL obtained from Identity Intelligence (e.g., https://<your_cii_tenant_url>/scim/v2).
Unique identifier field for users: Typically userName.
Authentication Mode: Select "OAuth".
Click Test Connector Configuration.
Configure To App provisioning settings, including attribute mappings and user/group assignments. Ensure that the Okta profile attributes are correctly mapped to the SCIM attributes expected by Identity Intelligence.
Microsoft Entra ID (formerly Azure AD)
For detailed guidance, refer to the Entra ID documentation on SCIM provisioning: https://learn.microsoft.com/en-us/entra/identity/app-provisioning/user-provisioning https://learn.microsoft.com/en-us/entra/identity/app-provisioning/how-provisioning-works#provisioning-using-scim-20 https://learn.microsoft.com/en-us/entra/identity/app-provisioning/use-scim-to-provision-users-and-groups
Add Application: In the Entra ID admin center, navigate to Enterprise applications > All applications. Click "New application" and then "Create your own application" (or search for a pre-integrated one if available). Choose "Integrate any other application you don't find in the gallery (Non-gallery)".
Configure Provisioning: Once the application is created, go to its Provisioning section.
Change the Provisioning Mode to Automatic.
Under Admin Credentials:
Tenant URL: Enter the SCIM Base URL obtained from Identity Intelligence (e.g., https://<your_cii_tenant_url>/scim/v2).
Secret Token: Enter the Bearer Token / API Key obtained from Identity Intelligence.
Click Test Connection to ensure Entra ID can connect to Identity Intelligence.
Mappings: Expand "Mappings" to configure user and group attribute mappings. Review the default mappings and adjust them to match Identity Intelligence's expected SCIM schema. Ensure that the userName attribute is correctly mapped as the unique identifier.
Scope: Under "Settings," define the scope of provisioning. You can choose to "Sync only assigned users and groups" (recommended for controlled rollout) or "Sync all users and groups."
Enable Provisioning: Set the Provisioning Status to On.
Monitoring: Use the "Provisioning logs" in the Entra ID application's provisioning section to monitor the status of synchronization and troubleshoot any issues.
Phase 3: Verify Provisioning in Identity Intelligence
Monitor Provisioning Status: After enabling provisioning in your Identity Provider, allow some time for the initial synchronization to complete. The time taken depends on the number of users/groups and the IdP's sync cycle.
Check User/Group Inventories: Navigate to the Integrations page or Overview Dashboard to check the status of the SCIM integration. If users have been provisioned from the source IdP, the Users page within your Identity Intelligence console will contain those users.
Confirm Data Ingestion: Verify that users and groups from your configured Identity Provider are appearing in Identity Intelligence with the correct attributes and group memberships.
Review Logs: Check provisioning logs in both your Identity Provider and, if available, in Identity Intelligence for any errors, warnings, or failed synchronizations. These logs are crucial for troubleshooting.
Managing SCIM Credentials
If desired, the SCIM Client secret used for authentication can be rotated or updated for security purposes.
Generate New Secret in Identity Intelligence:
In Identity Intelligence, navigate to the Integrations page and click Edit from the SCIM provisioning integration settings
Select the Rotate Client Secret option
Click Save
The new Client Secret will be shown. Copy it securely.
Click Finish
Update the Client Secret in the configuration of your source IdP.