SCIM Provisioning

Overview

Cisco Identity Intelligence can receive user and group data via the System for Cross-domain Identity Management (SCIM) protocol from various identity providers, such as PingFederate. This integration enables automated user and group lifecycle management, ensuring that Identity Intelligence has up-to-date identity context for enhanced security and analytics. These instructions will guide you through the process of configuring your Identity Provider to provision data to Identity Intelligence.

NOTE - This integration is intended for identity providers and sources that don’t offer any other public API for sharing their identity data. In the case of Microsoft Entra ID and Okta, you should use the existing direct API integrations and data streaming options to integrate with CII.

Before you begin...

Make sure you have the following:

  • A Cisco Identity Intelligence account with Full Admin permissions that can manage integrations.

  • An Identity Provider (e.g. PingFederate or another identity source that supports outbound SCIM provisioning) configured and ready to provision users/groups.

  • Necessary administrative privileges within your chosen Identity Provider to configure SCIM applications.

The CII SCIM Provisioning function does NOT support Bearer Token authentication at this time. Contact your Duo IAM representative if your identity source does not support OAuth client credentials as a SCIM authentication protocol.

Configuration Steps

The setup process involves two main phases: first, configuring Identity Intelligence to provide credentials for its SCIM endpoint, and second, configuring your Identity Provider to send data to that endpoint.

Phase 1: Configure Cisco Identity Intelligence for SCIM

Enable SCIM Provisioning in Identity Intelligence:

  1. Navigate to the "Integrations" section within your Identity Intelligence tenant and click Add Integration in the top right corner.

  2. Locate and click the "SCIM Provisioning" tile.

  3. Within the form, provide the following:

    1. display name, for use within the CII console

    2. description (optional)

    3. Source (optional, see above) - NOTE: if your SCIM source is not one of the three listed, choose None.

  4. Click

  5. Upon activation, Identity Intelligence will provide you with:

  • SCIM Base URL: This is the endpoint where your Identity Provider will send SCIM requests (e.g., https://<your_cii_deployment>/scim/v2). NOTE - the URL is specific to your CII deployment or region.

    • Token URL

    • Client ID

    • Client Secret - Copy this token securely, as it will only be shown once.

  6. Click Finish

Phase 2: Configure your Identity Provider for SCIM Provisioning

This phase involves configuring your specific Identity Provider to send user and group data to the Identity Intelligence SCIM endpoint. While the general principles are similar, the exact steps vary by provider.

General SCIM Configuration Principles

  1. Add a SCIM Application: Within your Identity Provider's administration console, add a new application or integration that supports SCIM provisioning. This might be a pre-built gallery app or a custom SCIM 2.0 application.

  2. Configure Provisioning Method: Select "Automatic Provisioning" or "SCIM" as the provisioning method.

  3. Enter SCIM Endpoint Details:

    • Tenant URL / SCIM Connector Base URL: Enter the SCIM Base URL obtained above from Identity Intelligence (e.g., https://<your_cii_deployment>/scim/v2).

    • Enter Token URL and Client Credentials

  4. Test Connection: Most Identity Providers offer a "Test Connection" button. Use this to verify that the Identity Provider can successfully authenticate and communicate with the Identity Intelligence SCIM endpoint.

  5. Configure Attribute Mappings: Map the standard user and group attributes from your Identity Provider to the corresponding SCIM attributes expected by Identity Intelligence (e.g., userName, displayName, emails[type eq "work"].value, active, groups). Ensure that mandatory attributes are mapped correctly.

  6. Define Scope: Specify which users and groups should be provisioned to Identity Intelligence. This might involve assigning users/groups to the application or configuring filters.

  7. Enable Provisioning: Once all settings are configured and tested, enable the provisioning service. Users and groups will begin to synchronize with Identity Intelligence based on your defined scope and mapping.
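Step 5 is where most provisioning failures originate, so it helps to see the mapping as code. The following is an added example, not code from Cisco Identity Intelligence or PingFederate: it maps a source record onto SCIM 2.0 User and Group resources using the standard attribute names and schema URNs from RFC 7643, and refuses to emit a User that lacks the mandatory userName. The source-side attribute names (sAMAccountName, mail, accountEnabled, ...) and the sample record are hypothetical and constructed; substitute your own directory's schema.

```python
"""Build SCIM 2.0 User and Group resources from identity-source records.

Added example, not code from Cisco Identity Intelligence or PingFederate.
The source attribute names in ATTRIBUTE_MAP are a hypothetical directory
schema; the SCIM attribute paths and schema URNs are the standard ones
from RFC 7643.
"""
from typing import Any

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
WORK_EMAIL = 'emails[type eq "work"].value'

# source attribute (hypothetical) -> SCIM attribute path (RFC 7643)
ATTRIBUTE_MAP = {
    "sAMAccountName": "userName",
    "objectGUID": "externalId",
    "displayName": "displayName",
    "givenName": "name.givenName",
    "sn": "name.familyName",
    "mail": WORK_EMAIL,
    "accountEnabled": "active",
}

# RFC 7643 marks only userName as required for a User. A record that cannot
# supply it is rejected here instead of being provisioned as an identity the
# receiving side cannot name.
MANDATORY = {"userName"}


def _set_path(resource: dict, path: str, value: Any) -> None:
    """Write value into resource at a SCIM attribute path such as name.givenName."""
    if path == WORK_EMAIL:  # multi-valued attribute with a type filter
        resource.setdefault("emails", []).append(
            {"type": "work", "value": value, "primary": True})
        return
    *parents, leaf = path.split(".")
    node = resource
    for key in parents:
        node = node.setdefault(key, {})
    node[leaf] = value


def to_scim_user(record: dict) -> dict:
    """Map one source record to a SCIM User; raise if a mandatory attribute is absent."""
    user: dict = {"schemas": [SCIM_USER_SCHEMA]}
    for src, dst in ATTRIBUTE_MAP.items():
        value = record.get(src)
        if value is None or value == "":
            continue  # unset source attributes are simply not sent
        if dst == "active":
            # SCIM 'active' is a boolean; directory exports often carry strings.
            value = (value.strip().lower() in ("true", "1", "yes")
                     if isinstance(value, str) else bool(value))
        _set_path(user, dst, value)
    missing = sorted(MANDATORY - set(user))
    if missing:
        raise ValueError(f"cannot map record: missing mandatory SCIM attribute(s) {missing}")
    return user


def to_scim_group(name: str, member_ids: list) -> dict:
    """Build a SCIM Group whose members reference already-provisioned user ids."""
    return {
        "schemas": [SCIM_GROUP_SCHEMA],
        "displayName": name,
        "members": [{"value": member_id} for member_id in member_ids],
    }


# Constructed sample record (not real directory data).
SAMPLE_RECORD = {
    "sAMAccountName": "jdoe",
    "objectGUID": "example-guid-0001",
    "displayName": "Jane Doe",
    "givenName": "Jane",
    "sn": "Doe",
    "mail": "jdoe@example.com",
    "accountEnabled": "TRUE",
    "department": "Finance",  # unmapped: intentionally not sent
}

if __name__ == "__main__":
    import json
    print(json.dumps(to_scim_user(SAMPLE_RECORD), indent=2))
    print(json.dumps(to_scim_group("finance-users", ["jdoe"]), indent=2))
```

Attributes with no mapping (department above) are dropped rather than passed through, which keeps the payload to what Identity Intelligence actually expects; the active conversion matters because a source that exports "FALSE" as a string would otherwise provision a disabled account as active.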

Specific Notes for Identity Providers

PingFederate

  • Refer to PingFederate's official documentation for detailed steps on configuring SCIM outbound provisioning and OAuth clients. In the event of any conflicts between this document and the PingIdentity documents, use PingIdentity. https://docs.pingidentity.com/integrations/scim/pf_scim_connector.html

  • PingFederate acts as a SCIM client for outbound provisioning.

  • Create an OAuth Client (Recommended): For secure authentication, create an OAuth client in PingFederate under Applications > OAuth Clients. This client will be used by the SCIM Outbound Provisioner to obtain an access token for Identity Intelligence.

  • Configure Outbound Provisioning:

    • Navigate to Applications > Outbound Provisioning.

    • Add a new SCIM 2.0 Client instance.

    • Connection Settings:

      • Base URL: Enter the SCIM Base URL obtained from Identity Intelligence (e.g., https://<your_cii_tenant_url>/scim/v2).

      • Authentication: Select "OAuth" and configure it to use the OAuth client you created.

    • Attribute Mapping: Map the attributes from your PingFederate data store (e.g., LDAP directory) to the SCIM attributes required by Identity Intelligence. Ensure that unique identifiers like userName are correctly mapped.

    • Provisioning Rules: Define the rules for which users and groups are provisioned (e.g., based on group membership or attribute values).

    • Activation: Enable the provisioning connection.

Phase 3: Verify Provisioning in Identity Intelligence

  1. Monitor Provisioning Status: After enabling provisioning in your Identity Provider, allow some time for the initial synchronization to complete. The time taken depends on the number of users/groups and the IdP's sync cycle.

  2. Check User/Group Inventories: Navigate to the Integrations page or Overview Dashboard to check the status of the SCIM integration. If users have been provisioned from the source IdP, then the Users page within your Identity Intelligence console will contain those users.

  3. Confirm Data Ingestion: Verify that users and groups from your configured Identity Provider are appearing in Identity Intelligence with the correct attributes and group memberships.

  4. Review Logs: Check provisioning logs in both your Identity Provider and, if available, in Identity Intelligence for any errors, warnings, or failed synchronizations. These logs are crucial for troubleshooting.
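Steps 3 and 4 can be scripted so the same check runs after every secret rotation or mapping change. The following is an added example, not code from Cisco Identity Intelligence or Ping Identity. It obtains an access token with the OAuth 2.0 client-credentials grant (RFC 6749, section 4.4) from the Token URL issued in Phase 1 and then queries the SCIM Base URL. It assumes that the token endpoint accepts the client id and secret as HTTP Basic credentials and that the SCIM service serves the standard /ServiceProviderConfig and /Users resources (RFC 7644) to that token; both are assumptions about the service, not statements from this page. The transport is injectable so the logic can be exercised offline against canned responses.

```python
"""Check a SCIM endpoint the way an IdP's "Test Connection" does, then confirm
that one expected user has been provisioned.

Added example, not Cisco Identity Intelligence or PingFederate code.
Assumptions: the Token URL accepts a standard client-credentials POST with
HTTP Basic client authentication, and the SCIM Base URL serves
/ServiceProviderConfig and /Users (RFC 7644) to the resulting access token.
"""
import base64
import json
import os
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Optional, Tuple

# transport(method, url, headers, body) -> (status, response body)
Transport = Callable[[str, str, dict, Optional[bytes]], Tuple[int, bytes]]


def urllib_transport(method: str, url: str, headers: dict,
                     body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real HTTP transport; replaced by a fake when testing offline."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def fetch_token(token_url: str, client_id: str, client_secret: str,
                transport: Transport = urllib_transport) -> str:
    """Client-credentials grant. The secret travels only in the Basic header,
    never in the URL, so it does not land in proxy or access logs."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    status, raw = transport("POST", token_url, headers, body)
    if status != 200:
        raise RuntimeError(f"token request failed: HTTP {status}")
    tok = json.loads(raw)
    if tok.get("token_type", "").lower() != "bearer" or not tok.get("access_token"):
        raise RuntimeError("token endpoint did not return a bearer access token")
    return tok["access_token"]


def scim_get(base_url: str, path: str, access_token: str,
             transport: Transport = urllib_transport) -> dict:
    """GET one SCIM resource with the access token and parse the JSON body."""
    headers = {"Authorization": f"Bearer {access_token}",
               "Accept": "application/scim+json"}
    status, raw = transport("GET", base_url.rstrip("/") + path, headers, None)
    if status != 200:
        raise RuntimeError(f"GET {path} failed: HTTP {status}")
    return json.loads(raw)


def verify_provisioning(base_url: str, token_url: str, client_id: str,
                        client_secret: str, expected_username: str,
                        transport: Transport = urllib_transport) -> dict:
    """Authenticate, read ServiceProviderConfig, then look for one expected user."""
    token = fetch_token(token_url, client_id, client_secret, transport)
    config = scim_get(base_url, "/ServiceProviderConfig", token, transport)
    # Escape the value inside the SCIM filter so a userName containing a quote
    # cannot change the filter expression, then URL-encode the whole query.
    safe_name = expected_username.replace("\\", "\\\\").replace('"', '\\"')
    query = urllib.parse.urlencode({"filter": f'userName eq "{safe_name}"'})
    users = scim_get(base_url, "/Users?" + query, token, transport)
    return {
        "auth_ok": True,
        "filter_supported": bool(config.get("filter", {}).get("supported")),
        "user_found": int(users.get("totalResults", 0)) > 0,
    }


if __name__ == "__main__":
    # Supply the values issued by Identity Intelligence in Phase 1 via the
    # environment; the defaults are placeholders and will not connect.
    print(verify_provisioning(
        os.environ.get("CII_SCIM_BASE_URL", "https://<your_cii_deployment>/scim/v2"),
        os.environ.get("CII_TOKEN_URL", "https://<your_cii_deployment>/<token-url>"),
        os.environ.get("CII_CLIENT_ID", "<client-id>"),
        os.environ.get("CII_CLIENT_SECRET", "<client-secret>"),
        os.environ.get("CII_EXPECTED_USER", "jdoe")))
```

A 401 from the token endpoint after a rotation means the IdP still holds the old secret (step 2 of Managing SCIM Credentials was not completed); a token that works but a user lookup that returns zero results points at scope or attribute-mapping problems in the IdP rather than at authentication.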

Processing New Data

CII automatically processes new SCIM data pushed to it from the identity source on a regular 24-hour schedule. If you would like to process data that has been pushed within the past 24 hrs without waiting for the next scheduled run, use the Process New Data menu option for that integration on the Integrations page.

Managing SCIM Credentials

If desired, the SCIM Client secret used for authentication can be rotated or updated for security purposes.

  1. Generate New Secret in Identity Intelligence:

    1. In Identity Intelligence, navigate to the Integrations page and click Edit from the SCIM provisioning integration settings

    2. Select the Rotate Client Secret option

    3. Click Save

    4. The new Client Secret will be shown. Copy it securely.

    5. Click Finish

  2. Update the Client Secret in the configuration of your source IdP.
