UKG (via SCIM)

2025.09.17

Overview

This project focuses on synchronizing user data from UKG (UltiPro) to Cisco Identity Intelligence (CII) using the SCIM integration. This is accomplished using a script which collects the data from the UKG API and effectively "pushes" it to the CII tenant using the SCIM API endpoint.

While the principles may apply to other SCIM implementations, this tool has been specifically tested and optimized for CII's SCIM interface. The script and associated collateral are provided as part of the Cisco Open Source repository. They can be found here - https://github.com/cisco-open/cisco-cii-ukg2scim

Please review the README.md file within the repository for the most current information on how to configure and run the tool.

Customization

This tool was designed to work locally but is highly adaptable to different environments and requirements. You can use it as a core component and wrap it with whatever infrastructure is needed for your specific use case. You can customize various aspects to fit your specific:

  • Organizational structure and user data model

  • Field mappings between UKG and SCIM

  • Execution environment (servers, containers, schedulers, cloud functions)

  • Performance requirements via concurrency and batch size settings

  • Error handling and logging preferences

  • Integration with your existing automation workflows

Key customization points are highlighted throughout this documentation, especially in the "Field Mapping" and "Configuration" sections.

Key Information

  • Daily Synchronization: This script should be configured to run daily to maintain proper synchronization between UKG and CII. Each run recreates all user records on CII, ensuring the most up-to-date information is always reflected. Note that this is a full refresh approach where users are entirely replaced rather than incrementally updated.

  • Handling Deleted Users: Currently, this tool does not have a mechanism to detect and remove users that were completely deleted from UKG. If a user's record status (employeeStatusCode) in UKG changes from active ('A') or leave ('L') to terminated ('T'), the tool correctly updates their status on CII. However, if a user is completely removed from the UKG system, their record will persist in CII as this tool has no way to identify such deletions.

  • CII Integration Setup: Before using this script, you must create a SCIM integration on your CII tenant. Use the integration API credentials (Base URL, Token URL, Client ID and Client Secret) to configure this script via the .env file. Important Security Note: The Client Secret is highly sensitive and should be treated as a credential. Never share it, commit it to public repositories, or expose it in logs.

  • UKG Pro REST API: This project utilizes the UKG Pro REST API to fetch user data from UltiPro. You can learn more about this API, its endpoints, and authentication requirements at the UKG Pro API Documentation.

This tool provides an automated solution for synchronizing user data between systems with configurable settings for pagination, rate limiting, and concurrency.

PreviousAWS S3 Splunk CII IntegrationNextWebex Notification

Last updated