How to use Risk Cloud’s SCIM integration to automatically provision or de-provision users, update user information, and manage access.
Integration Capabilities
With our SCIM integration, you can manage users and roles in the following ways:
- Push New Users: New users created through Okta will also be created in Risk Cloud.
- Push Profile Updates: Updates made to the user's given name, family name, and email address in Okta will be made in Risk Cloud.
- Push User Deactivation: Deactivating the user or restricting the user's access to the application through Okta will deactivate the user in Risk Cloud. Note: No data is deleted in Risk Cloud.
- Reactivate Users: User accounts can be reactivated in the application.
- Push Groups: Identity provider Groups are mapped to existing Risk Cloud Roles, or new Roles are created for them.
- Update Role membership: The users belonging to a Role are added or removed depending on changes in the identity provider.
Requirements
- You must have the SCIM integration enabled in your Risk Cloud instance. Please get in touch with your LogicGate account team for more information.
- You must configure SAML for SSO. For more information on that, please see Enable Single-Sign-On.
- Your identity provider (IDP) must support SCIM integrations. In this article, we will share configuration settings for Okta and Entra (formerly Active Directory). You can also use other IDPs with Risk Cloud and can contact your account team if you need assistance with configuration.
How to Generate Your OAuth Bearer Token
To use the SCIM integration, you will need to enter an access token into your identity provider.
1. After enabling the SCIM integration in your Risk Cloud instance, navigate to Admin > Integrations in the top navigation bar.
2. From there, you should see a SCIM tile that is marked as enabled.
3. Click the "gear" icon on the SCIM tile and click 'Configure.'
- You will be prompted to generate an OAuth Bearer Token, which you can copy and enter into your identity provider. Do NOT use the API token for a regular user in Risk Cloud.
Please note that the Token will expire after one year. To set up a reminder, you can create a Fixed Schedule Job to send an email with instructions to generate a new Token to avoid any service interruptions.
Okta Configuration Instructions
This Configuration Guide is opened from the Provisioning tab after configuring the General and Sign-On settings.
Note: Risk Cloud only provides support for “To App” Provisioning. Any use of “To Okta” is at your own discretion, and Risk Cloud cannot provide support for that use case.
- Click Integration. Click Edit.
- For SCIM 2.0 Base Url, enter your environment’s subdomain. For instance, the environment subdomain for https://grc.logicgate.com/ is "GRC."
- For OAuth Bearer Token, use the token generated on the SCIM Integration page in your Risk Cloud environment. Do NOT use the API token for a regular user in Risk Cloud.
- Click Test API Credentials to verify the information is good. If it is not, then contact your account representative for support.
- On the Provisioning tab’s "To App," click Edit and select the items you want to enable.
- Note: Risk Cloud does NOT support Sync Password. If you enable it, we will ignore the information Okta sends Risk Cloud.
- Click General
- Under Application visibility, ensure both boxes are unchecked. (SSO via Okta to Risk Cloud is provided outside the SCIM integration. For more information, please check with LogicGate's Customer Support Team.)
Okta Group Push Configuration Instructions
Before setting up SCIM Group Sync, we recommend reviewing your existing identity provider groups and comparing them to any existing Risk Cloud Roles. For your identity provider groups to sync with Risk Cloud Roles, their names must match exactly. If the pushed group does not match an existing role, a new role will be created.
- After completing the initial configuration instructions, navigate to your Risk Cloud application and select the Push Groups tab
- Click the Push Groups button and select Find Groups by name
- Search for the group you want to sync with Risk Cloud and select it
- Click the Create Group button and then select Create Group from the menu
- Repeat this process to add multiple groups, then click Save.
Your groups will begin syncing with Risk Cloud. Any groups you selected will be created as Roles in Risk Cloud (or mapped to existing Roles if they share an identical name), and members of that group will become members of the Risk Cloud Role.
Microsoft Entra and other Identity Provider Setup Instructions
Before setting up SCIM Group Sync, we recommend reviewing your existing identity provider groups and comparing them to any existing Risk Cloud Roles. For your identity provider groups to sync with Risk Cloud Roles, their names must match exactly. If the pushed group does not match an existing role, a new role will be created.
- Navigate to Entra > Enterprise Applications
- Click + New Application
- Click + Create your own application
- Name the application
- Select "Integrate any other application you don't find in the gallery (Non-gallery)"
- Click Create
- Navigate to Provisioning
- From Provisioning Mode select Automatic
- Enter your Tenant URL. Your Tenant URL is: https://YOUR_SUBDOMAIN_HERE.logicgate.com/scim/v2 (replace YOUR_SUBDOMAIN_HERE with your environment’s subdomain)
- Enter your Secret Token (i.e., the OAuth Bearer Token that you generated in Risk Cloud)
- After your credentials are entered, click Test Connection
- Update your User and Groups attribute mappings to match the tables in the Required Entra attribute mappings section below
- Select users and groups to push to Risk Cloud. Any groups you select will be created as Roles in Risk Cloud (or mapped to existing Roles if they share an identical name), and members of that group will become members of the Risk Cloud Role.
Required Entra attribute mappings
Provision Entra Users

| customappSSO Attribute | Microsoft Entra ID Attribute |
|---|---|
| userName | |
| name.givenName | givenName |
| name.familyName | surname |
| externalId | userPrincipalName |
| active | Expression: Switch([IsSoftDeleted], , "False", "True", "True", "False") |

Note: Some organizations have userPrincipalName values that are not valid email addresses. If the users provisioned in Risk Cloud have usernames that do not match the user’s email, check Entra to confirm that the mail attribute is mapped properly or remove the mapping for userPrincipalName.
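Added example (not from the article or LogicGate's code): a Python model of the user attribute mapping above, applying the Switch expression for active to constructed Entra records and flagging the userPrincipalName condition from the note. The userName source (mail) is an assumption, since that cell is blank on the page.

```python
import re

# Constructed sample Entra records (not real accounts). IsSoftDeleted is the
# string form the expression mapping sees; the second record uses a guest-style
# userPrincipalName that is not a usable email address.
ENTRA_USERS = [
    {"userPrincipalName": "jane.doe@example.com", "mail": "jane.doe@example.com",
     "givenName": "Jane", "surname": "Doe", "IsSoftDeleted": "False"},
    {"userPrincipalName": "bob_partner.example#EXT#@tenant.onmicrosoft.com",
     "mail": "bob@partner.example", "givenName": "Bob", "surname": "Smith",
     "IsSoftDeleted": "True"},
]

# Deliberately strict: the local part is limited to characters usually seen in
# mail addresses, so "#EXT#" guest UPNs are flagged.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def switch(source, default, *pairs):
    """Mirror of the Entra expression Switch(source, default, key1, value1, ...):
    return the value paired with the first key equal to source, else default."""
    for key, value in zip(pairs[0::2], pairs[1::2]):
        if key == source:
            return value
    return default


def to_scim_user(user):
    """Apply the Required Entra attribute mappings table to one record.
    Assumption: userName is sourced from mail (the page leaves that cell blank)."""
    active_text = switch(user.get("IsSoftDeleted", ""), "",
                         "False", "True", "True", "False")
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": user["mail"],
        "name": {"givenName": user["givenName"], "familyName": user["surname"]},
        "externalId": user["userPrincipalName"],
        # Only an explicit "True" activates; the empty default (IsSoftDeleted
        # unset) is treated as not active so an unknown state never grants access.
        "active": active_text == "True",
    }


def upn_warnings(users):
    """Return UPNs that are not valid email addresses or differ from mail,
    the condition the note under the table says produces mismatched usernames."""
    return [u["userPrincipalName"] for u in users
            if not EMAIL_RE.match(u["userPrincipalName"])
            or u["userPrincipalName"].casefold() != u["mail"].casefold()]
```

Run upn_warnings over an export of your tenant before enabling provisioning; every UPN it returns will surface in Risk Cloud as a username that does not look like the user's email.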
Provision Entra Groups

| customappSSO Attribute | Microsoft Entra ID Attribute |
|---|---|
| displayName | displayName |
| externalId | objectId |
| members | members |
SCIM Group Sync Overview and FAQs
The video below demonstrates the process for configuring SCIM Group Sync in Risk Cloud with Okta.
- What is the SCIM Group Sync feature?
  - This enhancement to our existing SCIM integration allows your identity provider tool to push Groups to Risk Cloud. Those Groups will be associated with a Risk Cloud Role and determine the membership of those Roles. As the membership of a Group changes, those changes are reflected in the associated Risk Cloud Role.
- What determines a synced Role’s access within Risk Cloud?
  - All entitlements and permissions for a synced Role are configured within Risk Cloud.
- Will my synced Groups always create a new Risk Cloud Role?
  - No. A new Role will only be created when a synced Group’s name is unique and does not match an existing Role. When Risk Cloud receives a synced Group that matches an existing Role, the membership of the Role will be overwritten by the membership of the synced Group.
- If I sync an identity provider Group with an existing Role in Risk Cloud, what happens to the users in that Role?
  - Any users who were added to the Role via Risk Cloud will be removed. The Role’s membership will be determined solely by your identity provider.
- Can I add users to a synced Role or make a synced Role a default Role within Risk Cloud?
  - No. The membership of a synced Role will always be limited to members of the Identity Provider Group.
- What happens to synced Roles when they are unlinked from my identity provider?
  - The Role will remain in Risk Cloud and retain any selected entitlements. Users added to the Role by SCIM Group Sync will be removed. You will be able to manage this Role’s membership entirely within Risk Cloud going forward.
- How is this functionality related to Risk Cloud’s User Groups?
  - The SCIM integration and SCIM Group Sync do not impact Risk Cloud’s User Groups. This feature specifically relates to your identity management provider’s Groups and Risk Cloud’s Roles.
- If I am already using the SCIM integration, what must I do to get access to the Group Sync feature?
  - To begin taking advantage of this functionality, coordinate with the owner of your company’s identity management provider to determine what groups should be pushed to Risk Cloud.
  - Remember that if the name of a synced group does not exactly match that of a Risk Cloud Role, a new Role will be created, and any members of the group will receive that Role.
- How can I get the SCIM integration enabled in my environment?
  - If you are not already using our SCIM integration, contact your LogicGate account team to discuss enabling it.
Troubleshooting
- Error Messages: If you encounter an error message that says “Error authenticating: null” when enabling the integration in Okta, please contact your Risk Cloud representative.
- Risk Cloud users or Roles are not updating: In order for the SCIM integration to assume control of a Risk Cloud Role, the names of the two objects must match exactly, including case sensitivity and spacing. If you expect a Risk Cloud Role to become managed by an IDP and instead see a new Role created, compare the names of the objects.
- Duplicate users or Roles exist and cannot be merged: LogicGate's SCIM integration expects unique values for Role names and usernames. The integration takes over an existing Role or username only when there is an exact match, so if a user or Role appears to be failing to update, check for an existing Role or username with an identical name.
  - For example, you may have expected a Risk Cloud Role, "Risk Owners," to be taken over by SCIM. Instead, the IDP-managed Role "Risk Owner" was created due to a name mismatch. To sync the IDP’s group with the Risk Owners Role, an IDP administrator would need to unlink the group and update the name, the "Risk Owner" Role would need to be deleted in Risk Cloud, and then the SCIM group can be pushed again.
- Changes Made in IDP not Updating in Risk Cloud: While most identity providers have a method of forcing an update to Risk Cloud, we recommend allowing the identity provider to push updates as scheduled. This ensures that all changes made in the identity provider are included in the information sent to Risk Cloud.
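Added example (not LogicGate's code) covering the exact-name rule from the Group Push sections and the "Risk Owners"/"Risk Owner" scenario above: a pre-flight check that predicts which pushed Groups will take over existing Roles and which will create new ones, and lists near misses in case, spacing or wording so names can be aligned before the push. The group and Role names are constructed.

```python
import difflib

# Constructed sample data (not from a real tenant): the Groups the identity
# provider will push and the Roles that already exist in Risk Cloud.
IDP_GROUPS = ["Risk Owners", "Auditors", "Control Owner", "Vendor Managers "]
RISK_CLOUD_ROLES = ["Risk Owners", "Auditors", "Control Owners", "Vendor Managers"]


def loose(name):
    """Case- and whitespace-insensitive form, used only to detect near misses."""
    return " ".join(name.casefold().split())


def preflight(idp_groups, risk_cloud_roles, cutoff=0.9):
    """Predict the outcome of a group push.

    Risk Cloud matches names exactly (case and spacing included): an exact match
    takes over the existing Role, whose membership is then overwritten by the
    Group; anything else creates a new Role. Near misses are reported so the
    names can be corrected before the push creates an unwanted duplicate.
    """
    exact = set(risk_cloud_roles)
    by_loose = {loose(r): r for r in risk_cloud_roles}
    report = {"takes_over": [], "creates_new": [], "near_miss": []}
    for group in idp_groups:
        if group in exact:
            report["takes_over"].append(group)
            continue
        report["creates_new"].append(group)
        # Similarity is measured on the loose forms so that a case or spacing
        # difference scores 1.0 and a singular/plural slip still clears cutoff.
        close = difflib.get_close_matches(loose(group), list(by_loose),
                                          n=1, cutoff=cutoff)
        if close:
            report["near_miss"].append((group, by_loose[close[0]]))
    return report


if __name__ == "__main__":
    for kind, items in preflight(IDP_GROUPS, RISK_CLOUD_ROLES).items():
        print(kind, items)
```

Every entry under near_miss is a Role that would be silently duplicated rather than taken over, and every entry under takes_over is a Role whose Risk Cloud-managed members will be removed once the push lands.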
If you run into any issues setting up SCIM or Group Sync, please get in touch with support@logicgate.com for assistance.