How to use SCIM to provision/deprovision users and push user updates automatically.
Requirements
You must have the SCIM integration enabled in your Risk Cloud instance. Please contact your Relationship Manager for more information.
Note: Risk Cloud supports SAML for SSO. For more information on that, please see Enable Single-Sign On.
How to Generate your OAuth Bearer Token
After the SCIM integration has been enabled in your Risk Cloud instance, log into your instance and navigate to Admin > Integrations on your top navigation bar.
From there you should see a SCIM tile that is marked as enabled.
Click 'Configure Integration' on the SCIM tile, and a popup should show with the ability to generate your OAuth Bearer Token. Do NOT use the API token for a regular user in Risk Cloud.
Okta
The following provisioning features are supported:
Push New Users: New users created through Okta will also be created in Risk Cloud.
Push Profile Updates: Updates made to the user's given name, family name, and email address in Okta will be made in Risk Cloud.
Push User Deactivation: Deactivating the user or disabling the user's access to the application through Okta will deactivate the user in Risk Cloud. Note: No data is deleted in Risk Cloud.
Reactivate Users: User accounts can be reactivated in the application.
Step-by-Step Configuration Instructions
Note: This Configuration Guide is opened from the Provisioning tab. The General settings and Sign On settings have already been configured.
Risk Cloud only provides support for “To App” Provisioning. Any use of “To Okta” is at your own discretion and Risk Cloud cannot provide support for that use case.
Step 1:
Click Integration. Click Edit.
For SCIM 2.0 Base Url, enter your environment’s subdomain. For instance, the environment subdomain for https://grc.logicgate.com/ is grc.
For OAuth Bearer Token, use the token generated on the SCIM Integration page in your Risk Cloud environment. Do NOT use the API token for a regular user in Risk Cloud.
Click Test API Credentials to verify that the credentials are valid. If they are not, contact your account representative for support.
Step 2:
On the Provisioning tab’s To App, click Edit and select the items you want to enable.
Note: Risk Cloud does NOT support Sync Password. If you enable it, we will ignore the information Okta sends Risk Cloud.
Step 3:
Click General. Under Application visibility, ensure both boxes are unchecked. (SSO via Okta to Risk Cloud is provided outside the SCIM integration. For more information, please check with LogicGate's Customer Support Team.)
Known Issues/Troubleshooting
If you encounter an error message that says “Error authenticating: null” when enabling the integration in Okta, please reach out to your Risk Cloud representative.
Azure AD and other Non-Okta SCIM Providers
The following provisioning features are supported:
Push New Users: New users created through Azure AD or other Non-Okta SCIM providers will also be created in Risk Cloud.
Push Profile Updates: Updates made to the user's given name, family name, and email address in your SCIM provider will be made in Risk Cloud.
Push User Deactivation: Deactivating the user or disabling the user's access to the application through SCIM will deactivate the user in Risk Cloud. Note: No data is deleted in Risk Cloud.
Reactivate Users: User accounts can be reactivated in the application.
IMPORTANT: We do not support the ability to push over groups at this time. You may experience connection errors and SCIM quarantining.
Setup Instructions
Step 1:
Navigate to the Provisioning section of your SCIM provider. There you will be given the option to enter your Tenant URL and Secret Token.
Step 2:
Enter your Tenant URL. Your Tenant URL is: https://YOUR_SUBDOMAIN_HERE.logicgate.com/scim/v2
(Replace YOUR_SUBDOMAIN_HERE with your environment’s subdomain).
Step 3:
Enter your Secret Token (i.e., the OAuth Bearer Token) that you generated in Step 1. After your credentials are entered, test the connection.
If you run into any issues setting up SCIM, please reach out to support@logicgate.com for assistance.
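To check the Tenant URL, Bearer header and request shapes before enabling the integration, here is an added dry-run builder for the SCIM 2.0 requests an identity provider sends for the supported features (push new user, profile update, deactivation). It is example code, not LogicGate's or any SCIM provider's own; the /Users endpoint and PATCH payloads follow the standard RFC 7644 forms and are assumed to be what Risk Cloud accepts, and nothing is sent over the network.

```python
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def scim_base_url(subdomain: str) -> str:
    """Tenant URL from the guide: https://<subdomain>.logicgate.com/scim/v2.
    Only a bare subdomain such as 'grc' is accepted, so a pasted full host fails early."""
    if not subdomain or any(c in subdomain for c in "./:"):
        raise ValueError("expected a bare environment subdomain such as 'grc'")
    return f"https://{subdomain}.logicgate.com/scim/v2"

def auth_headers(scim_token: str) -> dict:
    """The SCIM integration token travels as an OAuth Bearer token; a regular
    user's Risk Cloud API token must not be used here."""
    return {"Authorization": f"Bearer {scim_token}",
            "Content-Type": "application/scim+json"}

def _request(method, url, token, body):
    # Returned instead of sent: a dry run for inspecting shape before go-live.
    return {"method": method, "url": url, "headers": auth_headers(token), "body": body}

def push_new_user(base, token, email, given, family):
    """Push New Users: POST /Users with the core User schema. No password
    attribute is included because Risk Cloud ignores Sync Password."""
    body = {"schemas": [USER_SCHEMA], "userName": email, "active": True,
            "name": {"givenName": given, "familyName": family},
            "emails": [{"value": email, "primary": True}]}
    return _request("POST", f"{base}/Users", token, body)

def push_profile_update(base, token, user_id, **changes):
    """Push Profile Updates: PATCH only the attributes Risk Cloud syncs
    (given name, family name, email address); anything else is refused."""
    paths = {"given": "name.givenName", "family": "name.familyName",
             "email": "emails[primary eq true].value"}
    if set(changes) - set(paths):
        raise ValueError(f"not synced by Risk Cloud: {sorted(set(changes) - set(paths))}")
    ops = [{"op": "replace", "path": paths[k], "value": v} for k, v in changes.items()]
    return _request("PATCH", f"{base}/Users/{user_id}", token,
                    {"schemas": [PATCH_SCHEMA], "Operations": ops})

def push_deactivation(base, token, user_id):
    """Push User Deactivation: set active=false via PATCH rather than DELETE,
    matching the guide's note that no data is deleted in Risk Cloud."""
    op = {"op": "replace", "path": "active", "value": False}
    return _request("PATCH", f"{base}/Users/{user_id}", token,
                    {"schemas": [PATCH_SCHEMA], "Operations": [op]})

def push_group(*_):
    """Group pushes are not supported by Risk Cloud; refuse rather than risk quarantining."""
    raise NotImplementedError("disable group provisioning for the Risk Cloud app")
```

Reactivation is the same PATCH as deactivation with active set back to true.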