Skip to main content

SCIM Integration Guide

Dylan
  • Updated

How to use Risk Cloud’s SCIM integration to automatically provision or de-provision users, update user information, and manage access. 

Integration Capabilities

With our SCIM integration, you can manage users and roles in the following ways:

  • Push New Users: New users created through Okta will also be created in Risk Cloud.
  • Push Profile Updates: Updates made to the user's given name, family name, and email address in Okta will be made in Risk Cloud.
  • Push User Deactivation: Deactivating the user or restricting the user's access to the application through Okta will deactivate the user in Risk Cloud. Note: No data is deleted in Risk Cloud.
  • Reactivate Users: User accounts can be reactivated in the application.
  • Push Groups: Identity provider Groups are mapped to existing Risk Cloud Roles or create new ones
  • Update Role membership: The users belonging to a Role are added or removed  depending on changes in the identity provider. 

 

Requirements

You must have the SCIM integration enabled in your Risk Cloud instance. Please get in touch with your LogicGate account team for more information.

Note: Risk Cloud supports SAML for SSO. For more information on that, please see Enable Single-Sign-On.

 

How to Generate Your OAuth Bearer Token

To use the SCIM integration, you will need to enter an access token into your identity provider. 

1. After enabling the SCIM integration in your Risk Cloud instance, navigate to Admin > Integrations in the top navigation bar.

inttab.jpg

 

2. From there, you should see a SCIM tile that is marked as enabled.

scim1.png

 

3. Click the "gear" icon on the SCIM tile (see above) and click 'Configure.'

  • You will be prompted to generate an OAuth Bearer Token, which you can copy and enter into your identity provider. Do NOT use the API token for a regular user in Risk Cloud.

scim2.png

 

SCIM Group Sync or Push Groups Overview

The video below demonstrates the process for configuring SCIM Group Syncing in Risk Cloud.

 

 

Okta Configuration Instructions 

This Configuration Guide is opened from the Provisioning tab after configuring the General and Sign-On settings.

Note: Risk Cloud only provides support for “To App” Provisioning. Any use of “To Okta” is at your own discretion, and Risk Cloud cannot provide support for that use case.

 

Step 1:

Click Integration. Click Edit. 

  • For SCIM 2.0 Base Url, enter your environment’s subdomain. For instance, the environment subdomain for https://grc.logicgate.com/ is "GRC."
  • For OAuth Bearer Token, use the token generated on the SCIM Integration page in your Risk Cloud environment. Do NOT use the API token for a regular user in Risk Cloud.

Click Test API Credentials to verify the information is good. If it is not, then contact your account representative for support.

Step 2:

On the Provisioning tab’s "To App," click Edit and select the items you want to enable.

  • Note: Risk Cloud does NOT support Sync Password. If you enable it, we will ignore the information Okta sends Risk Cloud.

Step 3:

Click General. Under Application visibility, ensure both boxes are unchecked. (SSO via Okta to Risk Cloud is provided outside the SCIM integration. For more information, please check with LogicGate's Customer Support Team.)

 

Okta Group Push Configuration Instructions

Before setting up SCIM Group Sync, we recommend reviewing your existing identity provider groups and comparing them to any existing Risk Cloud Roles. For your identity provider groups to sync with Risk Cloud Roles, their names must match exactly. If the pushed group does not match an existing role, a new role will be created.

Step 1:

After completing the initial configuration instructions, navigate to your Risk Cloud application and select the Push Groups tab

Step 2:

Click the Push Groups button and select Find Groups by name

Scim3.png

 

Step 3:

Search for the group you want to sync with Risk Cloud, select it, click the Create Group button, and then select Create Group from the menu. Repeat this process to add multiple groups, then click Save.

Your groups will begin syncing with Risk Cloud. Any groups you selected will be created as Roles in Risk Cloud (or mapped to existing Roles if they share an identical name), and members of that group will become members of the Risk Cloud Role.

scim4.png

 

Azure AD and other Non-Okta SCIM Providers Setup Instructions 

Before setting up SCIM Group Sync, we recommend reviewing your existing identity provider groups and comparing them to any existing Risk Cloud Roles. For your identity provider groups to sync with Risk Cloud Roles, their names must match exactly. If the pushed group does not match an existing role, a new role will be created.

Step 1:

Navigate to the Provisioning section of your SCIM provider. There you will be given the option to enter your Tenant URL and Secret Token.

scim6.png

Step 2:

Enter your Tenant URL. Your Tenant URL is: https://YOUR_SUBDOMAIN_HERE.logicgate.com/scim/v2
(Replace YOUR_SUBDOMAIN_HERE with your environment’s subdomain). 

Step 3:

Enter your Secret Token (i.e., OAuth Bearer token) that you generated in Step 1. After your credentials are entered, please test the connection.

Step 4:

Select users and groups to push to Risk Cloud. Any groups you select will be created as Roles in Risk Cloud (or mapped to existing Roles if they share an identical name), and members of that group will become members of the Risk Cloud Role.

Step 5:

Ensure the following mappings are used for your Active Directory Groups and Users within your Risk Cloud application.

Required Active Directory attribute mappings

 

Provision Azure Active Directory Users

 

mail

userName
 

Note: Some organizations have userPrincipalName values that are not valid email addresses. If the users provisioned in Risk Cloud have usernames that do not match the user’s email, check Active Directory to confirm that the mail attribute is mapped properly or remove the mapping for userPrincipalName.

 

Provision Azure Active Directory Groups

 

displayName

displayName

objectId

externalId

members

members

 

SCIM Group Sync FAQs

  • What is the SCIM Group Sync feature?
    • This enhancement to our existing SCIM integration allows your identity provider tool to push Groups to Risk Cloud. Those Groups will be associated with a Risk Cloud Role and determine the membership of those Roles. As the membership of a Group changes, those changes are reflected in the associated Risk Cloud Role.
  • What determines a synced Role’s access within Risk Cloud?
    • All entitlements and permissions for a synced Role are configured within Risk Cloud.
  • Will my synced Groups always create a new Risk Cloud Role?
    • No. A new Role will only be created when a synced Group’s name is unique and does not match an existing Role. When Risk Cloud receives a synced Group that matches an existing Role, the membership of the Role will be overwritten by the membership of the synced Group.
  • If I sync an identity provider Group with an existing Role in Risk Cloud, what happens to the users in that Role?
    • Any users who were added to the Role via Risk Cloud will be removed. The Role’s membership will be determined solely by your identity provider.
  • Can I add users to a synced Role or make a synced Role a default Role within Risk Cloud?
    No. The membership of a synced Role will always be limited to members of the Identity Provider Group.
  • What happens to synced Roles when they are unlinked from my identity provider?
    • The Role will remain in Risk Cloud and retain any selected entitlements. Users added to the Role by SCIM Group Sync will be removed. You will be able to manage this Role’s membership entirely within Risk Cloud going forward.
  • How is this functionality related to Risk Cloud’s User Groups?
    • The SCIM integration and SCIM Group Sync does not impact Risk Cloud’s User Groups. This feature specifically relates to your identity management provider’s Groups and Risk Cloud’s Roles.
  • If I am already using the SCIM integration, what must I do to get access to the Group Sync feature?
    • To begin taking advantage of this functionality, coordinate with the owner of your company’s identity management provider to determine what groups should be pushed to Risk Cloud. 
      • Remember that if the name of a synced group does not exactly match that of a Risk Cloud Role, a new Role will be created, and any members of the group will receive that Role.
  • How can I get the SCIM integration enabled in my environment?
    • If you are not already using our SCIM integration, contact your LogicGate account team to discuss enabling it.

 

Known Issues/Troubleshooting

  • If you encounter an error message that says “Error authenticating: null” when enabling the integration in Okta, please contact your Risk Cloud representative.

  • Risk Cloud users or Roles are not updating
    In order for the SCIM integration to assume control of a Risk Cloud role, the names of the two objects must match exactly, including case sensitivity and spacing. If you expect a Risk Cloud role to become managed by an IDP and instead see a new role created, compare the names of the objects.

  • Duplicate users or Roles exist and cannot be merged
    LogicGate's SCIM integration expects unique values for role names and usernames. While the integration will take over existing roles or usernames when there is a match if a user or Role appears to be failing to update, check for an existing role or username with an identical name.

    For example, you may have expected a Risk Cloud role, "Risk Owners," to be taken over by SCIM. Instead, the IDP-managed role "Risk Owner" was created due to a name mismatch. To sync the IDP’s group with the Risk Owners role, an IDP administrator would need to unlink the group and update the name, and the Risk Owner group would need to be deleted in Risk Cloud, then the SCIM group can be pushed again.

  • While most identity providers have a method of forcing an update to Risk Cloud, we recommend allowing the identity provider to push updates as scheduled. This ensures that all changes made in the identity provider are included in the information sent to Risk Cloud.

If you run into any issues setting up SCIM or Group Sync, please get in touch with support@logicgate.com for assistance.

Get Risk Cloud API Updates in Your Inbox

A new Postman Workspace, new API-first endpoints, and detailed API usage guides are just a few ways we’ve enhanced the Risk Cloud Open API in 2023. Subscribe to our new Developer Relations newsletter for easy access to these new resources, API updates, endpoint deprecation notices, and more! 

Not an API user? Explore the Developer Portal or share this link with your development team to learn more. 

Subscribe to Newsletter Here

Related articles

Comments

0 comments

Please sign in to leave a comment.