System for Cross-domain Identity Management (SCIM) - External IdP - Setup Guide : Okta

External IdP Server Setup

The objective is to correctly set up the tenant's authentication server (Okta) to push user profiles to SureCloud over SCIM, so that the tenant organisation can manage its SureCloud users, and the SureCloud groups they belong to, from its own identity provider.


Roles and Responsibilities

  • SureCloud: to provide the tenant organisation with
    • The SCIM Endpoint URL
      Example:
      https://example.eu.auth0.com/scim/v2/connections/con_JHDIqSe2jfa4a8pK/?aadOptscim062020
    • The SCIM Endpoint Secret Token
      Example:
      tok_D5KL3ePbEDaJRIef.1eeebcb302fd8bb875adde183bf96edbe5eeddea5bc757d3e408b9b381501e7f
    • The Group Names and Group IDs that are to be mapped and sent in the SCIM requests
      Example:
      [
        {
          "groupId": "8c27f1e1-4d7e-4c85-9d28-3a9e9c9f7e41",
          "description": "Users in this group can report suspected privacy breaches and submit related incidents for review.",
          "name": "Privacy | Breach Reporter"
        },
        {
          "groupId": "5b4e2a17-df3c-4b82-a6f2-27a119d8c441",
          "description": "Provides users with read-only access to system resources without the ability to modify or delete data.",
          "name": "Read Only"
        },
        {
          "groupId": "e21c4d6a-8a6f-4f5f-b2c9-54cb6dce3d0d",
          "description": "Responsible for overseeing risk registers, assessments, and mitigation plans across the organization.",
          "name": "Risk | Manager"
        },
        {
          "groupId": "baf8a3c9-2b6f-41c7-bc69-9f84ad12c7c2",
          "description": "Grants full administrative rights to manage vulnerability scans, results, and remediation workflows.",
          "name": "Vulnerability | Admin"
        }
      ]
  • Tenant organisation administrator to configure their tenant's authentication server to use SCIM.

Tenant Organisation Administrator: Configure Okta

  1. Go to your Okta Workforce Identity SAML application, select the General tab, then choose Edit for App Settings.
  2. In the Provisioning section, select SCIM and then Save.
  3. Still under the General tab, confirm that Federation Broker Mode is disabled (Okta does not provision users for an application while this mode is enabled).
  4. Select the Provisioning tab, then go to the Integration tab and select Edit.
  5. Enter the SCIM Endpoint URL value you have been supplied by SureCloud.
  6. For Unique identifier field for users, enter userName.
  7. Under Supported provisioning actions, select Push New Users and Push Profile Updates, then choose HTTP Header as the Authentication Mode. In this mode Okta sends the value you enter in the next step as a bearer token in the Authorization header of every SCIM request, so treat it with the same care as any other credential.
  8. Paste the SCIM Endpoint Secret Token into the Authorization field, then choose Test Connection Configuration to verify that Okta can reach the endpoint and that the token is accepted. Select Save.

Inbound SCIM WIC Configuration

  1. Browse to Provisioning > Settings > To App and choose Edit, then enable the Create Users, Update User Attributes and Deactivate Users operations. Select Save.
  2. Under the Attribute Mappings section, use the X button to delete the following three mappings:

     Attribute            Value
     Primary email type   (user.email != null && user.email != '') ? 'work' : ''
     Primary phone type   (user.primaryPhone != null && user.primaryPhone != '') ? 'work' : ''
     Address type         (user.streetAddress != null && user.streetAddress != '') ? 'work' : ''

Use the Attribute Mappings section to configure any additional SCIM attributes you want Okta WIC to send to your SCIM endpoint. If you add custom attributes, they must include a valid SCIM 2.0 external namespace property; for more information on external namespaces, read Okta's help section.

You can now test user provisioning from the Assignments tab (assign a test user and confirm the push succeeds), and test update operations by editing that user's attributes under Directory > People in your Okta admin portal.


Tenant Organisation : Mapping Okta Groups to SureCloud Groups

SureCloud reads the userType attribute of each user it receives over SCIM to determine that user's SureCloud group membership. The attribute must contain a comma-separated list of SureCloud group UUIDs (the groupId values supplied by SureCloud); any Okta group that should not grant SureCloud access is simply left out of the list.

Example: "b4274fd6-65ef-4b2b-bb2f-ca8dbd81418a,c3d4e5f6-a7b8-9012-cdef-123456789012"

Configuration Options

You can configure this mapping in Okta using any of the following methods:

  1. Manual Assignment - Set the userType directly on each user's profile in Okta
  2. Okta Expression Language - Use an expression in the SCIM attribute mapping for userType (note: this only works if userType is configured with User personal scope in your Okta user profile)
  3. Okta Group Rules - Create rules that automatically set userType based on Okta group membership
  4. Okta API - Programmatically set userType via the Okta API based on your organization's logic
  5. Okta Workflows - Use Okta Workflows to automate userType assignment

Required Configuration

Regardless of your chosen method, ensure that:

  • The userType attribute is mapped under Provisioning > Settings > To App in the Okta application that points at the SureCloud SCIM endpoint
  • The attribute mapping is set to apply on Create and Update
  • The values are valid SureCloud group UUIDs (provided by SureCloud)

Contact SureCloud support for the list of available group UUIDs for your organization.
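The following is an added example, not SureCloud's or Okta's own code, that works through the Okta Group Rules and Okta API options above: it derives the userType value for a user from their Okta group memberships, validates every UUID against the group list SureCloud supplied, builds the body of an Okta Users API partial profile update (POST /api/v1/users/{userId}), and shows how the receiving side resolves the comma-separated value back into group names. The Okta group names in OKTA_GROUP_TO_SURECLOUD, the sample memberships, and the function names are assumptions for illustration; the group UUIDs are the example values from the Roles and Responsibilities section of this article.

```python
"""Added example (not SureCloud's or Okta's code): compute, validate and
apply the SureCloud `userType` value for an Okta user.

Assumed (not from the article): the Okta group names in
OKTA_GROUP_TO_SURECLOUD, the sample memberships in main(), and all
function names. The SureCloud group IDs are the article's example values.
"""
import json
import uuid

# Group list as supplied by SureCloud (example values from this article).
SURECLOUD_GROUPS = [
    {"groupId": "8c27f1e1-4d7e-4c85-9d28-3a9e9c9f7e41", "name": "Privacy | Breach Reporter"},
    {"groupId": "5b4e2a17-df3c-4b82-a6f2-27a119d8c441", "name": "Read Only"},
    {"groupId": "e21c4d6a-8a6f-4f5f-b2c9-54cb6dce3d0d", "name": "Risk | Manager"},
    {"groupId": "baf8a3c9-2b6f-41c7-bc69-9f84ad12c7c2", "name": "Vulnerability | Admin"},
]
ALLOWED_IDS = {g["groupId"] for g in SURECLOUD_GROUPS}
NAME_BY_ID = {g["groupId"]: g["name"] for g in SURECLOUD_GROUPS}

# Assumed tenant-side mapping: Okta group name -> SureCloud group UUID.
# Okta groups that are absent from this map grant nothing in SureCloud.
OKTA_GROUP_TO_SURECLOUD = {
    "SureCloud-Risk-Managers": "e21c4d6a-8a6f-4f5f-b2c9-54cb6dce3d0d",
    "SureCloud-Vuln-Admins": "baf8a3c9-2b6f-41c7-bc69-9f84ad12c7c2",
    "SureCloud-ReadOnly": "5b4e2a17-df3c-4b82-a6f2-27a119d8c441",
}


def parse_user_type(value):
    """Split a comma-separated userType value into canonical UUID strings.

    Surrounding whitespace is tolerated, duplicates are dropped (order kept),
    and anything that is not a well-formed UUID raises ValueError so a typo
    fails loudly instead of silently granting no access."""
    if value is None or value.strip() == "":
        return []
    ids = []
    for raw in value.split(","):
        token = raw.strip()
        if not token:
            raise ValueError("empty group id in userType: %r" % value)
        try:
            canonical = str(uuid.UUID(token))  # lower-case, hyphenated form
        except ValueError:
            raise ValueError("not a UUID in userType: %r" % token)
        if canonical not in ids:
            ids.append(canonical)
    return ids


def user_type_for(okta_group_names):
    """Build the userType value from a user's Okta group names.

    Every UUID the mapping produces must be one SureCloud actually supplied;
    a stale or mistyped mapping is refused rather than pushed to the tenant."""
    ids = []
    for name in okta_group_names:
        gid = OKTA_GROUP_TO_SURECLOUD.get(name)
        if gid is None:
            continue  # Okta group with no SureCloud meaning
        if gid not in ALLOWED_IDS:
            raise ValueError("mapping targets a group SureCloud did not supply: " + gid)
        if gid not in ids:
            ids.append(gid)
    return ",".join(ids)


def build_okta_profile_update(okta_group_names):
    """Request body for POST /api/v1/users/{userId} (Okta partial update).

    Only the profile attribute we own is sent, so other attributes on the
    Okta user are left untouched."""
    return {"profile": {"userType": user_type_for(okta_group_names)}}


def resolve_surecloud_groups(user_type_value):
    """What the SCIM endpoint does with the value: map UUIDs back to groups.
    An unknown UUID is an error, not an ignored entry."""
    names = []
    for gid in parse_user_type(user_type_value):
        if gid not in NAME_BY_ID:
            raise ValueError("unknown SureCloud group id: " + gid)
        names.append(NAME_BY_ID[gid])
    return names


if __name__ == "__main__":
    # Constructed sample: group names as returned by GET /api/v1/users/{userId}/groups
    sample_groups = ["Everyone", "SureCloud-Risk-Managers", "SureCloud-ReadOnly"]
    body = build_okta_profile_update(sample_groups)
    print(json.dumps(body, indent=2))
    print(resolve_surecloud_groups(body["profile"]["userType"]))
```

Run the same derivation for every user returned by the Okta Users API (or on a group-membership change event if you drive it from Okta Workflows), and keep the Update User Attributes provisioning action enabled so that the new userType value is pushed to SureCloud on the next profile update rather than only on user creation.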


FAQs

  1. If a user leaves the company, do we need to remove their permissions in SureCloud?
    • No. If the user is deactivated in your IdP, they can no longer authenticate via SSO and therefore can no longer access SureCloud. Their permissions remain stored, but the user is marked as INACTIVE in SureCloud. Keep the Deactivate Users operation enabled under Provisioning > Settings > To App so that the deactivation is also pushed over SCIM rather than relying only on the blocked SSO login.

