Create a SCIM provisioning app in PingOne

Optimizely officially supports SCIM provisioning with Entra ID, Okta, and PingOne. Other IdPs are not officially supported for SCIM provisioning, and Optimizely does not assist with custom configuration or troubleshooting.

You can configure a PingOne integration that uses System for Cross-domain Identity Management (SCIM) for provisioning. SCIM automates user and group lifecycle management (creation, updates, and deactivation) from PingOne to Opti ID, so account changes made in your IdP flow to Opti ID without manual administration.

Prerequisites

  • Configure the SAML or OIDC SSO connection in your identity provider (IdP). If you intend to use your IdP for provisioning and SSO, the best practice is to use two separate apps in your IdP: one to manage the SCIM integration and one to manage the SSO integration.
  • Decide whether to use just-in-time (JIT) or SCIM for user and group provisioning. You cannot use JIT and SCIM at the same time. Default SSO in Opti ID uses JIT provisioning; choosing SCIM automatically opts you out of JIT provisioning. Contact Optimizely Support to configure your SCIM organization.
  • You must be in the Admin Center Administrators group in the Opti ID Admin Center.
  • You must have administrator rights in your IdP account.
If you create multiple SSO connections, you can only use SCIM for one of those SSO connections.

Add an attribute in PingOne

  1. Go to Attributes and click the Add (+) icon to add an attribute in your PingOne admin console.
  2. Select Declared for the attribute type, then click Next.
  3. Enter a Name for the attribute, then click Save to finish creating the attribute.
  4. Add this newly created attribute to users you want to sync with Opti ID.

Configure SCIM provisioning in PingOne

  1. Generate a SCIM token in Opti ID. You need this token in step 7. Treat it as a credential: anyone who holds it can call the Opti ID SCIM API with the same rights as your provisioning connection (creating, updating, and deprovisioning users and groups), so paste it only into the PingOne connection configuration and do not store it anywhere else.
  2. Go to Integrations > Provisioning in PingOne.
  3. Click the Add (+) icon, then select New Connection to create a provisioning connection.
  4. Click Select for Identity Store.
  5. Select SCIM Outbound, then click Next.
  6. Enter a Name, then click Next.
  7. Complete the following information:
    • SCIM Base URL – Enter https://identity-api.optimizely.com/api/scim/v2.
    • SCIM Version – Enter 2.0.
    • Authentication Method – Select OAuth 2 Bearer Token.
    • Oauth Access Token – Paste the token you generated from Generate a SCIM token in Opti ID.
    • Auth Type Header – Select Bearer.
    • Users Resource – Enter /Users.
    • Groups Resource – Enter /Groups.
  8. Click Test Connection to test whether the integration can connect to the SCIM API. If there are errors, ensure your base URL and API token are correct and try again.
  9. Click Next after you confirm the API connection works.
  10. Complete the following information if it is not already pre-filled, then click Save to finish creating the connection.
    • User Filter Expression – Enter username Eq "%s". (SCIM attribute names and filter operators are case-insensitive per RFC 7644, so this is equivalent to the canonical form userName eq "%s"; PingOne substitutes the user identifier for %s.)
    • User Identifier – Enter userName.
    • Allow Users to be Created – Select this checkbox.
    • Allow Users to be Updated – Select this checkbox.
    • Allow Users to be Disabled – Leave this toggled off.
    • Allow Users to be Deprovisioned – Select this checkbox.
    • Deprovision on Rule Deletion – Toggle this on.
  11. After you create the connection, PingOne returns you to the Integrations > Provisioning page.
  12. Go to the Connections tab, select the SCIM connection you just created, and toggle the connection on.
  13. Go back to Integrations > Provisioning.
  14. Click the Add (+) icon, then select New Rule.
  15. Enter a Name, then click Create Rule.
  16. Click the Add (+) icon on the Configuration tab for the SCIM connection you created. This adds the SCIM connection to your rule.
  17. Click Save.
  18. After you save the rule, PingOne returns you to the Integrations > Provisioning page.
  19. Go to the Rules tab and click the SCIM icon for the rule you just created to open the configuration window.
  20. Click User Filter, then click the Edit icon to edit the filter.
  21. Add the following user filter, then click Save.
    • Attribute – Select the attribute you created in the Add an attribute in PingOne section.
    • Operator – Select Equals.
    • Value – Enter true.
  22. Click Attribute Mapping, then click the Edit icon to edit the mapping.
  23. Make the following changes, then click Save.
    • Delete the Email Address and Primary Phone attributes.
    • Expand the Username drop-down list in the PingOne Directory column and select Email Address.
  24. Click Group Provisioning, then click Add Groups.
  25. Select the groups you want to sync with Opti ID, then click Save.
  26. Toggle the rule on. This starts the sync to Opti ID; the results display in PingOne when it completes.
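Before pasting the token into PingOne, it helps to confirm from your own machine that the base URL, resource path, and bearer token work, which is what PingOne's Test Connection and the User Filter Expression do under the hood. The script below is an added example, not Optimizely's or Ping Identity's code: it builds the same `userName eq "%s"` lookup with proper escaping of the substituted value, sends it with the OAuth 2 bearer header, and checks that the reply is a SCIM 2.0 ListResponse. The base URL and resource paths are the ones from step 7; the token is read from an environment variable (assumed name OPTI_SCIM_TOKEN), and the sample response used when no token is set is constructed here for offline use.

```python
"""Pre-flight check for the Opti ID SCIM endpoint configured in PingOne.

Added example, not Optimizely's or Ping Identity's code. Values from the page:
the SCIM base URL, the /Users and /Groups resources, and bearer-token auth.
Everything else (env var name, sample response) is an assumption made here.
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

SCIM_BASE_URL = "https://identity-api.optimizely.com/api/scim/v2"  # from the page
USERS_RESOURCE = "/Users"                                            # from the page
GROUPS_RESOURCE = "/Groups"                                          # from the page
LIST_RESPONSE_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def scim_string_literal(value: str) -> str:
    """Quote a value for a SCIM filter.

    RFC 7644 filter string values are JSON strings, so a backslash or a double
    quote inside a userName must be escaped. PingOne substitutes the user
    identifier for %s; if you build the filter yourself you must escape the
    same way, otherwise a userName containing '"' breaks or alters the filter.
    """
    return json.dumps(value)  # yields "..." with \" and \\ escaped


def user_filter(user_name: str) -> str:
    """Equivalent of PingOne's expression userName eq "%s" for one user."""
    return f"userName eq {scim_string_literal(user_name)}"


def parse_list_response(body: bytes) -> list:
    """Validate a SCIM ListResponse and return its Resources list."""
    doc = json.loads(body)
    if LIST_RESPONSE_SCHEMA not in doc.get("schemas", []):
        raise ValueError("not a SCIM 2.0 ListResponse: %r" % doc.get("schemas"))
    if not isinstance(doc.get("totalResults"), int):
        raise ValueError("ListResponse is missing an integer totalResults")
    return doc.get("Resources", [])


def lookup_user(base_url: str, token: str, user_name: str, timeout: float = 10.0):
    """GET {base}/Users?filter=userName eq "<name>" with OAuth 2 bearer auth.

    Returns (HTTP status, matching resources). 401/403 mean the token is wrong
    or revoked; 404 usually means the base URL or resource path is wrong.
    """
    query = urllib.parse.urlencode({"filter": user_filter(user_name), "count": 1})
    req = urllib.request.Request(
        f"{base_url}{USERS_RESOURCE}?{query}",
        headers={
            "Authorization": f"Bearer {token}",  # Auth Type Header: Bearer
            "Accept": "application/scim+json",
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, parse_list_response(resp.read())
    except urllib.error.HTTPError as e:
        return e.code, []


# Constructed sample of what a correctly configured endpoint returns for one match.
SAMPLE_LIST_RESPONSE = json.dumps({
    "schemas": [LIST_RESPONSE_SCHEMA],
    "totalResults": 1,
    "startIndex": 1,
    "itemsPerPage": 1,
    "Resources": [{"id": "2819c223", "userName": "jane.doe@example.com", "active": True}],
}).encode()


if __name__ == "__main__":
    token = os.environ.get("OPTI_SCIM_TOKEN")  # assumed name; never hard-code the token
    if not token:
        users = parse_list_response(SAMPLE_LIST_RESPONSE)
        print("offline check:", user_filter('o"hara@example.com'), users[0]["userName"])
        sys.exit(0)
    status, users = lookup_user(SCIM_BASE_URL, token, sys.argv[1])
    print(status, [u.get("userName") for u in users])
```

Run it with `OPTI_SCIM_TOKEN=... python scim_preflight.py jane.doe@example.com`; a 200 with an empty Resources list is still a successful connection test (the user simply does not exist yet), whereas 401 or 403 means the token should be regenerated before you continue with step 7.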

User management in Opti ID

SCIM syncs only users and groups from your IdP. Instances, roles, and permissions are managed within the Opti ID Admin Center. With SCIM provisioning, a group push creates internal groups in Opti ID.

In addition to managing users and groups through your IdP, you can still manage non-IdP users and groups directly in the Opti ID Admin Center:

  • Manually add collaborators or partners and groups.
    • You should manage your SSO users with an upstream IdP.
  • Assign a product instance to a group.
  • Assign roles to product instances.

Make the following changes only in your upstream IdP and let them flow downstream to Opti ID. Do not make these changes in the Opti ID Admin Center:

  • Edit users' first and last names. This causes a discrepancy between the IdP and Opti ID.
  • Edit group names or user memberships of groups provisioned from SCIM to Opti ID. This causes out-of-sync group assignments for your SSO users. Instead, create separate groups for collaborators or partners in Opti ID, because those are not managed by SCIM provisioning.
  • Delete users and groups. This makes that resource unavailable for updates from the IdP.

The following groups are reserved only for internal Opti ID use. Do not link them to your Opti ID SCIM application:

  • Everyone
  • Admin Center Administrators

Troubleshoot

PingOne's audit log records system events related to your organization, providing an audit trail that you can use to understand platform activity and diagnose problems. You should start with PingOne's audit log when troubleshooting issues related to your Opti ID SCIM provisioning in PingOne.

Frequently Asked Questions (FAQ)

If your organization is already onboarded to Opti ID using SSO and JIT, what happens to existing users when your organization switches to using SCIM?

Existing users are not affected. Users created in the Opti ID Admin Center are mapped to their newly assigned groups from the upstream IdP during SCIM provisioning.

If your organization is already onboarded to Opti ID using SSO and JIT, what happens to existing groups when your organization switches to using SCIM?

Opti ID has three group types. See Manage groups for the list of group types and their descriptions.

If your organization wants to manage users with groups that have the same name as previously created Custom groups in Opti ID, then you must delete those groups in Opti ID before enabling SCIM provisioning.

You cannot delete Product user groups in Opti ID. When you enable SCIM, any group you create in your IdP cannot have the same name as a Product group in Opti ID. You must pick a different name (for example, Opti_SCIM_<existing-Product-user-group-name>) and assign that SCIM group the same access that the corresponding group has in Opti ID. After you enable SCIM, do not use the previously defined Product groups.
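The naming rules in this FAQ and the reserved-group list above are easy to get wrong when you select groups under Group Provisioning, and a collision only surfaces after the first push. The function below is an added example, not Optimizely's code: it takes the IdP group names you intend to push and the groups already present in Opti ID, and reports which are blocked (reserved), which must be renamed with the Opti_SCIM_ prefix (Product group collision), and which require deleting a Custom group first. The group lists are constructed sample data, and the "Product" and "Custom" type labels are the page's own group-type names used here as plain strings.

```python
"""Group-name pre-flight check before enabling SCIM group push to Opti ID.

Added example, not Optimizely's code. Rules applied, all from the page:
  * Everyone and Admin Center Administrators are reserved; never link them.
  * An IdP group cannot share a name with an Opti ID Product user group;
    use a prefixed name such as Opti_SCIM_<name> with the same access instead.
  * An IdP group colliding with an existing Custom group requires that Custom
    group to be deleted in Opti ID before SCIM is enabled.
"""

RESERVED_GROUPS = {"Everyone", "Admin Center Administrators"}  # from the page
SCIM_PREFIX = "Opti_SCIM_"                                       # from the page


def check_groups(idp_groups, opti_groups):
    """Return a list of (idp_group, verdict, recommended_action) tuples.

    idp_groups:  names selected under Group Provisioning in PingOne.
    opti_groups: {name: type} as seen in the Opti ID Admin Center, where type
                 is "Product" or "Custom" (constructed labels for this example).
    Names are compared case-insensitively so that 'marketing' and 'Marketing'
    are treated as a collision rather than silently creating a near-duplicate.
    """
    existing = {name.casefold(): (name, kind) for name, kind in opti_groups.items()}
    reserved = {name.casefold() for name in RESERVED_GROUPS}
    report = []
    for group in idp_groups:
        key = group.casefold()
        if key in reserved:
            report.append((group, "blocked",
                           "reserved for internal Opti ID use; remove it from the SCIM app"))
        elif key in existing and existing[key][1] == "Product":
            report.append((group, "rename",
                           f"rename the IdP group to {SCIM_PREFIX}{existing[key][0]} "
                           "and grant it the same access as the Product group"))
        elif key in existing:  # same name as a Custom group
            report.append((group, "delete-first",
                           f"delete Custom group '{existing[key][0]}' in Opti ID "
                           "before enabling SCIM provisioning"))
        else:
            report.append((group, "ok",
                           "no collision; the group push will create it as an internal group"))
    return report


def blocking_issues(report):
    """Verdicts that must be resolved before the rule is toggled on."""
    return [entry for entry in report if entry[1] in ("blocked", "delete-first")]


if __name__ == "__main__":
    # Constructed sample inputs.
    idp_selection = ["Everyone", "Marketing", "Content Editors", "Partners"]
    opti_existing = {"Marketing": "Product", "Content Editors": "Custom"}
    for group, verdict, action in check_groups(idp_selection, opti_existing):
        print(f"{group:20} {verdict:13} {action}")
```

Run it as a script and fix every "blocked" and "delete-first" entry before step 25 (Group Provisioning); "rename" entries can be fixed in the IdP by creating the prefixed group and moving members into it.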