You can configure a PingOne integration that uses System for Cross-domain Identity Management (SCIM) for provisioning. This securely automates and manages user identity information, such as user and group creation, updates, and deactivation between PingOne and Opti ID.
User and group provisioning with SCIM lets you manage your organization’s users and groups in one place and have those users and groups populate in Opti ID. Provisioning prevents the need to create a duplicate set of users and groups in Opti ID that already exist in your identity management service.
With Opti ID and SCIM, users and groups are first set up in your identity provider and then provisioned to Opti ID. After you set up SCIM provisioning, changes you make to users and groups at the source identity provider sync down to Opti ID using the SCIM protocol. You should not edit users and groups that SCIM provisioned into Opti ID directly in Opti ID. Instead, make changes to the users and groups at the source identity provider, so you can sync these changes downstream into Opti ID with SCIM.
Prerequisites
- Configure single sign-on (SSO). If you intend to use your identity provider (IdP) for provisioning and SSO, the best practice is to use two separate apps in your IdP: one to manage the SCIM integration and one to manage the SSO integration.
- Decide to use just-in-time (JIT) or SCIM for user and group provisioning. You cannot use JIT and SCIM at the same time. Default SSO in Opti ID uses JIT provisioning. Choosing SCIM automatically opts you out of JIT provisioning. Contact Optimizely Support to configure your SCIM organization.
- You must be in the Admin Center Administrators group in the Opti ID Admin Center.
- You must have administrator rights in your IdP account.
Supported provisioning features
Opti ID supports the following SCIM provisioning features:
- Push users – Users that you assign to the Opti ID SCIM application in your IdP are automatically added as users in Opti ID.
- Update user attributes – When you update user attributes in your IdP (like first and last names), they are updated in Opti ID.
- Deactivate users – When you deactivate users in your IdP or unassign them from the Opti ID application, they are deleted in Opti ID. Opti ID deprovisions by deleting rather than disabling, which is why the connection settings below leave Allow Users to be Disabled off and select Allow Users to be Deprovisioned.
- Push groups – Groups and their users in your IdP are pushed to Opti ID.
Add an attribute in PingOne
- Go to Attributes and click the Add (+) icon to add an attribute in your PingOne admin console.
- Select Declared for the attribute type, then click Next.
- Enter a Name for the attribute, then click Save to finish creating the attribute.
- Add this newly created attribute to users you want to sync with Opti ID.
Configure SCIM provisioning in PingOne
- Request your SCIM token from Optimizely Support. You need it for the Oauth Access Token field when you configure the connection below. Treat the token as a privileged credential: anyone who holds it can create, update, and delete users and groups in your Opti ID organization through the SCIM API. Store it only in the PingOne connection or a secrets manager, never in tickets, chat, or source control, and contact Optimizely Support if you suspect it has been exposed. It is your responsibility to keep this token secure.
- Go to Integrations > Provisioning in PingOne.
- Click the Add (+) icon, then select New Connection to create a provisioning connection.
- Click Select for Identity Store.
- Select SCIM Outbound, then click Next.
- Enter a Name, then click Next.
- Complete the following information:
- SCIM Base URL – Enter https://identity-api.optimizely.com/api/scim/v2.
- SCIM Version – Enter 2.0.
- Authentication Method – Select OAuth 2 Bearer Token.
- Oauth Access Token – Paste the token you received from Optimizely Support.
- Auth Type Header – Select Bearer.
- Users Resource – Enter /Users.
- Groups Resource – Enter /Groups.
- Click Test Connection to test whether the integration can connect to the SCIM API. If there are errors, ensure your base URL and API token are correct and try again.
- Click Next after you confirm the API connection works.
- Complete the following information if it is not already pre-filled, then click Save to finish creating the connection.
- User Filter Expression – Enter username Eq "%s".
- User Identifier – Enter userName.
- Allow Users to be Created – Select this checkbox.
- Allow Users to be Updated – Select this checkbox.
- Allow Users to be Disabled – Leave this toggled off.
- Allow Users to be Deprovisioned – Select this checkbox.
- Deprovision on Rule Deletion – Toggle this on.
- After you create the connection, you should be taken back to the Integrations > Provisioning page.
- Go to the Connections tab, select the SCIM connection you just created, and toggle the connection on.
- Go back to Integrations > Provisioning.
- Click the Add (+) icon, then select New Rule.
- Enter a Name, then click Create Rule.
- Click the Add (+) icon on the Configuration tab for the SCIM connection you created. This adds the SCIM connection to your rule.
- Click Save.
- After you save the connection, you should be taken back to the Integrations > Provisioning page.
- Go to the Rules tab and click the SCIM icon for the rule you just created to open the configuration window.
- Click User Filter, then click the Edit icon to edit the filter.
- Add the following user filter, then click Save.
- Attribute – Select the attribute you created in the Add an attribute in PingOne section.
- Operator – Select Equals.
- Value – Enter true.
- Click Attribute Mapping, then click the Edit icon to edit the mapping.
- Make the following changes, then click Save.
- Delete the Email Address and Primary Phone attributes.
- Expand the Username drop-down list in the PingOne Directory column and select Email Address.
- Click Group Provisioning, then click Add Groups.
- Select the groups you want to sync with Opti ID, then click Save.
- Toggle the rule on.
- This initiates the sync to Opti ID. The results display in PingOne when it is complete.
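The following Python script is an added illustration for this article, not PingOne's or Optimizely's own code, of what the connection and rule configured above do on the wire. It builds the lookup that the User Filter Expression produces (SCIM attribute names and operators are case-insensitive, so userName eq and username Eq are the same filter), applies the Username to Email Address attribute mapping, and reconciles a constructed set of PingOne users against the users the rule provisioned on earlier runs to decide which POST, PATCH, and DELETE requests follow, matching the push, update, and deprovision behaviour listed under Supported provisioning features. It makes no network calls; the declared attribute name optiIdSync and all users are assumptions made for the example.

```python
"""Added example: what the PingOne outbound SCIM rule does on the wire.
Illustrative code for this article, not PingOne's or Optimizely's own.
Makes no network calls; all users below are constructed sample data."""
from urllib.parse import quote

SCIM_BASE = "https://identity-api.optimizely.com/api/scim/v2"   # from the article
FILTER_TEMPLATE = 'userName eq "%s"'                               # User Filter Expression
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def scim_quote(value: str) -> str:
    """Escape a value for a SCIM filter string literal. RFC 7644 filter
    literals are JSON strings, so backslash and double quote must be
    escaped; otherwise a userName containing a quote would rewrite the
    filter instead of being matched by it."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def lookup_request(user_name: str, token: str) -> dict:
    """The lookup PingOne performs before deciding create vs update:
    GET /Users?filter=userName eq "<user>" with the bearer token.
    Never log the returned headers; the token is the whole credential."""
    filt = FILTER_TEMPLATE % scim_quote(user_name)
    return {
        "method": "GET",
        "url": f"{SCIM_BASE}/Users?filter={quote(filt, safe='')}",
        "headers": {"Authorization": f"Bearer {token}",
                    "Accept": "application/scim+json"},
    }


def to_scim_user(idp_user: dict) -> dict:
    """Attribute mapping from the article: userName comes from the
    PingOne Email Address; email and phone are not mapped separately."""
    return {
        "schemas": [USER_SCHEMA],
        "userName": idp_user["email"],
        "name": {"givenName": idp_user["givenName"],
                 "familyName": idp_user["familyName"]},
        "active": True,
    }


def plan_changes(idp_users: list, provisioned: dict, sync_attr: str = "optiIdSync") -> list:
    """Reconcile one sync run and return (method, path, body) tuples.

    idp_users:   PingOne directory records (constructed dicts here).
    provisioned: userName -> SCIM User this rule created on earlier runs,
                 i.e. the connector's own state. Users added by hand in
                 the Opti ID Admin Center are never in this map, so the
                 rule never updates or deletes them.
    sync_attr:   the declared attribute behind the rule's user filter
                 (Attribute Equals true); the name is assumed here.
    """
    in_scope = {u["email"]: to_scim_user(u)
                for u in idp_users if u.get(sync_attr) == "true"}
    ops = []
    for name, desired in in_scope.items():
        current = provisioned.get(name)
        if current is None:                               # Push users
            ops.append(("POST", "/Users", desired))
        elif current.get("name") != desired["name"]:      # Update user attributes
            patch = {"schemas": [PATCH_SCHEMA],
                     "Operations": [{"op": "replace", "path": "name",
                                     "value": desired["name"]}]}
            ops.append(("PATCH", f"/Users/{current['id']}", patch))
    for name, current in provisioned.items():
        if name not in in_scope:                          # Deprovision (delete)
            ops.append(("DELETE", f"/Users/{current['id']}", None))
    return ops


# Constructed sample data: three directory users, two already provisioned.
IDP_USERS = [
    {"email": "ana@example.com", "givenName": "Ana", "familyName": "Lima", "optiIdSync": "true"},
    {"email": "ben@example.com", "givenName": "Ben", "familyName": "Okoro", "optiIdSync": "true"},
    {"email": "cy@example.com", "givenName": "Cy", "familyName": "Park", "optiIdSync": "false"},
]
PROVISIONED = {
    "ben@example.com": {"id": "b1", "userName": "ben@example.com",
                        "name": {"givenName": "Benjamin", "familyName": "Okoro"}},
    "dee@example.com": {"id": "d1", "userName": "dee@example.com",
                        "name": {"givenName": "Dee", "familyName": "Singh"}},
}

if __name__ == "__main__":
    print(lookup_request('o"hara@example.com', "<token>")["url"])
    for method, path, body in plan_changes(IDP_USERS, PROVISIONED):
        print(method, path, body)
```

Two points carry over to the real integration. The `%s` in the filter expression is substituted with a directory value, so quoting matters: a value that is not escaped as a JSON string can change what the filter matches, which is why the lookup key should be a controlled attribute such as the email address rather than free text. And deprovisioning is driven by the connector's own record of what it created, which is the reason the article tells you to keep SCIM-managed groups and hand-managed collaborator groups separate: the rule deletes whatever it provisioned that later falls out of scope, and it cannot repair objects that were edited or deleted directly in the Opti ID Admin Center.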
User management in Opti ID
In addition to managing users and groups through your IdP, you can continue to manage non-IdP users and groups directly in the Opti ID Admin Center:
- Manually add collaborators or partners, and the groups that hold them.
- Assign a product instance to a group.
- Assign roles to product instances.
Manage your SSO users only through your upstream IdP.
Only make the following changes in your upstream IdP and let it flow downstream to Opti ID. Do not make these changes in the Opti ID Admin Center:
- Edit users' first and last names. This causes a discrepancy between the IdP and Opti ID.
- Edit group names and user memberships of groups provisioned from SCIM to Opti ID. This causes out-of-sync user assignments for your SSO users. Instead, create separate groups for collaborators or partners in Opti ID because those are not managed by SCIM provisioning.
- Delete users and groups. This makes that resource unavailable for updates from the IdP.
The following groups are reserved only for internal Opti ID use. Do not link them to your Opti ID SCIM application:
- Everyone
- Admin Center Administrators
Troubleshoot
PingOne's audit log records system events related to your organization, providing an audit trail that you can use to understand platform activity and diagnose problems. You should start with PingOne's audit log when troubleshooting issues related to your Opti ID SCIM provisioning in PingOne.
Frequently Asked Questions (FAQ)
If your organization is already onboarded to Opti ID using SSO and JIT, what happens to existing users when your organization is switched to using SCIM?
There will not be any issues with users created in the Opti ID Admin Center, as these users are mapped to newly assigned groups from the upstream IdP during SCIM provisioning.
If your organization is already onboarded to Opti ID using SSO and JIT, what happens to existing groups when your organization is switched to using SCIM?
If your organization wants to manage users with user groups with the same name as previously created in the Opti ID Admin Center, then you must delete those user groups in the Opti ID Admin Center before enabling SCIM provisioning.