Overview
System for Cross-Domain Identity Management (SCIM) is an open standard protocol used to automate the exchange of user and group information between identity providers and enterprises. With SCIM, users added to the identity management system have their accounts automatically created in VIDIZMO. User attributes and profiles are synchronized between the two systems, updating or removing users based on user status or role changes.
VIDIZMO offers a SCIM 2.0 REST API so that the pain of working with proprietary user management APIs or products can be reduced or eliminated. Whether you are an independent software vendor (ISV), an existing OKTA user, or an IT systems administrator, knowing how to set up and test your application and API endpoints is essential to successfully deploying an OKTA integration using SCIM Provisioning.
Before you start
- Make sure you are logged in with the Manager+ role in VIDIZMO so that you can configure the SCIM Provisioning App in VIDIZMO.
- Before provisioning users and groups from Okta through the SCIM protocol, make sure you have an OKTA IDP account so that you can configure the General Settings and any Sign-On Options for the VIDIZMO Application in OKTA.
Configuration Steps
VIDIZMO Configuration
Following are the steps to configure OKTA Provisioning in VIDIZMO:
1. Log in to the VIDIZMO portal and from the Portal's Homepage:
- Click on the Navigation menu on the left corner of the page.
- In the Admin tab, open the Portal Settings page.
2. From the Portal Settings page:
- Click on Apps option to expand it.
- Navigate to the Provisioning Tab, and click to open it.
- Navigate to the Configuration icon, and click to open it.
3. To enable the SCIM app, first perform the following actions:
i. Select a default role.
Note: The default role is the role that will be assigned to users by default at the time of provisioning from Okta if you have not explicitly defined any roles.
ii. Click on Add New to generate an API key against your domain for authorization purposes.
4. You need to provide the expiry date to generate an API Key.
Note: Provisioning and de-provisioning management from Okta will be revoked once the expiry date has passed.
5. Copy the generated API token to the clipboard and save the changes using the Save Changes button.
Note: This API Key will be used during the configuration of API Integration in Okta.
6. If you want to set rules for automatic role assignment for users belonging to specialized groups, refer to the article How to Configure Rules for Automatic Role Assignment using SCIM.
7. Enable the app by clicking on the toggle button.
Note: A notification will appear stating "Portal Information Updated Successfully"
OKTA Configuration
Take the following steps in the Okta account to build a connection with the VIDIZMO portal and implement user provisioning in VIDIZMO.
1. In Okta search for SCIM 2.0 Test App (OAuth Bearer Token) and complete the following configuration steps:
- Click on the Applications in the Application tab.
- Navigate to the Add Application option.
- Search SCIM 2.0 Test App (OAuth Bearer Token) and add it.
2. Now, in the Provisioning Tab:
- Click on Integration from the settings menu.
- Select the Configure API Integration box.
3. Check the Enable API Integration option and follow these steps:
- For Base URL, follow the convention https://{yourtenantdomainURL}/api/v1/SCIM/SCIMOkta.
- For API Token, enter the value generated above from the clipboard.
- Click the Test API Credentials button.
- Save the configuration if the configuration is successful.
Note: SCIM Provisioning is supported on portals created on sub-domains. To learn more about domain options in VIDIZMO, see Understanding Domain Options for a Portal (VIDIZMO Helpdesk).
4. Now, select the To App option in the left-hand menu in the Provisioning Tab and select the Provisioning Features that need to be enabled.
Provisioning
User(s)
The following steps manage provisioning of users in your Okta directory to the VIDIZMO portal.
Add
To add users to the VIDIZMO portal, follow these steps:
From the Assignments Tab:
- Click on the Assign option in order to start assigning users to the SCIM 2.0 App.
- Select Assign to People option and select users from the directory to assign them.
Bulk Add
Another way to assign users to an application in Okta, in bulk, is as follows:
i. In the Application Tab, click on the Assign Applications button.
ii. Select the users that you want to assign or simply check all the users that are present in your Okta directory.
iii. Select the Application name from the applications tab that you want your users to be assigned to.
iv. Click on Next to confirm the assignments.
Edit
SCIM also provides the ability to update user profile information. To do so, follow these steps:
i. In the Assignments Tab, click on the name of the user whose profile information you wish to update.
ii. Navigate to the Profile tab and click on Edit.
iii. The profile information that can be edited is Email, First Name and Last Name.
Group(s)
Follow these steps to provision groups from Okta to the VIDIZMO Portal.
Add
To add groups to the VIDIZMO portal from Okta, follow these steps:
1. For pushing groups to VIDIZMO Portal:
- Navigate to the Push Groups tab in the SCIM App in OKTA.
- Click on Push Groups and select the group you want to push to VIDIZMO Portal.
2. Now, you need to assign that pushed group in the Assignments Tab:
i. Click on the Assign button and select Assign to Groups from the drop-down menu.
Note: Assign to Groups is a very important step for all the users that are part of the pushed group to appear in the VIDIZMO Portal.
ii. Search for the group that you need to assign to the SCIM 2.0 App.
iii. Click on the Assign button
iv. Click on the Save button and check if it appears in the list.
Edit
Currently, the only group edit supported in VIDIZMO is the name of the group.
By clicking the name of the group you will be navigated to the following screen:
- Update the name of the group.
- Click the tick button to save the changes.
De-Provisioning
User(s)
To deactivate users from the VIDIZMO Portal, follow these steps:
i. Click on the cross sign; a confirmation modal will pop up.
ii. Confirm the deactivation of the user by clicking OK.
Group(s)
To delete groups from the VIDIZMO Portal, follow these steps:
i. Click on the bulk edit button on the Push Groups screen.
ii. Select any group that you wish to delete.
Limitations
- Users cannot be permanently deleted from VIDIZMO; they will be deactivated instead. A deactivated user can be reactivated. When a user is deactivated via SCIM, VIDIZMO immediately disables their membership to their account, ensuring that their access is immediately revoked. The user is treated as an anonymous user in the VIDIZMO portal.
- Provisioned users cannot change their user profile information because they are treated as Federated Users in the VIDIZMO portal.
- Provisioning and deprovisioning can be enabled only on portals that are created under the subdomain policy. Learn more about domain options in VIDIZMO from Understanding Domain Options for a Portal
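An added example, not part of the original article or VIDIZMO's own code: because provisioning and de-provisioning stop once the API key expires, and users are deactivated rather than deleted, a periodic check can compare active portal accounts with Okta assignments and flag an ageing key. It assumes the endpoint answers a standard SCIM 2.0 `GET /Users` with an RFC 7644 ListResponse; `portal.example.com`, the sample users, the dates and the function names are constructed for illustration.

```python
import json
from datetime import date

LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

def users_request(tenant_domain, api_key, start_index=1, count=100):
    """Describe (without sending) the SCIM GET /Users call on the article's base URL."""
    base = f"https://{tenant_domain}/api/v1/SCIM/SCIMOkta"
    return {"method": "GET",
            "url": f"{base}/Users?startIndex={start_index}&count={count}",
            "headers": {"Authorization": f"Bearer {api_key}",
                        "Accept": "application/scim+json"}}

def audit(list_response, okta_assigned, key_expiry, today, warn_days=14):
    """Compare active portal accounts with Okta assignments and check API key age."""
    doc = json.loads(list_response)
    if LIST_SCHEMA not in doc.get("schemas", []):
        raise ValueError("not a SCIM 2.0 ListResponse")
    resources = doc.get("Resources", [])
    # userName is case-insensitive in SCIM; a missing "active" is treated as
    # active so the audit errs toward reporting an account (assumption).
    active = {r["userName"].lower() for r in resources if r.get("active", True)}
    assigned = {u.lower() for u in okta_assigned}
    days_left = (key_expiry - today).days
    status = "expired" if days_left < 0 else "expiring" if days_left <= warn_days else "ok"
    return {
        "orphaned": sorted(active - assigned),         # active in portal, unassigned in Okta
        "not_provisioned": sorted(assigned - active),  # assigned in Okta, not active in portal
        "page_complete": doc.get("totalResults", len(resources)) == len(resources),
        "key_status": status,
    }

# Constructed sample data: a ListResponse as the portal is assumed to return it.
SAMPLE_RESPONSE = json.dumps({
    "schemas": [LIST_SCHEMA], "totalResults": 3,
    "Resources": [
        {"id": "1", "userName": "Alice@example.com", "active": True},
        {"id": "2", "userName": "bob@example.com", "active": False},
        {"id": "3", "userName": "carol@example.com"},
    ]})
SAMPLE_ASSIGNED = ["alice@example.com", "dave@example.com"]

if __name__ == "__main__":
    print(users_request("portal.example.com", "<API_KEY>")["url"])
    print(audit(SAMPLE_RESPONSE, SAMPLE_ASSIGNED, date(2024, 6, 10), date(2024, 6, 1)))
```

If `page_complete` is false, request further pages by raising `start_index` before trusting the `orphaned` list.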