
Provision users and groups into IDaaS

Use this procedure to provision users and groups into IDaaS from a third-party application acting as a SCIM 2.0 client, such as Microsoft Entra ID. Once configured, changes to user and group information in the third-party application are propagated to the users that are mapped to IDaaS.

Mandatory SCIM attributes for user provisioning

When provisioning users through SCIM, the following attributes are mandatory and must be included in the SCIM user payload:

Required attributes

  • userName - Unique identifier for the user within the SCIM domain. This is typically the user's email address or username. The userName is mapped to userId in IDaaS.

Conditionally required attributes

The following attributes are mandatory only if they are marked as Attribute is required in IDaaS:

  • name.givenName - The user's First Name attribute.
  • name.familyName - The user's Last Name attribute.
  • emails - An array containing the user's Email address. IDaaS accepts only one email address; a payload with more than one email entry is rejected.
  • phoneNumbers - An array containing phone number objects. Each phone number object can include value, type, and primary fields. IDaaS maps phone numbers as follows:
    • If type is "mobile", the Mobile attribute is set in IDaaS
    • If type is "phone", the Phone attribute is set in IDaaS
    • If type is not defined:
      • If primary is true, the number is treated as Mobile
      • Otherwise, the number is treated as a Phone number

Optional attributes

  • active - Boolean value indicating whether the user account is active. If not provided, this attribute defaults to true.

Example SCIM user payload structure

{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "jdoe@example.com",
  "name": {
    "familyName": "Doe",
    "givenName": "John"
  },
  "emails": [
    {
      "value": "jdoe@example.com"
    }
  ],
  "active": true,
  "phoneNumbers": [
    {
      "value": "+12015550123",
      "type": "mobile"
    },
    {
      "value": "+12015550124",
      "type": "phone"
    }
  ]
}
warning

Users cannot be provisioned successfully unless all IDaaS mandatory attributes are provided. Ensure your SCIM client is configured to provide all required fields.
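The rules above (mandatory userName, at most one email, the phoneNumbers type/primary mapping, active defaulting to true) are easy to get wrong in a SCIM client's attribute mapping. The following added example, which is not IDaaS code, pre-checks a SCIM user payload against those documented rules and shows which IDaaS attributes it would populate. The `required_in_idaas` set is an assumption standing in for whichever attributes an administrator has marked "Attribute is required" in IDaaS; the sample payload is the one shown above.

```python
"""Pre-check a SCIM 2.0 user payload against the IDaaS rules documented on this page.
Added example, not IDaaS code. `required_in_idaas` models which attributes are marked
"Attribute is required" in the tenant (an assumption made for the example)."""

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed sample: the example user payload from this page.
EXAMPLE_USER_PAYLOAD = {
    "schemas": [SCIM_USER_SCHEMA],
    "userName": "jdoe@example.com",
    "name": {"familyName": "Doe", "givenName": "John"},
    "emails": [{"value": "jdoe@example.com"}],
    "active": True,
    "phoneNumbers": [
        {"value": "+12015550123", "type": "mobile"},
        {"value": "+12015550124", "type": "phone"},
    ],
}


def map_phone_numbers(phone_numbers):
    """Documented mapping: type "mobile" -> Mobile, type "phone" -> Phone,
    no type -> Mobile when primary is true, otherwise Phone."""
    mapped = {}
    for entry in phone_numbers or []:
        value = entry.get("value")
        if not value:
            continue
        kind = entry.get("type")
        if kind == "mobile":
            target = "Mobile"
        elif kind == "phone":
            target = "Phone"
        elif kind is None:
            target = "Mobile" if entry.get("primary") is True else "Phone"
        else:
            # The page defines no other types; report it instead of guessing.
            raise ValueError(f"unsupported phoneNumbers type: {kind!r}")
        mapped[target] = value
    return mapped


def validate_and_map_user(payload, required_in_idaas=frozenset()):
    """Return (errors, idaas_attributes). An empty error list means the payload
    satisfies the documented rules; idaas_attributes shows what would be set."""
    errors, attrs = [], {}

    if SCIM_USER_SCHEMA not in payload.get("schemas", []):
        errors.append("schemas must include the core User schema")

    user_name = payload.get("userName")
    if not user_name:
        errors.append("userName is mandatory")
    else:
        attrs["userId"] = user_name  # userName is mapped to userId in IDaaS

    name = payload.get("name") or {}
    for scim_attr, idaas_attr in (("givenName", "First Name"), ("familyName", "Last Name")):
        value = name.get(scim_attr)
        if value:
            attrs[idaas_attr] = value
        elif f"name.{scim_attr}" in required_in_idaas:
            errors.append(f"name.{scim_attr} is required in IDaaS but missing")

    emails = payload.get("emails") or []
    if len(emails) > 1:
        errors.append("IDaaS accepts only one email address")
    elif len(emails) == 1 and emails[0].get("value"):
        attrs["Email"] = emails[0]["value"]
    elif "emails" in required_in_idaas:
        errors.append("emails is required in IDaaS but missing")

    try:
        phones = map_phone_numbers(payload.get("phoneNumbers"))
    except ValueError as exc:
        errors.append(str(exc))
        phones = {}
    attrs.update(phones)
    if "phoneNumbers" in required_in_idaas and not phones:
        errors.append("phoneNumbers is required in IDaaS but missing")

    attrs["active"] = payload.get("active", True)  # defaults to true when absent
    return errors, attrs
```

Running `validate_and_map_user(EXAMPLE_USER_PAYLOAD, {"name.givenName", "emails"})` yields no errors and maps the two numbers to Mobile and Phone; feeding it a payload with two email entries produces the "only one email address" error before anything reaches IDaaS.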

SCIM attributes for group provisioning

When provisioning groups through SCIM, the following attributes can be included in the SCIM group payload:

Required attributes

  • displayName - The name of the group. This is mapped to the group name in IDaaS.

Optional attributes

  • members - An array containing group member objects. Each member object includes:
    • value - The unique identifier (userName) of the user to be added to the group

Example SCIM group payload structure

{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
  "displayName": "Marketing Team",
  "members": [
    {
      "value": "jdoe@example.com"
    },
    {
      "value": "jsmith@example.com"
    }
  ]
}
note

Group provisioning allows you to create groups and assign users as members. The users referenced in the members array must already exist in IDaaS or be provisioned before the group creation.

warning

If a group with the same displayName already exists in IDaaS, the SCIM server returns a 409 Conflict error. Ensure the group name is unique before attempting to provision it.
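The two constraints above (members must already exist in IDaaS, and a duplicate displayName is answered with 409 Conflict) are the usual reasons a group push fails. The following added example, which is not IDaaS code, models them so a client can check a group payload before sending it; the in-memory `existing_users` and `existing_groups` stores stand in for the tenant (an assumption), and the 400 status used for a malformed payload or unknown member is the example's own choice, not a documented IDaaS response.

```python
"""Model the documented IDaaS group-provisioning rules. Added example, not IDaaS code.
The in-memory stores represent the tenant (assumption); 409 for a duplicate displayName
is documented, the 400 responses are this example's choice."""

SCIM_GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"

# Constructed sample: the example group payload from this page.
EXAMPLE_GROUP_PAYLOAD = {
    "schemas": [SCIM_GROUP_SCHEMA],
    "displayName": "Marketing Team",
    "members": [{"value": "jdoe@example.com"}, {"value": "jsmith@example.com"}],
}


def missing_members(payload, existing_users):
    """Return member values that are not yet provisioned in IDaaS (must be empty
    before the group is created)."""
    members = [m.get("value") for m in payload.get("members") or []]
    return [m for m in members if m not in existing_users]


def provision_group(payload, existing_users, existing_groups):
    """Simulate the SCIM server's answer: (status, body).
    201 on success, 409 when displayName already exists, 400 otherwise (assumed)."""
    if SCIM_GROUP_SCHEMA not in payload.get("schemas", []):
        return 400, {"detail": "schemas must include the core Group schema"}

    display_name = payload.get("displayName")
    if not display_name:
        return 400, {"detail": "displayName is required"}

    # Documented: duplicate group name -> 409 Conflict
    if display_name in existing_groups:
        return 409, {"detail": f"group {display_name!r} already exists"}

    # Documented: members must already exist in IDaaS
    missing = missing_members(payload, existing_users)
    if missing:
        return 400, {"detail": "members not provisioned in IDaaS: " + ", ".join(missing)}

    members = sorted(m["value"] for m in payload.get("members") or [])
    existing_groups[display_name] = set(members)
    return 201, {"displayName": display_name, "members": members}
```

Provisioning the example group once against a tenant that already holds both users succeeds; a second push of the same displayName is answered with 409, and a payload naming a user that has not been provisioned is rejected before any group is created.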

Provision users and groups into IDaaS from another service

  1. Create an Administration API application in IDaaS, assign the API the SCIM Provisioning role and generate a long-lived token. See Integrate Administration API.

    note

    When creating an Administration API for SCIM provisioning, assign the SCIM Provisioning role to the Admin API.

  2. Copy and paste from the Administration API the long-lived token to a text file such as Notepad.

  3. Make note of your IDaaS Tenant URL and add it to the text file.

    note

    The IDaaS SCIM endpoint is /api/web/scim/v2

    Example: https://mycompany.us.trustedauth.com/api/web/scim/v2

  4. Open your SCIM 2.0 client.

  5. Locate the provisioning section of your SCIM 2.0 client.

  6. Copy and paste, where required, the long-lived token and IDaaS tenant URL.

  7. Save your inbound SCIM application.