User Update with SCIM Protocol


The Cyberguru platform needs to store customer user information in order to provide all Awareness, Channel, and Phishing services. User information must be created, updated, and deleted.

The exchange of such information can occur in different modes. This article outlines the prerequisites and configurations to enable this information exchange via the IdM SCIM protocol.

SCIM (System for Cross-domain Identity Management) is an open standard protocol (RFC 7643 and RFC 7644) designed to automate the exchange of user identity information between systems. SCIM simplifies the provisioning, removal, and management of user identities across different platforms using a consistent, standardized REST/JSON API. It helps ensure that user data, such as names, roles, and groups, is kept synchronized between the identity provider (the source of truth) and the service provider that consumes it, without manual account administration on the service side.

SCIM API Services offered by Cyberguru are as follows:

  • Create: Adding new users.

  • Update: Modifying user details.

  • Delete: Removing users*

*A SCIM delete does not erase the account: by default the user on the platform is suspended.

Prerequisites

1) The user profile in the Identity Provider must contain, and have populated, all the attributes used by the Cyberguru platform:

  • username

  • firstname

  • lastname

  • email

  • language

  • country

  • organization 1

  • ...

  • organization n

2) User authentication must occur via Single Sign-On (SAML 2.0).

Configuration

The configuration of SCIM services varies between Identity Management providers, but because SCIM is a standard protocol the same two values are needed in every case: Cyberguru provides the tenant URL (the SCIM endpoint) and a secret token that must be sent as a bearer credential with each SCIM call. The token has a validity period of one year; store it only in the Identity Provider's credential store, and plan its renewal before expiry, since provisioning stops silently once it is no longer accepted.

Example of Client-Side Configuration

Below is an example of client-side configuration with Microsoft Entra ID:

Create an enterprise application

Proceed to Manage -> Provisioning and configure:

Provisioning mode: "Automatic"

In the Admin Credentials section:

  • enter the tenant URL and the secret token provided by Cyberguru

  • run "Test Connection" and confirm it succeeds before saving

In the Mappings section:

  • Disable group provisioning: open "Provision Microsoft Entra ID Groups" and set "Enabled" to "No"

  • Open "Provision Microsoft Entra ID Users" and configure the user mapping:

    • Target object actions: check "Create", "Update", "Delete"

In Attribute Mappings configure:

  • required:

    • userName -> mail

    • active -> Switch([IsSoftDeleted], , "False", "True", "True", "False")
      (a soft-deleted Entra ID account is provisioned as inactive, i.e. suspended on the platform)

    • emails[type eq "work"].value -> userPrincipalName

    • externalId -> mail

    Note that both userName and externalId derive from "mail": every user in the provisioning scope must have a populated mail attribute, otherwise provisioning of that user fails.

  • supported, not required:

    • name.givenName

    • name.familyName

    • addresses[type eq "work"].country

    • phoneNumbers[type eq "work"].value

    • locale

To provision organizations, add one custom attribute mapping per organization:

  • check "Show advanced options"

  • click "Edit attribute list for customappsso"

  • scroll to the bottom of the attribute list and add, in the last row, an attribute named urn:ietf:params:scim:schemas:extension:Tags:2.0:User:[org-name], replacing [org-name] with the organization's name; Save and return to the "Attribute Mapping" section

  • click "Add New Mapping"

    • "Mapping type" -> Direct

    • "Source Attribute" -> the Entra ID attribute whose value should populate that organization

    • "Target attribute" -> urn:ietf:params:scim:schemas:extension:Tags:2.0:User:[org-name]

  • repeat for organization 1 through organization n
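The mapping procedure above, applied to one directory record, as an added Python illustration (not Cyberguru's or Microsoft's code). It models how the required mappings (userName and externalId from mail, active from the Switch expression on IsSoftDeleted, the work e-mail from userPrincipalName), the optional attributes, and one custom Tags extension attribute per organization turn an Entra ID record into the SCIM 2.0 User payload a client POSTs to the tenant URL. The sample record, the source attribute names for the optional fields (givenName, surname, country, telephoneNumber, preferredLanguage), the organization name "department" and its source attribute "extensionAttribute1", and the tenant URL are all assumptions made for the example.

```python
import json

CORE_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
TAGS_SCHEMA = "urn:ietf:params:scim:schemas:extension:Tags:2.0:User"

# Constructed sample of what Entra ID holds for one user. Attribute names are
# the directory attributes the mappings read from (assumed for the optional ones).
SAMPLE_ENTRA_USER = {
    "mail": "jane.doe@example.com",
    "userPrincipalName": "jane.doe@example.com",
    "givenName": "Jane",
    "surname": "Doe",
    "country": "IT",
    "telephoneNumber": "+39 02 1234567",
    "preferredLanguage": "it-IT",
    "IsSoftDeleted": "False",
    "extensionAttribute1": "Finance",  # assumed source for one organization
}

# Custom mappings added via "Edit attribute list for customappsso":
# [org-name] suffix of the Tags target -> Entra source attribute (assumed names).
ORG_MAPPINGS = {"department": "extensionAttribute1"}


def switch_is_soft_deleted(value):
    """Model of Switch([IsSoftDeleted], , "False", "True", "True", "False")."""
    table = {"False": True, "True": False}
    if value not in table:
        # The expression has an empty default branch, so any other value
        # leaves "active" undefined; fail loudly rather than provision an
        # account with an unknown state.
        raise ValueError(f"IsSoftDeleted has unmapped value {value!r}")
    return table[value]


def build_scim_user(record, org_mappings):
    """Apply the attribute mappings from the procedure above to one record."""
    # Required mappings: userName and externalId both come from "mail", so a
    # user without a mail attribute cannot be provisioned at all.
    mail = record.get("mail")
    if not mail:
        raise ValueError("mail is empty: userName/externalId cannot be set")
    user = {
        "schemas": [CORE_SCHEMA],
        "userName": mail,
        "externalId": mail,
        "active": switch_is_soft_deleted(record["IsSoftDeleted"]),
        "emails": [{"type": "work", "value": record["userPrincipalName"]}],
    }
    # Supported, not required: only emitted when the source is populated.
    name = {}
    if record.get("givenName"):
        name["givenName"] = record["givenName"]
    if record.get("surname"):
        name["familyName"] = record["surname"]
    if name:
        user["name"] = name
    if record.get("country"):
        user["addresses"] = [{"type": "work", "country": record["country"]}]
    if record.get("telephoneNumber"):
        user["phoneNumbers"] = [{"type": "work", "value": record["telephoneNumber"]}]
    if record.get("preferredLanguage"):
        user["locale"] = record["preferredLanguage"]
    # Organizations: one attribute per [org-name] under the Tags extension schema.
    tags = {org: record[src] for org, src in org_mappings.items() if record.get(src)}
    if tags:
        user["schemas"].append(TAGS_SCHEMA)
        user[TAGS_SCHEMA] = tags
    return user


def create_request(tenant_url, token, user):
    """The HTTP call a SCIM client makes to create the user (RFC 7644)."""
    return {
        "method": "POST",
        "url": tenant_url.rstrip("/") + "/Users",
        "headers": {
            "Authorization": "Bearer " + token,  # the one-year token from Cyberguru
            "Content-Type": "application/scim+json",
        },
        "body": json.dumps(user),
    }


if __name__ == "__main__":
    payload = build_scim_user(SAMPLE_ENTRA_USER, ORG_MAPPINGS)
    req = create_request("https://scim.example.invalid/v2", "<token>", payload)
    print(req["method"], req["url"])
    print(json.dumps(payload, indent=2))
```

Setting IsSoftDeleted to "True" on the sample record flips active to false, which is the update Entra sends when an account is soft-deleted and the reason a "Delete" on the platform side shows up as a suspended user rather than a removed one.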