User Update with SCIM Protocol
The Cyberguru platform needs to store customer user information in order to provide all Awareness, Channel, and Phishing services. User information must be created, updated, and deleted.
The exchange of such information can occur in different modes. This article outlines the prerequisites and configurations to enable this information exchange via the IdM SCIM protocol.
Identity Management SCIM (System for Cross-domain Identity Management) is an open standard protocol designed to automate the exchange of user identity information between systems. SCIM simplifies the provisioning, removal, and management of user identities across different platforms using a consistent and standardized API. It helps ensure that user data, such as names, roles, and groups, are efficiently synchronized between identity providers and service providers.
SCIM API Services offered by Cyberguru are as follows:
Create: Adding new users.
Update: Modifying user details.
Delete: Removing users*
*The user on the platform will be suspended by default.
Prerequisites
1) The user profile in the Identity Provider must contain all the attributes used by the Cyberguru platform:
username
firstname
lastname
email
language
country
organization 1
...
organization n
2) User authentication occurs via Single Sign-On (SAML2)
Configuration
The configuration of SCIM services may vary among different Identity Management providers. As SCIM is a standard protocol, Cyberguru will provide the tenant URL and the token to be supplied with each SCIM call. The token has a validity period of one year.
Example of Client-Side Configuration
Below is an example of client-side configuration with Microsoft Entra ID:
Create an enterprise application
Proceed to Manage -> Provisioning and configure:
Provisioning mode: "Automatic"
In the Admin Credential Section
enter the tenant URL and the token provided by Cyberguru
Run "Test Connection"
In the Mapping section:
Disable group provisioning (open "Provision Microsoft Entra ID Groups" and set "Enabled" to "No")
In "Provision Microsoft Entra ID Users" configure the user mapping:
Target object actions: check "Create", "Update", "Delete"
In Attribute Mappings configure:
Required:
userName -> mail
active -> Switch([IsSoftDeleted], , "False", "True", "True", "False")
emails[type eq "work"].value -> userPrincipalName
externalId -> mail
Supported but not required:
name.givenName
name.familyName
addresses[type eq "work"].country
phoneNumbers[type eq "work"].value
locale
To provision organizations, add a custom attribute mapping:
check "Show advanced options"
click "Edit attribute list for customappsso"
scroll to the bottom of the attribute list and, in the last row, add an attribute of the form urn:ietf:params:scim:schemas:extension:Tags:2.0:User:[org-name], where [org-name] is the name of the organization; click Save and return to the "Attribute Mappings" section
click "Add New Mapping"
"Mapping type" -> Direct
"Source attribute" -> the Entra ID attribute whose value identifies the user's organization
"Target attribute" -> urn:ietf:params:scim:schemas:extension:Tags:2.0:User:[org-name]
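As an added example (not Cyberguru's own code), this shows how the service-provider side could map the user payload Entra ID sends under the mapping above onto the attributes listed under Prerequisites. It assumes the Tags extension arrives as a JSON object keyed by org-name, that "locale" carries the platform's "language", and that active=false is what the platform turns into a suspension.

```python
# Added example (not Cyberguru's own code): map an Entra ID SCIM payload onto the
# attributes listed under Prerequisites. Assumptions: the Tags extension arrives as a
# JSON object keyed by org-name, "locale" carries "language", active=false means suspend.
TAGS_SCHEMA = "urn:ietf:params:scim:schemas:extension:Tags:2.0:User"
REQUIRED = ("username", "firstname", "lastname", "email", "language", "country")

def _typed_value(items, type_name, key):
    """Emulate the SCIM filter [type eq "<type_name>"].<key> on a multi-valued attribute."""
    for item in items or []:
        if item.get("type") == type_name:
            return item.get(key)
    return None

def scim_to_platform_user(resource):
    """Return (record, missing): the platform user record and any prerequisite
    attributes absent from the payload, so the call can be rejected early."""
    name = resource.get("name", {})
    # RFC 7643 requires an extension URN to be declared in "schemas" before its attributes count
    tags = resource.get(TAGS_SCHEMA, {}) if TAGS_SCHEMA in resource.get("schemas", []) else {}
    record = {
        "external_id": resource.get("externalId"),
        "username": resource.get("userName"),
        "firstname": name.get("givenName"),
        "lastname": name.get("familyName"),
        "email": _typed_value(resource.get("emails"), "work", "value"),
        "language": resource.get("locale"),
        "country": _typed_value(resource.get("addresses"), "work", "country"),
        "phone": _typed_value(resource.get("phoneNumbers"), "work", "value"),
        # each key under the Tags extension is one organization mapping (org-name -> value)
        "organizations": {org: val for org, val in tags.items() if val},
        # a Delete from the IdP arrives as active=false; the platform suspends rather than deletes
        "status": "active" if resource.get("active", True) else "suspended",
    }
    missing = [k for k in REQUIRED if not record[k]]
    if not record["organizations"]:
        missing.append("organization")
    return record, missing

# Constructed sample payload in the shape Entra ID produces for the mapping above.
SAMPLE = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", TAGS_SCHEMA],
    "externalId": "jane.doe@example.com",
    "userName": "jane.doe@example.com",
    "active": False,
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"type": "work", "primary": True, "value": "jane.doe@example.com"}],
    "addresses": [{"type": "work", "country": "IT"}],
    "locale": "it-IT",
    TAGS_SCHEMA: {"department": "Finance", "site": "Milan"},
}
```

Running scim_to_platform_user(SAMPLE) yields a suspended record with two organizations and an empty missing list; a payload without the extension or the work e-mail is reported as incomplete instead of being silently stored.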