Skip to main content

Privacera Documentation

Table of Contents

SCIM Server User-Provisioning on PrivaceraCloud

Note

Contact Privacera Support to request enabling this feature.

PrivaceraCloud can be configured to use the System for Cross-Domain Identity Management (SCIM) 2.0 protocol.

This allows external management and synchronization of your PrivaceraCloud data access users and groups.

After you connect your Identity Provider to your PrivaceraCloud account via SCIM, data user attributes and group memberships are managed in the Identity Provider, not in PrivaceraCloud.

Note

Data access users, groups, and roles can still be added in PrivaceraCloud, but users, groups, or roles created in PrivaceraCloud are not synchronized back to the Identity Provider.

SCIM server user provisioning does not apply to portal users (those who login to the portal).

Enable SCIM Server in PrivaceraCloud

  1. In your PrivaceraCloud account, navigate to Settings > Datasource

  2. Choose UserSync.

  3. Enter a name to identify the connector. Click Next.

  4. Copy the Endpoint URL.

    Enter a value for Username and Password. Save all three values: Endpoint URL, Username, and Password values as they will be used by your SCIM Client or Okta SCIM Client.

    Click Next.

  5. Users or groups specified in Inclusions are added to filters. Specify any user or group Exclusions and click Next.

  6. Base User Attributes maps identity attributes in the SCIM payloads to Privacera data access user attributes.

    • On the right the source fields for PrivaceraCloud users.

    • These value can be available from your Okta or other identity provider.

Okta Identity Provider Integration

For Okta SCIM client operations supported by PrivaceraCloud, see Supported Okta SCIM Client Operations.

Prerequisites

  1. Obtain user provisioning functionality for your Okta account. For details, see Okta Lifecycle Management.

  2. Resolve group name conflicts before syncing to your PrivaceraCloud account. Rename groups that have the same name in your identity provider and in your PrivaceraCloud account.

Recommendation: Before integrating your production users and groups, create a test account and group in Okta, such as privacera-test-users, and use those test values to confirm integration. When you are satisfied with the results, repeat the process using live production users and groups.

Integration Steps

Step 1. Enable SCIM API Integration in Okta

Be sure you have the Endpoint URL and the username and password you specified from Enable SCIM Server in PrivaceraCloud.

  1. Log in to Okta and add the PrivaceraCloud application.

  2. From the application, click the Provisioning tab.

  3. Click Configure API integration.

  4. Select Enable API integration.

  5. Enter the Endpoint URL that was generated for you, and the Username/Password you provided in your PrivaceraCloud account in Enable SCIM Server in PrivaceraCloud.

  6. Click Test API Credentials. If the test passes, click Save.

  7. Under Settings, click To App.

  8. Click Edit and select Enable for required options.

    Use this step to map user attributes or leave them with default settings.

  9. Click Save to apply the integration settings.

Step 2: Activate application features

  1. From the application, click the Provisioning tab.

  2. Click Edit.

  3. Click the Enable checkbox for Create Users and Update User Attributes.

  4. Click Save

Step 3. Verify Email Addresses

User provisioning in Okta relies on an email address to identify a user in PrivaceraCloud and consequently create or update a Privacera Cloud account. If the email address attribute for a user is inconsistent between the SAML SSO setting and the SCIM user provisioning setting in Okta, the user might end up with duplicate PrivaceraCloud accounts.

To avoid duplicate accounts, verify the email address attribute that maps to a user account is correct and used for both SAML SSO and SCIM user provisioning:

  1. From the User provisioning tab in Okta, note the field that maps to the Primary email attribute. The default is email,.

  2. Click the Sign on tab. From the Credentials details section, look for the Application username format setting. Okta passes this field from a user's account as the SSO email address when creating or linking an account.

    If Application username format specifies an old value (for example, the old email address is user1OLD@example.com for the specified attribute) but you have another attribute that stores the same user's email address user1NEW@example.com, the user might end up with duplicate accounts. Troubleshoot as follows: - Before you complete this step, ask the user to log in with their PrivaceraCloud account at least once. - If the user still ends up with duplicate accounts, contact PrivaceraCloud support with the user's email addresses.

  3. Make sure the Application username format is set to the same attribute specified as Primary email in the previous step.

  4. Make sure that Update application username is set to Create and update. Click Save to apply your changes.

  5. Click Update Now to push the change faster than the Okta automatic update.

Step 4. Push Groups

Privacera recommends using the group synchronization feature to automatically manage user privileges and licenses from your directory, instead of manually managing these from the organization.

This section describes how to configure group-based management.

Pushing a group to your PrivaceraCloud account pushes only the detail about a group, not details about users who are part of a group.

  1. In Okta, click the Push Groups tab and then By name.

    Select the group name, and click Save.

  2. Review to make sure all required groups have been pushed.

Step 5. Assign Users to the PrivaceraCloud Application in Okta

  1. In Okta, click the Assignments tab of the PrivaceraCloud application.

  2. Click Assign, then Groups. Select the group to assign.

  3. In the displayed dialog, these default values are used only if the user profile does not have them. All fields are optional.

    When you are done with this step, click Save and Go Back.

  4. In PrivaceraCloud, to verify that users and groups are synced, navigate to Access Manager > Users Groups and Roles.

Step 6. Write a Policy for Provisioned Users or Groups

Create a data access policy for the provisioned users or groups through PrivaceraCloud to finalize the integration verification.

  1. From your PrivaceraCloud Account, navigate to Access Management > Resource Policies.

  2. Select an application to write a policy over, such as Privacera Hive.

  3. Click Add Policy and enter the details as shown below.

  4. Verify the policy is in effect in your downstream application.

Supported Okta SCIM Client Operations

User Operations

The Privacera SCIM Server supports the following operations:

Operation

Notes

Create new user

A data access user is created in PrivaceraCloud Access Management -> Users. This account cannot be edited directly in PrivaceraCloud.

Link an existing user

If a user already exists in your PrivaceraCloud Account, it is automatically linked to the user in Okta. This account can no longer be edited directly in PrivaceraCloud.

Update user details

In PrivaceraCloud, you can update the display name and email address user attributes from your identity provider.

By default, a user's first and last names are combined to create the Display name. If Any display name entered in PrivaceraCloud overwrites the first and last name combination.

Deactivate user

Deactivate is also sometimes called "soft delete".

Deactivation has the following effects:

  • The user is marked as hidden.

  • The user is removed from all groups.

Important: the Privacera administrator must manually remove the deactivated user from all user-based policies.

If your policies are based on groups (not specific users), no changes to policies are needed, because the user has been removed from the groups. You need to manually change a policy only if the user is explicitly named in it.

Delete user

Delete the user manually in PrivaceraCloud.

Group Operations

Groups created manually and by default (for example, public) in your PrivaceraCloud account cannot be managed via SCIM.

You can only manage groups synced from Okta via SCIM.

Operation

Notes

Troubleshooting

Create group

The group is created as an read-only external group in PrivaceraCloud.

Update group membership

PrivaceraCloud external data access users in your PrivaceraCloud account are modified to support the group membership changes reflected in this SCIM operation.

If a synced group is empty, when pushing a group, make sure that the synchronized group does not have the same name as a default or manually created group in PrivaceraCloud.

Push group

An error will result if the group name already exists in your PrivaceraCloud account. For example, the group named "public" might conflict.

In your identity provider, rename the conflicting group with a name different from the PrivaceraCloud built-in group name and attempt to re-sync.

Delete group

Manually delete the user account in PrivaceraCloud. Not implemented via SCIM

Okta SCIM Server - Configure custom user attributes

PrivaceraCloud Configuration

These steps will configure the Usersync connector to accept additional user attribute(s).

  1. In the PrivaceraCloud portal, navigate to Settings -> Datasources -> Usersync connector.

  2. In the “Custom User Attributes” section, add the custom attribute(s).

  3. Save the configuration,

Okta Configuration

In Okta you will need to add application profile attributes and mappings.

  1. Login to Okta. Navigate to Applications.

  2. Select your PrivaceraCloud application.

  3. Then select "Provisioning (To App)".

  4. In the "Local Attribute Mappings" section, click "Go to Profile Editor".

  5. Click Add Attribute.

    Table 49. Attribute examples:

    Data type

    string

    Display name

    Title

    Variable name

    title

    External name

    title

    External namespace

    urn:ietf:params:scim:schemas:core:2.0:User

    Description

    User Title

    Enum

    Attribute length

    Attribute required

    Scope

    User Personal



  6. Click Mappings.

  7. Select "Okta User to PrivaceraCloud". For example:

    user.title

    title

For additional information, see the Okta documentation.

SCIM Server API

SCIM 2.0 clients can also connect directly with the Privacera SCIM Server via the REST API.

Follow the steps in Enable SCIM Server in PrivaceraCloud to obtain the direct URL, username, and password.

Use Basic Authentication (base64 encoded username and password) to authenticate each API request.

See SCIM 2.0 Specification for specific protocol and call schemas.

Supported SCIM REST API Requests

PrivaceraCloud supports the following requests:

GET - /Users
    - Params
        - startIndex
        - count
        - filter (Supports single filter for ‘eq’ operator on the following attributes: userName, givenName, firstName, active)

GET - /Users/{userId}

POST - /Users
    - Params
        - user (SCIM User JSON)

PUT - /Users/{userId}
    - Params
        - user (SCIM User JSON)

GET - /Groups
    - Params
        - startIndex
        - count
        - filter (Supports single filter for ‘eq’ operator on the following attributes: displayName)

GET - /Groups/{groupId}

POST - /Groups
    - Params
        - group (SCIM Group JSON)

PATCH - /Groups/{groupId}
    - Params
        - operations  (SCIM Operation list)   Supported Operations: 
                                op: replace
                                path:members
                                value:[{value: userId} … ]

                                op: remove
                                path: members[value eq “userId”]

                                op: add
                                path: members
                                value: [{value:userId} … ]