
Setup for SCIM Server UserSync connector

  • Enable Privacera UserSync:

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.privacera-usersync.yml config/custom-vars/
    

  • Enable the SCIM Server connector:

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.privacera-usersync.scimserver.yml config/custom-vars/
    vi config/custom-vars/vars.privacera-usersync.scimserver.yml
    

  • Edit the following properties:

    • SCIM_SERVER_CONNECTOR: The name of this connector

    • SCIM_SERVER_ENABLED: The enabled status of the connector (true/false)

    • SCIM_SERVER_USERNAME: The basic auth username

    • SCIM_SERVER_PASSWORD: The basic auth password

    • SCIM_SERVER_BEARER_TOKEN: The bearer token for auth to SCIM API

    • SCIM_SERVER_ATTRIBUTE_USERNAME_VALUE_EXTRACTFROMEMAIL: Extracts the username from the email address (true/false). By default, the username is mapped to "userName", which may contain an email address.

  • After configuration, deploy the changes using Privacera Manager.

To add a SCIM Server UserSync connector on Privacera Cloud, follow these steps:

  1. From the navigation menu, select Settings > UserSync Configuration.

  2. Choose a data source, click the dots icon, and select Add Application.

  3. From the Application List section, select USERSYNC.

  4. From the Service Type dropdown, select SCIM-Server (System for Cross Identity Management - Server Endpoint).

  5. In the Connector Name field, enter a name for the connector.

  6. Click Next.

  7. Copy the Endpoint URL of the SCIM server; you will need it when configuring provisioning in the external service.

  8. Select the desired authentication type: Basic or Bearer Token.

  9. Enter Username and Password or Bearer Token.

  10. Complete each step and advance through the pages of the configuration wizard.

  11. Complete all BASIC values, then review and update ADVANCED values as required.

    Username Attribute Modification

    Some services provide the username in the form of an email address. If the username should be only the first part of the email address, open the Advanced tab of the Base User Attributes section and set the Username Attribute field to Extract from email.

  12. Click FINISH.

For additional details, see Advanced Configuration.

Integrating SCIM Server

Okta

Okta Identity Provider Integration

For Okta SCIM client operations supported by PrivaceraCloud, see Supported Okta SCIM Client Operations.

Prerequisites

  1. Obtain user provisioning functionality for your Okta account. For details, see Okta Lifecycle Management.

  2. Resolve group name conflicts before syncing to your PrivaceraCloud account. Rename groups that have the same name in your identity provider and in your PrivaceraCloud account.

Recommendation: Before integrating your production users and groups, create a test account and group in Okta, such as privacera-test-users, and use those test values to confirm integration. When you are satisfied with the results, repeat the process using live production users and groups.

Integration Steps

Step 1. Enable SCIM API Integration in Okta

  1. Log in to Okta and add the PrivaceraCloud application.

  2. From the application, click the Provisioning tab.

  3. Click Configure API integration.

  4. Select Enable API integration.

  5. Enter the Endpoint URL:

    • PrivaceraCloud: the URL that was generated for you, and the Username/Password or Bearer Token you provided in your PrivaceraCloud account in Configure SCIM Server in PrivaceraCloud.
    • Self Managed: https://{SCIM_SERVER_HOST}/api/pus/public/scim/v2/{connectorName}

  6. Click Test API Credentials. If the test passes, click Save.

  7. Under Settings, click To App.

  8. Click Edit and select Enable for required options.
    Use this step to map user attributes or leave them with default settings.

  9. Click Save to apply the integration settings.

Step 2. Activate Application Features

  1. From the application, click the Provisioning tab.

  2. Click Edit.

  3. Click the Enable checkbox for Create Users and Update User Attributes.

  4. Click Save.

Step 3. Verify Email Addresses

User provisioning in Okta relies on an email address to identify a user in PrivaceraCloud and consequently create or update a Privacera Cloud account. If the email address attribute for a user is inconsistent between the SAML SSO setting and the SCIM user provisioning setting in Okta, the user might end up with duplicate PrivaceraCloud accounts.

To avoid duplicate accounts, verify the email address attribute that maps to a user account is correct and used for both SAML SSO and SCIM user provisioning:

  1. From the User provisioning tab in Okta, note the field that maps to the Primary email attribute. The default is email.

  2. Click the Sign on tab. From the Credentials details section, look for the Application username format setting. Okta passes this field from a user's account as the SSO email address when creating or linking an account.
    If Application username format specifies an old value (for example, the old email address user1OLD@example.com for the specified attribute) but another attribute stores the same user's email address user1NEW@example.com, the user might end up with duplicate accounts. Troubleshoot as follows:
    • Before you complete this step, ask the user to log in with their PrivaceraCloud account at least once.
    • If the user still ends up with duplicate accounts, contact PrivaceraCloud support with the user's email addresses.

  3. Make sure the Application username format is set to the same attribute specified as Primary email in the previous step.

  4. Make sure that Update application username is set to Create and update. Click Save to apply your changes.

  5. Click Update Now to push the change faster than the Okta automatic update.

Step 4. Push Groups

Privacera recommends using the group synchronization feature to manage user privileges and licenses automatically from your directory, instead of managing them manually.

This section describes how to configure group-based management.

Pushing a group to your PrivaceraCloud account pushes only the group's own details, not the details of the users who belong to it.

  1. In Okta, click the Push Groups tab and then By name.
    Select the group name, and click Save.

  2. Review to make sure all required groups have been pushed.

Step 5. Assign Users to the PrivaceraCloud Application in Okta

  1. In Okta, click the Assignments tab of the PrivaceraCloud application.

  2. Click Assign , then Groups. Select the group to assign.

  3. In the displayed dialog, the default values shown are applied only when the user profile does not already set them. All fields are optional.
    When you are done with this step, click Save and Go Back.

  4. In PrivaceraCloud, to verify that users and groups are synced, navigate to Access Manager > Users Groups and Roles.

Step 6. Write a Policy for Provisioned Users or Groups

Create a data access policy for the provisioned users or groups through PrivaceraCloud to finalize the integration verification.

  1. From your PrivaceraCloud Account, navigate to Access Management > Resource Policies.

  2. Select an application to write a policy over, such as Privacera Hive.

  3. Click Add Policy and enter the details as shown below.

  4. Verify the policy is in effect in your downstream application.

Supported Okta SCIM Client Operations

User Operations

The Privacera SCIM Server supports the following operations:

  • Create new user: A data access user is created in PrivaceraCloud Access Management > Users. This account cannot be edited directly in PrivaceraCloud.
  • Link an existing user: If a user already exists in your PrivaceraCloud account, it is automatically linked to the user in Okta. This account can no longer be edited directly in PrivaceraCloud.
  • Update user details: In PrivaceraCloud, you can update the display name and email address user attributes from your identity provider. By default, a user's first and last names are combined to create the Display name. Any display name entered in PrivaceraCloud overwrites the first and last name combination.
  • Deactivate user: Deactivate is also sometimes called "soft delete". Deactivation has the following effects:
    • The user is marked as hidden.
    • The user is removed from all groups.
    Important: the Privacera administrator must manually remove the deactivated user from all user-based policies. If your policies are based on groups (not specific users), no changes to policies are needed, because the user has been removed from the groups. You need to manually change a policy only if the user is explicitly named in it.
  • Delete user: Delete the user manually in PrivaceraCloud.

Group Operations

Groups created manually and by default (for example, public) in your PrivaceraCloud account cannot be managed via SCIM.

You can only manage groups synced from Okta via SCIM.

  • Create group: The group is created as a read-only external group in PrivaceraCloud.
  • Update group membership: PrivaceraCloud external data access users in your PrivaceraCloud account are modified to reflect the group membership changes carried by this SCIM operation.
    Troubleshooting: If a synced group is empty when pushing a group, make sure that the synchronized group does not have the same name as a default or manually created group in PrivaceraCloud.
  • Push group: An error will result if the group name already exists in your PrivaceraCloud account. For example, the group named "public" might conflict.
    Troubleshooting: In your identity provider, rename the conflicting group with a name different from the PrivaceraCloud built-in group name and attempt to re-sync.
  • Delete group: Not implemented via SCIM; delete manually in PrivaceraCloud.

Okta SCIM Server - Configure custom user attributes

These steps configure the Usersync connector to accept additional user attribute(s).

  1. In the PrivaceraCloud portal, navigate to Settings -> Datasources -> Usersync connector.

  2. In the "Custom User Attributes" section, add the custom attribute(s).

  3. Save the configuration.

Okta Configuration

In Okta you will need to add application profile attributes and mappings.

  1. Login to Okta. Navigate to Applications.

  2. Select your PrivaceraCloud application.

  3. Then select "Provisioning (To App)".

  4. In the "Local Attribute Mappings" section, click "Go to Profile Editor".

  5. Click Add Attribute.
    Table 71. Attribute examples:

    Data type: string
    Display name: Title
    Variable name: title
    External name: title
    External namespace: urn:ietf:params:scim:schemas:core:2.0:User
    Description: User Title
    Enum: (blank)
    Attribute length: (blank)
    Attribute required: (blank)
    Scope: User Personal

  6. Click Mappings.

  7. Select "Okta User to PrivaceraCloud".
    For example, map the Okta attribute to the application attribute:

    user.title -> title

For additional information, see the Okta documentation.

SCIM Server API

SCIM 2.0 clients can also connect directly with the Privacera SCIM Server via the REST API.

Follow the steps in Enable SCIM Server in PrivaceraCloud to obtain the direct URL, username, and password.

Use Basic Authentication (base64 encoded username and password) to authenticate each API request.

See the SCIM 2.0 specification for the protocol details and call schemas.

Supported SCIM REST API Requests

SCIM Server supports the following requests:

    GET - /Users
        - Params
            - startIndex
            - count
            - filter (supports a single filter with the 'eq' operator on the following attributes: userName, givenName, firstName, active)

    GET - /Users/{userId}

    POST - /Users
        - Params
            - user (SCIM User JSON)

    PUT - /Users/{userId}
        - Params
            - user (SCIM User JSON)

    GET - /Groups
        - Params
            - startIndex
            - count
            - filter (supports a single filter with the 'eq' operator on the following attribute: displayName)

    GET - /Groups/{groupId}

    POST - /Groups
        - Params
            - group (SCIM Group JSON)

    PATCH - /Groups/{groupId}
        - Params
            - operations (SCIM Operation list). Supported operations:

                op: replace
                path: members
                value: [{value: userId} …]

                op: remove
                path: members[value eq "userId"]

                op: add
                path: members
                value: [{value: userId} …]
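As an added example (not Privacera's code), the Python helpers below build the requests described in this section and in the Okta custom-attribute steps: the Basic or Bearer Authorization header, GET /Users and /Groups queries restricted to the filterable attributes listed above, a SCIM User body carrying the custom title attribute in the core schema, and the three supported PATCH /Groups member operations. The schema URIs come from the SCIM 2.0 spec rather than this page, and the base URL form follows the self-managed endpoint format shown earlier; both are assumptions.

```python
import base64
from urllib.parse import urlencode

# RFC 7644 schema URIs; assumed from the SCIM 2.0 spec, not shown on the page.
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# Attributes the page lists as filterable with a single 'eq' filter.
FILTER_ATTRS = {"Users": {"userName", "givenName", "firstName", "active"},
                "Groups": {"displayName"}}

def auth_header(username=None, password=None, bearer=None):
    """Basic (base64 of user:password) or Bearer header for each request."""
    if bearer:
        return {"Authorization": f"Bearer {bearer}"}
    raw = f"{username}:{password}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}

def list_query(resource, attr=None, value=None, start_index=1, count=100):
    """Query params for GET /Users or GET /Groups; rejects unsupported filters."""
    params = {"startIndex": start_index, "count": count}
    if attr is not None:
        if attr not in FILTER_ATTRS[resource]:
            raise ValueError(f"{attr} cannot be filtered on /{resource}")
        params["filter"] = f'{attr} eq "{value}"'
    return params

def list_url(base_url, resource, **kw):
    """Full URL: {base_url}/Users?startIndex=1&count=100&filter=..."""
    return f"{base_url}/{resource}?{urlencode(list_query(resource, **kw))}"

def scim_user(user_name, given, family, email, title=None):
    """SCIM User JSON for POST/PUT /Users; 'title' is the custom core-schema
    attribute from the Okta steps, the 'work' email matches the AAD mapping."""
    user = {
        "schemas": [USER_SCHEMA],
        "userName": user_name,
        "name": {"givenName": given, "familyName": family},
        "emails": [{"type": "work", "value": email, "primary": True}],
        "active": True,
    }
    if title is not None:
        user["title"] = title
    return user

def group_members_patch(op, user_ids):
    """Body for PATCH /Groups/{groupId} in the three documented shapes."""
    if op == "remove":
        ops = [{"op": "remove", "path": f'members[value eq "{u}"]'} for u in user_ids]
    elif op in ("add", "replace"):
        ops = [{"op": op, "path": "members", "value": [{"value": u} for u in user_ids]}]
    else:
        raise ValueError(f"unsupported op: {op}")
    return {"schemas": [PATCH_SCHEMA], "Operations": ops}
```

Send the returned dicts as JSON bodies with the header from auth_header; the placeholder host and connector name in any URL must be replaced with the values from your own connector configuration.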

Entra ID (AAD)

Entra ID (AAD) SCIM Server UserSync

Entra ID (AAD or Azure AD) can be configured to sync identities with Privacera UserSync.

Prerequisites

Entra ID (AAD) Administrator account access.

Privacera UserSync Configuration

These Privacera Manager variables need to be set in ~/privacera/custom-vars/vars.privacera-usersync.scimserver.yml:

Add:

    SCIM_SERVER_BEARER_TOKEN: "{BEARER_TOKEN_VALUE}"

Update:

    SCIM_SERVER_ATTRIBUTE_EMAIL: "emails[type-work].value"

  1. In Configure Connector > Authentication Type, select Bearer and click Generate Token and Copy, making sure to save the token value for later.
  2. In the Base User Attributes section, update the Email Address value to emails[type-work].value.

Entra ID (AAD) Configuration

For additional information regarding configuring a SCIM client in AAD, see the Microsoft documentation.

Create application

  1. Select Enterprise applications from the left pane. Then + New application > + Create your own application.

  2. Enter an application name (e.g. "Privacera Provisioning").

  3. Select "Integrate any other application you don't find in the gallery (Non-gallery)" and click the Create button.

  4. On the app management screen, select Provisioning in the left panel. Then click Get Started.

  5. Choose Automatic for the Provisioning Mode.

  6. Configure the Privacera credentials from the Usersync configuration:

    • PrivaceraCloud: the URL that was generated for you, and the Username/Password or Bearer Token you provided in your PrivaceraCloud account in Configure SCIM Server in PrivaceraCloud.
    • Self Managed: https://{SCIM_SERVER_HOST}/api/pus/public/scim/v2/{connectorName}

Configure mappings

It is important to include only attributes that are configured in both Privacera and Azure AD. Below is the list of default attributes supported by Privacera Usersync; any additional attribute should be removed from the Azure AD mapping unless it is also added to the Privacera Usersync configuration.

Azure AD attribute : Privacera Usersync (SCIM) attribute

Groups:
    displayName                 :   displayName
    members                     :   members

Users:
    userPrincipalName           :   userName
    Switch([IsSoftDeleted]...)  :   active
    mail                        :   emails[type eq "work"].value
    givenName                   :   name.givenName
    surname                     :   name.familyName

Limitations

Microsoft Azure AD does not support syncing service principals or nested groups, thus Privacera also cannot support these specific capabilities.

Configure scope

Select Sync all users and groups or Sync only assigned users and groups.

OneLogin

OneLogin UserSync

OneLogin can be configured to sync identities with Privacera UserSync.

Prerequisites

OneLogin Administrator account access with user provisioning enabled.

Privacera UserSync Configuration

These Privacera Manager variables need to be set in ~/privacera/custom-vars/vars.privacera-usersync.scimserver.yml:

Add:

    SCIM_SERVER_BEARER_TOKEN: "{BEARER_TOKEN_VALUE}"

Update:

    SCIM_SERVER_ATTRIBUTE_EMAIL: "emails[type-work].value"

  1. In Configure Connector > Authentication Type, select Bearer and click Generate Token and Copy, making sure to save the token value for later.
  2. In the Base User Attributes section, update the Email Address value to emails[type-work].value.

OneLogin Configuration

Privacera App Configuration

Access OneLogin and go to Apps -> Add Apps. Search and select "Privacera".

Configuration values

SCIM BASE URL: Provide the Privacera Usersync SCIM Server URL. It varies slightly between PrivaceraCloud and Privacera self managed deployments.

  • PrivaceraCloud: (Can be copied from UserSync configuration UI)
    https://api.privaceracloud.com/api/{API_KEY}/usersync/{CONNECTOR_NAME}

  • Self Managed and Data Plane:
    https://{HOST}/api/pus/public/scim/v2/{CONNECTOR_NAME}

SCIM Bearer Token: Provide the configured bearer token for SCIM Server connector.

SCIM JSON Template: Modify the JSON Template for any custom attribute mappings required (no changes are required for the default mapping). Note that the user field mapped to userName must have a value for the integration.

In the Privacera App, select the Parameters tab, then Groups. Scroll down and select the "Include in User Provisioning" option.

Select the Rules tab to create a group in Privacera for each Role a user belongs to in OneLogin, then click Add Rule.

Role Limitations

Since Roles are created as part of a rule, some features do not perform as expected:

  • Role delete: If a role is deleted, users in Privacera will not be removed from the group and the group will not be made inactive. To account for this, remove all users from the Role prior to deleting the Role in OneLogin, then delete the matching group in Privacera.
  • Role rename: Renaming a Role in OneLogin will create a new group in Privacera. Users will be removed from the group having the previous name and correctly associated with the new group. The group with the old Role name can be manually deleted from the Privacera Portal.

Rule Mapping Name: Provide desired name of rule. (Role to Group mapping)

Conditions: No changes.

Actions:

Select Set Groups in {APP_NAME}.

Select Map from OneLogin.

For each "role" with value that matches ".*", set {APP_NAME} Groups name after roles.

Under the Access tab, select any Roles containing users you require to be provisioned.

Under the Provisioning tab:

Check Enable Provisioning.

Select actions that require approval before being provisioned: (For automatic provisioning unselect all actions.)

Create user

Delete user

Update user

In the "When users are deleted in OneLogin…" dropdown, select Delete.

In the "When user accounts are suspended in OneLogin..." dropdown, select Suspend.

Click the Users tab to view a list of “assigned” users and current provisioning state.

No changes are required in the Privileges tab.

Note: For more details on these steps, see the OneLogin documentation.
