You do not have permission to edit this page, for the following reason:
You can view and copy the source of this page:
Return to System for Cross Domain Identity Management.
Contents
System for Cross Domain Identity Management (SCIM)[edit]
ICI is now providing support for System for Cross-domain Identity Management (SCIM), which is an open standard protocol to automate the provisioning and deprovisioning of users. This framework allows exchange of user identity and user group information between identity providers (such as OKTA) and service providers (such as ICI – SaaS-based application). As a single system is used to manage permissions and groups, and data is transferred automatically, the risk of error is considerably reduced. This makes user management simpler and easier for customers.
OKTA integrates various applications into its service, and you simply deploy these pre-integrated applications to your users as necessary. For example, OKTA uses the SCIM application to provision users or user groups in ICI.
To provision or deprovision ICI users, the OKTA Administrator first needs to create and configure an application which supports the SCIM protocol.
Note: ICI only supports SCIM 2.0 version.
Configuring the SCIM Application[edit]
The OKTA Administrator uses the OKTA Dashboard to configure the SCIM application.
1. Click the "Applications" tab.
2. Select "Applications" from the drop-down. The Applications page opens.
3. Click "Add Application".
4. Enter "scim" in the search field to search applications that are supporting SCIM.
Note: ICI supports the SCIM 2.0 App (Header Auth)version to provision and deprovision users through OKTA.
5. Select the application created by the OKTA Administrator using SCIM 2.0 App (Header Auth) for SCIM protocol. For example, "SCIM to ICI" application (as shown in the screenshot below):
To configure SCIM to ICI application, the OKTA Administrator performs the following steps:
1. Click the "Provisioning" tab.
2. Click the "Integration" tab.
3. Enter the Base URLand API Token as provided by ICI Administrator.
Note: Ensure that the Enable API Integration box is checked.
4. Click the "Test API Credentials" button to validate the credentials (ICI Base URLand API Token). A validation message will be displayed on entering incorrect credentials indicating that an authentication error has occurred.
To allow Provisioning of SCIM application i.e. from OKTA to SCIM, the Administrator enables functionalities such as Create Users, Update User Attributes, and Deactivate Users. After enabling the functionalities, you can provision/deprovision users in ICI from OKTA using the SCIM protocol (for example, SCIM to ICI application as mentioned in Step 5).
Adding a user in OKTA[edit]
To add a user in OKTA:
1. Click "Users" menu on the Dashboard.
2. Click "People".
3. Click "Add Person". The Add Person window opens.
4. Enter details such as First name, Last name, Username and Primary email. For example, add user - Michael Smith.
5. Click "Save". The user Michael Smith is added to the application SCIM to ICI.
6. The user Michael Smithcan now be provisioned to ICI using Assignments tab.
Provisioning users[edit]
You can provision users by adding users individually or by user group in ICI:
1. Click the "Assignments" tab.
2. Click "Assign" drop-down.
3. Select "Assign to People" to select an individual user or select "Assign to Groups"to select a user group.
Note: A user needs to be added to the OKTA global directory to be provisioned in ICI.
Provisioning users using assignment[edit]
To add a user to SCIM to ICI Assignments:
1. Click the "Assignments" tab in the Applications menu.
2. Click the "Assign" drop-down.
3. Click "Assign to People". The Assign SCIM to ICI to People window opens.
4. Search for a user in the search tab. For example, Morita Akemi.
5. Click "Assign".
Note: As per the ICI SCIM implementation, when a user gets provisioned, ICI first verifies if the user is already present or not.
- If the user is not present, ICI creates a new user.
- If the user is present, but in the deprovisioned state, then ICI reprovisions the user only if the External identifier value in ICI is matching with the value of SCIM External identifier.
6. Click "Save and Go Back".
7. Click "Done".
The user is assigned and provisioned in ICI.
Provisioning users using group assignment[edit]
Group assignment in SCIM is a convenient way to get multiple assignments. Using SCIM Group, users are provisioned to ICI in one go. You can create User Groups in ICI using Add Group functionality of SCIM.
You can provision multiple users in ICI by using a group assignment provided they are already assigned and displayed in the Assignments tab.
Note: Do not use the same group for Assignment and Push Groups.
To add already assigned members to a group SCIM to ICI group:
1. Click "SCIM to ICI group".
2. Click "Manage People".
3. Search a user. For example, Michael Smith should already be provisioned in ICI through an individual or group assignment.
4. Click the Add icon.
5. Click Save. The user Michael Smith is added to the group SCIM to ICI group.
Mapping ICI attributes with SCIM attributes[edit]
To map ICI attributes with SCIM attributes, you must create the Client App Entity Mapping.
Client App Entity Mapping[edit]
1. Click "Configure" > "Masterdata" on the Home page. The Masterdata index page opens.
2. Click "Create". The "Create Masterdata" page opens.
The Create Masterdata page contains the following tabs:
a. Masterdata Details
b. Attributes
a. Masterdata Details
1. Select the Category from the drop-down. For example, Default.
2. Select the Masterdata Contract Type.
Note: In order to map the SCIM attribute name with ICI attribute name, you must select Client App Entity Mapping from the drop-down.
3. Click Next. The Attributes page opens.
b. Attributes
Provide relevant attribute values in the respective fields. For example:
- Client Name: Select the client name from the drop-down. Here, it must be SCIM.
- Name: Enter the Masterdata name. For example, External UPN.
- ICI Entity Name: Enter the ICI Entity Name. For example, UserInformation.
- ICI Attribute Name: Enter the ICI attribute name, which is mapped with the attribute name in SCIM. For example, ExternalUPN.
- Client Entity Name: Enter the SCIM entity name. For example, SCIM Request.
- Client Attribute Name: Enter the SCIM attribute name. For example, userName.
- Data Flow Type: Select the data flow type to map the data from SCIM to ICI. For example, Client to ICI.
- Enable Sync: Set "Enable Sync" to "Yes" to synchronize data mapping of ICI attributes with SCIM attributes.
Note:
- It is mandatory to create the Client App Entity Mapping for the attribute ExternalUPN.
- Repeat the steps under Client App Entity Mapping to map other attributes such as Phone Number from SCIM to ICI.
The Client App Entity Mapping created is displayed as shown in the screenshot below:
The value of the SCIM attribute name (for example, userName) is mapped with ICI attribute name (for example, ExternalUPN) as shown in the screenshot below:
Note: To map attributes such as Organization Unit Id, Organization Path Id or SharedOrgPathId, apart from the Client App Entity Mapping masterdata, you must create the Org Path Mapping masterdata, and map with the Client Attribute Name specified in Client App Entity Mapping. The Org Path Mapping masterdata is used to map the value of the Client Attribute Name with the respective Organization using the Organization Unit Path value.
In this example, the value of Client Attribute Name as shown in the above screenshot is mapped to the Org Path Mapping masterdata.
In the above screenshot, name (for example, north) is the value of Client Attribute Name (for example, bCGHomeOfficeCode) in Client App Entity Mapping and Organization Unit Path is the org path.
Using the Client App Entity Mapping for attributes such as OrganizationUnitId, OrgPathId or SharedOrgPathId, the Org Path Mapping will be used to map the respective Org of a user.
Deprovisioning users[edit]
You can deprovision users in ICI using the Assignments tab.
Deprovisioning user from assignment[edit]
You can deprovision user either individually or by removing the user from the group which was used as assignment.
To deprovision an assigned user from SCIM:
1. Click the 
icon to unassign a user from OKTA. The Unassign User window opens.
icon to unassign a user from OKTA. The Unassign User window opens.2. Select the user to be unassigned from the displayed records. For example, Michael Smith.
3. Click "OK".
The user Michael Smith is unassigned from SCIM to ICI and subsequently deprovisioned from ICI.
Note: You can reprovision the user only in ICI only if the External identifier value in ICI is matching with the value of SCIM External identifier.
Creating User Groups in ICI using SCIM[edit]
To create user groups in ICI using SCIM, you must create the SCIM Groups Mapping masterdata.
The SCIM Groups Mapping masterdata is created to define the mapping before pushing the group from SCIM to ICI, for example, to push the Group SCIM Admins from SCIM to ICI as Local Admins. If the mapping is not present, the Group SCIM Admins will be created as Group SCIM Admins in ICI, and a masterdata record will also be created in SCIM Groups Mapping masterdata if the masterdata Contract Type is available.
Note: The SCIM Groups Mapping masterdata is optional.
SCIM Groups Mapping[edit]
1. Click "Configure" > "Masterdata" on the Home page. The Masterdata index page opens.
2. Click "Create". The "Create Masterdata" page opens.
The Create Masterdata page contains the following tabs:
a. Masterdata Details
b. Attributes
a. Masterdata Details
1. Select the "Category" from the drop-down. For example, Default.
2. Select the Masterdata Contract Type.
Note: In order to create user groups in ICI using SCIM, you must select SCIM Groups Mappingfrom the drop-down.
3. Click "Next". The Attributes page opens.
b. Attributes
- Enter the masterdata Name (such as SCIM to ICI group) and the SCIM Group Name (such as SCIM to ICI group).
- Click Save.
The SCIM Groups Mapping is created.
To create User Group using SCIM:
1. Click the "Users" tab on the OKTA Dashboard.
2. Select "Groups" from the drop-down menu. The Groups page opens.
3. Click "Add Group".
4. Enter "Name". For example, SCIM to ICI group.
5. Click Add Group. The group is added in SCIM.
Push Groups:
Push Group is used to create User Groups in ICI. You can push groups with members, but the member should have already been provisioned in ICI using Assignment either individually or group assignment.
6. Click the "Push Groups" tab.
7. Click the "Push Groups"drop-down.
8. Search a group using the search field. For example, SCIM to ICI group.
9. Select the desired group from the displayed records.
10. Click "Save". The SCIM to ICI group is now pushed to ICI.
Note: The difference between Groups and Push Groups is that Groups need to be assigned using Assignments, whereas Push Groups is only meant to push users (part of the selected group) to be provisioned in ICI in one go. These groups are not assigned in the Assignments tab.
11. The members of the group SCIM to ICI group are pushed to ICI. For example, the user of the group SCIM to ICI group Michael Smith is pushed to ICI.
Note: Users need to be assigned through assignment to be pushed by Push Groups.
Managing ICI User Group members using SCIM[edit]
To deprovision a user using SCIM, you first need to remove the user from the Push Groups. For example, let us remove the user Michael Smith from Push GroupsSCIM to ICI group.
1. Go to the Push Groups tab.
2. Click the Push Groups. For example, SCIM to ICI group.
3. Click Manage People. The SCIM to ICI group opens.
4. Click the remove icon for the user to be removed. For example, Michael Smith.
5. Click Save. The user is removed from the Push Group - SCIM to ICI group and consequently gets deprovisioned from the User Groups in ICI.
