From ICIHelp8.2

Revision as of 09:13, 20 December 2019

System for Cross Domain Identity Management (SCIM)

ICM now supports System for Cross-domain Identity Management (SCIM), an open standard protocol that automates the provisioning and deprovisioning of users. This framework allows exchange of user identity and user group information between identity providers (such as OKTA) and service providers (such as ICM, a SaaS-based application). As a single system is used to manage permissions and groups, and data is transferred automatically, the risk of error is considerably reduced. This makes user management simpler and easier for customers.

OKTA integrates various applications into its service, and you simply deploy these pre-integrated applications to your users as necessary. For example, OKTA uses the SCIM application to provision users or user groups in ICM.

To provision or deprovision ICM users, the OKTA Administrator first needs to create and configure an application which supports the SCIM protocol. 

Note: ICM supports only SCIM version 2.0.

Configuring the SCIM Application

The OKTA Administrator uses the OKTA Dashboard to configure the SCIM application.

  1. Click the Applications tab.
  2. Select Applications from the drop-down. The Applications page opens.
  3. Click Add Application.
  4. Enter scim in the search field to find applications that support SCIM.

Note: ICM supports the SCIM 2.0 App (Header Auth) version to provision and deprovision users through OKTA.

  5. Select the application created by the OKTA Administrator using SCIM 2.0 App (Header Auth) for the SCIM protocol. For example, the SCIM to ICM application (as shown in the screenshot below).

To configure the SCIM to ICM application, the OKTA Administrator performs the following steps:

  1. Click the Provisioning tab.
  2. Click the Integration tab.
  3. Enter the Base URL and API Token as provided by the ICM Administrator.

Note: Ensure that the Enable API Integration box is checked.

  4. Click the Test API Credentials button to validate the credentials (ICM Base URL and API Token). If the credentials are incorrect, a validation message indicates that an authentication error has occurred.

To allow provisioning for the SCIM application, that is, from OKTA to SCIM, the Administrator enables functionalities such as Create Users, Update User Attributes, and Deactivate Users. After these functionalities are enabled, you can provision or deprovision users in ICM from OKTA using the SCIM protocol (for example, the SCIM to ICM application mentioned in Step 5).

Adding a user in OKTA

To add a user in OKTA:

  1. Click Users menu on the Dashboard.
  2. Click People.
  3. Click Add Person. The Add Person window opens.
  4. Enter details such as First name, Last name, Username and Primary email. For example, add user - Michael Smith.
  5. Click Save. The user Michael Smith is added to the application SCIM to ICM.

The user Michael Smith can now be provisioned to ICM using the Assignments tab.

Provisioning users

You can provision users by adding users individually or by user group in ICM:

  1. Click the Assignments tab.
  2. Click the Assign drop-down.
  3. Select Assign to People to select an individual user or select Assign to Groups to select a user group.

Note: A user needs to be added to the OKTA global directory to be provisioned in ICM.

Provisioning users using assignment

To add a user to SCIM to ICM Assignments:

  1. Click the Assignments tab in the Applications menu.
  2. Click the Assign drop-down.
  3. Click Assign to People. The Assign SCIM to ICM to People window opens.
  4. Search for a user in the search tab. For example, Morita Akemi.
  5. Click Assign.

Note: As per the ICM SCIM implementation, when a user is provisioned, ICM first checks whether the user is already present.

  • If the user is not present, ICM creates a new user.
  • If the user is present but in the deprovisioned state, ICM reprovisions the user only if the External identifier value in ICM matches the SCIM External identifier value.

  6. Click Save and Go Back.
  7. Click Done.

The user is assigned and provisioned in ICM.

Provisioning users using group assignment

Group assignment in SCIM is a convenient way to make multiple assignments at once. Using a SCIM Group, users are provisioned to ICM in one go. You can create User Groups in ICM using the Add Group functionality of SCIM.

You can provision multiple users in ICM by using a group assignment provided they are already assigned and displayed in the Assignments tab.

Note: Do not use the same group for Assignment and Push Groups.

To add already assigned members to a group SCIM to ICM group:

  1. Click SCIM to ICM group.
  2. Click Manage People.
  3. Search for a user. For example, Michael Smith. The user should already be provisioned in ICM through an individual or group assignment.
  4. Click the Add icon.
  5. Click Save. The user Michael Smith is added to the group SCIM to ICM group.

Mapping ICM attributes with SCIM attributes

To map ICM attributes with SCIM attributes, you must create the Client App Entity Mapping.

Client App Entity Mapping

  1. Click the Configuration tile. The Configuration page opens.
  2. Click the Masterdata tile. The Masterdata page opens.
  3. Click the Create Masterdata tile. The Create Masterdata page opens.

The Create Masterdata page contains the following tabs:

  1. Masterdata Details
  2. Attributes

Masterdata Details

  1. Select the Category from the drop-down. For example, Default.
  2. Select the Masterdata Contract Type.

Note: To map the SCIM attribute name to the ICM attribute name, you must select Client App Entity Mapping from the drop-down.

  3. Click Next. The Attributes page opens.

Attributes

Provide relevant attribute values in the respective fields:

Note:

  • It is mandatory to create the Client App Entity Mapping for the attribute ExternalUPN.
  • Repeat the steps under Client App Entity Mapping to map other attributes such as Phone Number from SCIM to ICM.
  • To map attributes such as Organization Unit Id and Organization Path Id, you must create the masterdata Org Path Mapping, and map it with the Client Attribute Name specified in the Client App Entity Mapping. The Org Path Mapping masterdata is used to map the Client Attribute Name with a particular Organization using the Organization Unit Path value.

The Client App Entity Mapping created is displayed as shown in the screenshot below:

The value of the SCIM attribute name is automatically updated in ICM as shown in the screenshot below:

Deprovisioning users

You can deprovision users in ICM using the Assignments tab.

Deprovisioning user from assignment

You can deprovision a user either individually or by removing the user from the group that was used for the assignment.

To deprovision an assigned user from SCIM:

  1. Click the icon to unassign a user from OKTA. The Unassign User window opens.
  2. Select the user to be unassigned from the displayed records. For example, Michael Smith.
  3. Click OK.

The user Michael Smith is unassigned from SCIM to ICM and subsequently deprovisioned from ICM.

Note: You can reprovision the user in ICM only if the External identifier value in ICM matches the SCIM External identifier value.
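
The rule in this note and in the earlier provisioning note (create when absent, reprovision a deprovisioned user only on an External identifier match) is modelled below as an added example, not ICM's own code. The Directory and IcmUser classes, matching users on userName, and the ALREADY_ACTIVE outcome are assumptions made for illustration; the sample users are constructed.

```python
from dataclasses import dataclass
from enum import Enum

SCIM2_USER = "urn:ietf:params:scim:schemas:core:2.0:User"  # SCIM 2.0 core User schema (RFC 7643)


class Decision(Enum):
    CREATE = "create"
    REPROVISION = "reprovision"
    REJECT = "reject"
    ALREADY_ACTIVE = "already-active"  # case the page does not describe; no action is taken here


@dataclass
class IcmUser:  # hypothetical stand-in for an ICM user record
    user_name: str
    external_id: str
    active: bool = True


class Directory:
    """In-memory stand-in for the ICM user store (assumption: users are matched on userName)."""

    def __init__(self):
        self.users = {}

    def decide(self, payload):
        if SCIM2_USER not in payload.get("schemas", []):
            return Decision.REJECT  # the page states that only SCIM 2.0 is supported
        key = (payload.get("userName") or "").lower()  # userName is case-insensitive in SCIM
        if not key:
            return Decision.REJECT
        existing = self.users.get(key)
        if existing is None:
            return Decision.CREATE
        if existing.active:
            return Decision.ALREADY_ACTIVE
        # Deprovisioned user: reprovision only when the External identifier matches exactly.
        external_id = payload.get("externalId")
        if external_id and external_id == existing.external_id:
            return Decision.REPROVISION
        return Decision.REJECT

    def provision(self, payload):
        decision = self.decide(payload)
        key = (payload.get("userName") or "").lower()
        if decision is Decision.CREATE:
            self.users[key] = IcmUser(payload["userName"], payload.get("externalId") or "")
        elif decision is Decision.REPROVISION:
            self.users[key].active = True
        return decision

    def deprovision(self, user_name):
        user = self.users.get(user_name.lower())
        if user is None:
            return False
        user.active = False
        return True


def scim_user(user_name, external_id, schema=SCIM2_USER):
    """Build a minimal SCIM User payload (constructed sample data)."""
    return {"schemas": [schema], "userName": user_name, "externalId": external_id, "active": True}


def demo():
    icm = Directory()
    original = scim_user("michael.smith@example.com", "00u-constructed-A")
    # Same user name, different identity on the identity-provider side.
    recycled = scim_user("Michael.Smith@example.com", "00u-constructed-B")
    steps = [icm.provision(original), icm.provision(original)]
    icm.deprovision("michael.smith@example.com")
    steps.append(icm.provision(recycled))  # External identifier differs: refused
    steps.append(icm.provision(original))  # External identifier matches: reprovisioned
    steps.append(icm.provision(scim_user("a@example.com", "x", "urn:scim:schemas:core:1.0")))
    return [step.value for step in steps]


if __name__ == "__main__":
    print(demo())
```

The third step is the case the External identifier check exists for: a new identity that reuses a deprovisioned user's name does not inherit the old ICM account.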

Creating User Groups in ICM using SCIM

To create user groups in ICM using SCIM, you must create the masterdata SCIM Groups Mapping.

The SCIM Groups Mapping masterdata defines the mapping before group push from SCIM to ICM is enabled, for example, to push the group SCIM Admins from SCIM to ICM as Local Admins. If the mapping is not present, the group SCIM Admins is created in ICM as SCIM Admins, and a record is also created in the SCIM Groups Mapping masterdata if the masterdata is available.

Note: The SCIM Groups Mapping masterdata is optional.

SCIM Groups Mapping

  1. Click the Configuration tile. The Configuration page opens.
  2. Click the Masterdata tile. The Masterdata page opens.
  3. Click the Create Masterdata tile. The Create Masterdata page opens.

The Create Masterdata page contains the following tabs:

  1. Masterdata Details
  2. Attributes

Masterdata Details

  1. Select the Category from the drop-down. For example, Default.
  2. Select the Masterdata Contract Type.

Note: To create user groups in ICM using SCIM, you must select SCIM Groups Mapping from the drop-down.

  3. Click Next. The Attributes page opens.

Attributes

  • Enter the masterdata Name (such as SCIM to ICM group) and the SCIM Group Name (such as SCIM to ICM group).
  • Click Save.

The SCIM Groups Mapping created is displayed as shown in the screenshot below:

To create a User Group using SCIM:

  1. Click the Users tab on the OKTA Dashboard.
  2. Select Groups from the drop-down menu. The Groups page opens.
  3. Click Add Group.
  4. Enter Name. For example, SCIM to ICM group.
  5. Click Add Group. The group is added in SCIM.

Push Groups:

Push Groups is used to create User Groups in ICM. You can push groups with members, but each member should already have been provisioned in ICM using Assignment, either individually or through a group assignment.

  1. Click the Push Groups tab.
  2. Click the Push Groups drop-down.
  3. Search for a group using the search field. For example, SCIM to ICM group.
  4. Select the desired group from the displayed records.
  5. Click Save. The SCIM to ICM group is now pushed to ICM.

Note: The difference between Groups and Push Groups is that Groups need to be assigned using Assignments, whereas Push Groups is only meant to push users (part of the selected group) to be provisioned in ICM in one go. These groups are not assigned in the Assignments tab.

The members of the group SCIM to ICM group are pushed to ICM. For example, the user Michael Smith of the group SCIM to ICM group is pushed to ICM.

Note: Users need to be assigned through assignment to be pushed by Push Groups.
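
As an added example (not ICM or OKTA code), the sketch below pre-checks a group push against the rules in this section: the SCIM Groups Mapping decides the ICM group name, a missing mapping is recorded when the masterdata exists, and only members already provisioned are pushed. The function and field names are hypothetical, the data is constructed, and reporting unprovisioned members as skipped is an assumption about how such members are handled.

```python
from dataclasses import dataclass, field

SCIM2_GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"  # SCIM 2.0 core Group schema


@dataclass
class PushPlan:
    scim_group: str          # displayName sent by the identity provider
    target_group: str        # name the group will have in ICM
    mapping_created: bool    # True when no mapping existed and a record was added
    members_pushed: list = field(default_factory=list)
    members_skipped: list = field(default_factory=list)  # not yet provisioned by assignment

    @property
    def renamed(self):
        # A push that lands in a differently named ICM group deserves a second look,
        # e.g. "SCIM Admins" arriving as "Local Admins".
        return self.scim_group != self.target_group


def plan_group_push(group, groups_mapping, provisioned_ids):
    """Work out what a push of `group` would do.

    groups_mapping: dict of SCIM group name -> ICM group name, or None when the
                    optional SCIM Groups Mapping masterdata has not been created.
    provisioned_ids: ids of users already provisioned in ICM through Assignments.
    """
    if SCIM2_GROUP not in group.get("schemas", []):
        raise ValueError("not a SCIM 2.0 Group resource")
    scim_name = group["displayName"]
    created = False
    if groups_mapping is not None and scim_name in groups_mapping:
        target = groups_mapping[scim_name]
    else:
        target = scim_name  # no mapping: the group keeps its SCIM name
        if groups_mapping is not None:
            groups_mapping[scim_name] = target  # record added because the masterdata exists
            created = True
    plan = PushPlan(scim_name, target, created)
    for member in group.get("members", []):
        label = member.get("display", member["value"])
        if member["value"] in provisioned_ids:
            plan.members_pushed.append(label)
        else:
            plan.members_skipped.append(label)  # assumption: reported, not pushed
    return plan


def sample_group(name):
    """Constructed SCIM Group payload with two members."""
    return {
        "schemas": [SCIM2_GROUP],
        "displayName": name,
        "members": [
            {"value": "u-1001", "display": "Michael Smith"},
            {"value": "u-1002", "display": "Morita Akemi"},
        ],
    }


if __name__ == "__main__":
    mapping = {"SCIM Admins": "Local Admins"}
    for name in ("SCIM Admins", "SCIM to ICM group"):
        print(plan_group_push(sample_group(name), mapping, {"u-1001"}))
```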

Managing ICM User Group members using SCIM

To deprovision a user using SCIM, you first need to remove the user from the Push Groups. For example, let us remove the user Michael Smith from the Push Group SCIM to ICM group.

  1. Go to the Push Groups tab.
  2. Click the Push Group. For example, SCIM to ICM group.
  3. Click Manage People. The SCIM to ICM group opens.
  4. Click the remove icon for the user to be removed. For example, Michael Smith.
  5. Click Save. The user is removed from the Push Group - SCIM to ICM group and consequently gets deprovisioned from the User Groups in ICM.