ICM now supports System for Cross-domain Identity Management (SCIM), an open standard protocol that automates the provisioning and deprovisioning of users. The framework allows identity providers (such as OKTA) and service providers (such as ICM, a SaaS-based application) to exchange user identity and user group information. Because a single system manages permissions and groups and data is transferred automatically, the risk of error is considerably reduced. This makes user management simpler and easier for customers.
OKTA integrates various applications into its service, and you simply deploy these pre-integrated applications to your users as necessary. For example, OKTA uses the SCIM application to provision users or user groups in ICM.
To provision or deprovision ICM users, the OKTA Administrator first needs to create and configure an application which supports the SCIM protocol.
Note: ICM supports only SCIM version 2.0.
The OKTA Administrator uses the OKTA Dashboard to configure the SCIM application.
Note: ICM supports the SCIM 2.0 App (Header Auth) version to provision and deprovision users through OKTA.
To configure the SCIM to ICM application, the OKTA Administrator performs the following steps:
Note: Ensure that the Enable API Integration box is checked.
To allow provisioning to the SCIM application, that is, from OKTA to SCIM, the Administrator enables functionalities such as Create Users, Update User Attributes, and Deactivate Users. After these functionalities are enabled, you can provision or deprovision users in ICM from OKTA using the SCIM protocol (for example, through the SCIM to ICM application mentioned in Step 5).
To add a user in OKTA:
You can provision users by adding users individually or by user group in ICM:
Note: A user needs to be added to the OKTA global directory to be provisioned in ICM.
To add a user to SCIM to ICM Assignments:
Note: As per the ICM SCIM implementation, when a user is provisioned, ICM first verifies whether the user is already present.
The user is assigned and provisioned in ICM.
Group assignment in SCIM is a convenient way to make multiple assignments. Using a SCIM Group, users are provisioned to ICM in one go. You can create User Groups in ICM using the Add Group functionality of SCIM.
You can provision multiple users in ICM by using a group assignment, provided they are already assigned and displayed in the Assignments tab.
Note: Do not use the same group for Assignment and Push Groups.
To add already assigned members to the group SCIM to ICM group:
To map ICM attributes with SCIM attributes, you must create the Client App Entity Mapping.
The Create Masterdata page contains the following tabs:
Note: In order to map the SCIM attribute name with ICM attribute name, you must select Client App Entity Mapping from the drop-down.
Provide relevant attribute values in the respective fields:
Note:
The Client App Entity Mapping created is displayed as shown in the screenshot below:
The value of the SCIM attribute name is automatically updated in ICM as shown in the screenshot below:
You can deprovision users in ICM using the Assignments tab.
You can deprovision a user either individually or by removing the user from the group that was used for the assignment.
To deprovision an assigned user from SCIM:
The user Michael Smith is unassigned from SCIM to ICM and subsequently deprovisioned from ICM.
Note: You can reprovision the user in ICM only if the External identifier value in ICM matches the value of the SCIM External identifier.
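The provisioning notes above (the presence check before a user is provisioned, and reprovisioning only when the External identifier matches) can be modelled as follows. This is an added example, not ICM or OKTA code: the ScimUserStore class, the HTTP status codes it returns and the sample user values are assumptions, while the schema URNs and message shapes are those of SCIM 2.0.

```python
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

class ScimUserStore:
    """Hypothetical service-provider user store; not ICM's implementation."""

    def __init__(self):
        self.users = {}  # SCIM id -> User resource

    def find(self, user_name):
        # Same lookup as GET /Users?filter=userName eq "<user_name>";
        # userName is case-insensitive in the SCIM core schema.
        wanted = user_name.lower()
        return next((u for u in self.users.values()
                     if u["userName"].lower() == wanted), None)

    def provision(self, payload):
        """Handle POST /Users; returns (status, body). Statuses are assumed."""
        if USER_SCHEMA not in payload.get("schemas", []) or "userName" not in payload:
            return 400, {"detail": "core User schema or userName missing"}
        existing = self.find(payload["userName"])
        if existing is None:  # not present yet: create the user
            user = dict(payload, id=str(uuid.uuid4()), active=True)
            self.users[user["id"]] = user
            return 201, user
        if existing["active"]:  # already present and active: refuse a duplicate
            return 409, {"scimType": "uniqueness", "detail": "user exists"}
        if existing.get("externalId") != payload.get("externalId"):
            return 409, {"detail": "externalId does not match stored value"}
        existing["active"] = True  # matching externalId: reactivate
        return 200, existing

    def patch(self, user_id, payload):
        """Handle PATCH /Users/{id} carrying a 'replace' of 'active'."""
        user = self.users.get(user_id)
        if user is None:
            return 404, {"detail": "no such user"}
        if PATCH_SCHEMA not in payload.get("schemas", []):
            return 400, {"detail": "PatchOp schema missing"}
        for op in payload.get("Operations", []):
            value = op.get("value")
            if op.get("op", "").lower() == "replace" and isinstance(value, dict) and "active" in value:
                user["active"] = bool(value["active"])
        return 200, user

def deactivate_request():
    # Body an identity provider can send when a user is unassigned.
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "value": {"active": False}}]}
```

Keeping the deactivated record, rather than deleting it, is what lets the stored External identifier gate a later reprovision.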
To create user groups in ICM using SCIM, you must create the masterdata SCIM Groups Mapping.
The SCIM Groups Mapping masterdata is created to define the mapping before enabling the group Push from SCIM to ICM, for example, to push the Group SCIM Admins from SCIM to ICM as Local Admins. If the mapping is not present, the Group SCIM Admins will be created as Group SCIM Admins in ICM, and a masterdata record will also be created in SCIM Groups Mapping masterdata if the masterdata is available.
Note: The SCIM Groups Mapping masterdata is optional.
The Create Masterdata page contains the following tabs:
Note: In order to create user groups in ICM using SCIM, you must select SCIM Groups Mapping from the drop-down.
The SCIM Groups Mapping created is displayed as shown in the screenshot below:
To create User Group using SCIM:
Push Groups:
Push Group is used to create User Groups in ICM. You can push groups with members, but each member must already have been provisioned in ICM through Assignment, either individually or by group assignment.
Note: The difference between Groups and Push Groups is that Groups need to be assigned using Assignments, whereas Push Groups is only meant to push users (part of the selected group) to be provisioned in ICM in one go. These groups are not assigned in the Assignments tab.
Note: Users need to be assigned through assignment to be pushed by Push Groups.
To deprovision a user using SCIM, you first need to remove the user from the Push Groups. For example, let us remove the user Michael Smith from the Push Groups SCIM to ICM group.