====== SCIM 2.0 Integration ======

Access Anywhere supports system-to-system user provisioning for authentication systems connected using the SAML protocol. Access Anywhere implements the SCIM 2.0 profile, allowing Identity Providers to automatically provision users into Access Anywhere.

== last updated on June 22, 2023 ==

===== Getting Started =====

Access Anywhere's SCIM 2.0 connection is available to Authentication Systems that use SAML. Integrating SCIM 2.0 is not mandatory for using the SAML Authentication System, but it provides:

* Automatic user provisioning into Access Anywhere
* Automatic user information updates
* Account deactivation

These operations have been tested with Okta, Azure AD and OneLogin. Many Identity Providers support SCIM 2.0; this document gives the setup process for a few of them.

===== Enabling the SCIM 2.0 Server =====

To enable SCIM support, you must first enable the SCIM Server on Access Anywhere.

As the Org Admin, navigate to **Auth Systems** and click the Edit pencil next to the SAML authentication system you want to set this up for. Under the section **SCIM 2.0 - Server Configuration**, select **Yes** for the option **Enable SCIM 2.0 Server**.

Make a local copy of the **Tenant URL** and **Secret Token** for later use. The Secret Token is the bearer credential your IdP presents on every SCIM request, so handle it as you would any other service password: store it in the IdP's credential field or a secrets manager rather than a shared document, and rotate it if it is exposed.

Finally, save the settings on this screen. Your SCIM server is now enabled.

===== SCIM Attributes and SAML Assertions =====

It is important that the attributes SCIM uses to provision accounts in Access Anywhere match the attributes you configure in the SAML assertion. Your IdP will send a SCIM Username to Access Anywhere; Access Anywhere uses that field for both the 'Unique User Attribute' and 'User Login' fields.
For SAML assertion logins to work with SCIM-provisioned users, the same attribute used for the SCIM Username must be used in the SAML attribute section for those two fields (Unique and Login). If the values differ (for example, the assertion carries a bare username while SCIM sent an email address), the SAML login will not match the provisioned account.

The tenant URL created by Access Anywhere ends with a slash ('/'). When your IdP uses this tenant URL to compose SCIM requests to Access Anywhere, it appends further path text, for example "/Users/". If your IdP includes a leading slash, as in this example, the resulting URL will contain two consecutive slashes and Access Anywhere will not process the SCIM request as expected. If your IdP uses a leading slash, remove the trailing slash from the tenant URL when you save it in your IdP's SCIM settings so the resulting URLs do not contain double slashes.

===== Azure Active Directory =====

In Azure AD, navigate to **Enterprise Applications** and select the application that represents your SAML connection to Access Anywhere.

===== Okta =====

From your SAML connection, edit the **App Settings** under **General**. In the **Provisioning** section select **SCIM** and save those settings. A **Provisioning** tab should appear. Click **Edit** on the settings and configure the following:

- In **SCIM connector base URL** enter the Tenant URL value (taking the trailing-slash note above into account).
- In **Unique identifier field for users** enter **user.login**.
- Under **Supported provisioning actions** select:
  - Import New Users and Profile Updates
  - Push New Users
  - Push Profile Updates
  - Push Groups
- Set **Authentication Mode** to **HTTP Header**.
- In the **Authorization** field enter the Secret Token.
- Click **Test** to verify the connection, then **Save**.

From the **Provisioning** menu, click **Integration**.
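The following is an added worked example, not code from the Access Anywhere product or its documentation. It shows, from the IdP side, what the two pitfalls in the sections above look like in practice: composing a SCIM request URL from a tenant URL without producing a double slash, and checking that the value the IdP sends as the SCIM ''userName'' is the same value the SAML assertion carries in the attributes mapped to 'Unique User Attribute' and 'User Login'. The tenant URL, token, user record and function names (''scim_url'', ''scim_headers'', ''scim_user_payload'', ''attributes_consistent'') are constructed for illustration; the ''Authorization: Bearer'' header is what an IdP sends in the HTTP Header authentication mode, and the ''application/scim+json'' media type is the one SCIM 2.0 defines.

```python
"""Added example (not Access Anywhere's own code): build SCIM 2.0 requests against a
tenant URL the way an IdP's SCIM client does, avoiding the double-slash problem, and
verify that the SCIM userName matches the SAML attributes used for login."""
import json
from urllib.parse import urlsplit

# Constructed sample values. In a real setup, copy the Tenant URL and Secret Token
# from the SAML auth system's "SCIM 2.0 - Server Configuration" screen.
TENANT_URL = "https://files.example.com/scim/v2/"   # note the trailing slash
SECRET_TOKEN = "example-secret-token"                # placeholder, not a real token


def scim_url(tenant_url: str, resource_path: str) -> str:
    """Join the tenant base URL and a resource path (e.g. '/Users/') so that
    exactly one slash separates them, whichever side supplied the slash."""
    base = tenant_url.rstrip("/")
    path = resource_path.strip("/")
    return f"{base}/{path}" if path else base


def has_double_slash_in_path(url: str) -> bool:
    """True if the URL's path component contains consecutive slashes, i.e. the
    malformed shape Access Anywhere will not process (scheme '//' is ignored)."""
    return "//" in urlsplit(url).path


def scim_headers(secret_token: str) -> dict:
    """Headers an IdP sends when its SCIM authentication mode is 'HTTP Header':
    the Secret Token goes in the Authorization header as a bearer token."""
    return {
        "Authorization": f"Bearer {secret_token}",
        "Content-Type": "application/scim+json",
        "Accept": "application/scim+json",
    }


def scim_user_payload(login: str, given: str, family: str, email: str,
                      active: bool = True) -> dict:
    """Minimal SCIM 2.0 User resource, as sent in a POST to /Users.
    'userName' is the value Access Anywhere uses for both the Unique User
    Attribute and User Login fields."""
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": login,
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": email, "primary": True}],
        "active": active,
    }


def attributes_consistent(scim_user: dict, saml_attributes: dict,
                          unique_attr: str, login_attr: str) -> bool:
    """Check that the SAML assertion attributes mapped to 'Unique User Attribute'
    and 'User Login' both carry exactly the SCIM userName value. A mismatch means
    the SAML login will not resolve to the SCIM-provisioned account."""
    username = scim_user["userName"]
    return (saml_attributes.get(unique_attr) == username
            and saml_attributes.get(login_attr) == username)


if __name__ == "__main__":
    users_url = scim_url(TENANT_URL, "/Users/")       # IdP adds a leading slash
    print("POST", users_url)
    print(json.dumps(scim_headers(SECRET_TOKEN), indent=2))
    user = scim_user_payload("jdoe@example.com", "Jane", "Doe", "jdoe@example.com")
    print(json.dumps(user, indent=2))
    # Constructed SAML attribute statement from the same IdP user record.
    assertion_attrs = {"user.login": "jdoe@example.com", "email": "jdoe@example.com"}
    print("SAML attributes match SCIM userName:",
          attributes_consistent(user, assertion_attrs, "user.login", "email"))
```

''scim_url'' strips the slash on both sides before joining, which is the programmatic equivalent of the manual advice above (drop the trailing slash from the tenant URL when the IdP adds a leading one); ''has_double_slash_in_path'' is the check to run on a captured request URL when SCIM calls are failing unexpectedly.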