SCIM 2.0 Integration

Access Anywhere supports system-to-system user provisioning for authentication systems connected using the SAML protocol. Access Anywhere implements the SCIM 2.0 profile, allowing Identity Providers to automatically provision users into Access Anywhere.

last updated on June 22, 2023

Getting Started

Access Anywhere's SCIM 2.0 connection is available to Authentication Systems utilising SAML.

Integrating SCIM 2.0 is not mandatory when using the SAML Authentication System, but integrating it provides:

  • Automatic user provisioning into Access Anywhere
  • Automatic user information updates
  • Account deactivation

These operations have been tested with Okta, Azure AD FS and OneLogin.

Many Identity Providers support SCIM 2.0, and this document provides the setup process for a few identity providers.

Enabling the SCIM 2.0 Server

To enable the SCIM support, you must first enable the SCIM Server on Access Anywhere.

As the Org Admin, navigate to Auth Systems and click the Edit Pencil next to the SAML authentication system you want to set this up for.

Under the section SCIM 2.0 - Server Configuration, select Yes to the option Enable SCIM 2.0 Server.

Make a local copy of the Tenant URL and Secret Token for later use. Treat the Secret Token as a credential: it is sent by the IdP on every SCIM request, and anyone holding it can create, update and deactivate users in Access Anywhere, so store it only in the IdP's SCIM settings or a secret store, never in shared documents or chat.

Finally save the settings on this screen.

Your SCIM server is now enabled.

SCIM Attributes and SAML Assertions

It is important to ensure that the attributes SCIM uses to provision the accounts in Access Anywhere match the attributes you set up in the SAML assertion.

Your IdP will send a SCIM Username (the SCIM userName attribute) to Access Anywhere. Access Anywhere uses that value for both the 'Unique User Attribute' and 'User Login' fields. For SAML assertion logins to work for SCIM-provisioned users, the same attribute used for the SCIM Username must be mapped to those two fields (Unique and Login) in the SAML attribute section of the authentication system. If the two differ (for example SCIM sends the email address but the SAML assertion carries a UPN), a SAML login will not match the provisioned account.

The tenant URL created by Access Anywhere ends with a slash ('/'). When your IdP uses this tenant URL to compose SCIM requests to Access Anywhere, it appends a resource path, for example "/Users/", to the tenant URL. If your IdP's path starts with a leading slash, as in this example, the resulting URL will contain two consecutive slashes ("/scim/v2//Users/") and Access Anywhere will not process the SCIM request as expected. If your IdP uses a leading slash, remove the trailing slash from the tenant URL when you save it in your IdP's SCIM settings so that the resulting URLs do not contain double slashes.
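The following is an added example, not code from Access Anywhere or any IdP. It shows what an IdP does with the Tenant URL and Secret Token: it joins the tenant URL with a resource path so that exactly one slash separates them, builds the SCIM 2.0 request with the token as a bearer credential, and checks that the SAML attributes mapped to 'Unique' and 'Login' carry the same value SCIM sent as userName. The tenant URL, token and user values are constructed placeholders, and the `scim_url`, `has_double_slash`, `scim_request`, `provision_user_body` and `saml_login_matches` helpers are this example's own names.

```python
"""Added example (not Access Anywhere or IdP code): build SCIM 2.0 requests
against a tenant URL the way an IdP would, and catch the double-slash
problem described above before it reaches the server."""
import json
from typing import Optional
from urllib.parse import urlsplit
from urllib.request import Request

# Constructed placeholder values. The real Tenant URL and Secret Token come
# from the SCIM 2.0 - Server Configuration screen and must be kept secret.
TENANT_URL = "https://files.example.com/scim/v2/"   # note the trailing slash
SECRET_TOKEN = "example-secret-token"               # placeholder, not a real token


def scim_url(tenant_url: str, path: str) -> str:
    """Join the tenant URL and an IdP-supplied path (e.g. '/Users/') so that
    exactly one slash separates them, whatever each side contributes."""
    return tenant_url.rstrip("/") + "/" + path.lstrip("/")


def has_double_slash(url: str) -> bool:
    """True if the URL *path* (not the scheme's '//') contains '//', which is
    the shape Access Anywhere will not process."""
    return "//" in urlsplit(url).path


def scim_request(tenant_url: str, token: str, method: str, path: str,
                 body: Optional[dict] = None) -> Request:
    """Build the HTTP request an IdP sends: bearer token in the Authorization
    header, SCIM JSON media type, normalised URL. Refuses a malformed URL
    rather than sending a request the server will reject."""
    url = scim_url(tenant_url, path)
    if has_double_slash(url):
        raise ValueError(f"double slash in SCIM URL: {url}")
    data = json.dumps(body).encode() if body is not None else None
    req = Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/scim+json")
    req.add_header("Accept", "application/scim+json")
    return req


def provision_user_body(user_name: str, given: str, family: str, email: str) -> dict:
    """Minimal SCIM 2.0 User resource. userName is the value Access Anywhere
    uses for both 'Unique User Attribute' and 'User Login'."""
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": user_name,
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": email, "primary": True}],
        "active": True,
    }


def saml_login_matches(saml_attrs: dict, unique_attr: str, login_attr: str,
                       scim_user_name: str) -> bool:
    """Check the rule in the text: the SAML attributes mapped to 'Unique' and
    'Login' must both carry the same value SCIM sent as userName."""
    return (saml_attrs.get(unique_attr) == scim_user_name
            and saml_attrs.get(login_attr) == scim_user_name)


if __name__ == "__main__":
    # Naive concatenation reproduces the failure mode: '.../v2//Users/'
    naive = TENANT_URL + "/Users/"
    print(naive, "double slash:", has_double_slash(naive))

    body = provision_user_body("jdoe@example.com", "Jane", "Doe", "jdoe@example.com")
    req = scim_request(TENANT_URL, SECRET_TOKEN, "POST", "/Users/", body)
    print(req.get_method(), req.full_url)

    # Constructed SAML assertion attributes for the same user: aligned when
    # both Unique and Login map to the attribute that equals the SCIM userName.
    assertion = {"email": "jdoe@example.com", "upn": "jdoe@corp.example"}
    print("aligned:", saml_login_matches(assertion, "email", "email", "jdoe@example.com"))
    print("misaligned:", saml_login_matches(assertion, "email", "upn", "jdoe@example.com"))
```

`scim_url` is the normalisation you are applying by hand when you strip the trailing slash in the IdP settings; `has_double_slash` is the check to run against the URLs in the IdP's provisioning log if requests start failing after setup.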

Azure Active Directory

In Azure AD, navigate to the Enterprise Applications, and select the application which represents your SAML connection to Access Anywhere.

Okta

From your SAML connection, edit the App Settings under General.

In the Provisioning section select SCIM

Save those settings

A Provisioning tab should appear.

Click Edit on the settings

In the SCIM connector base URL enter the Tenant URL value.

In Unique identifier field for users input user.login

Under Supported Provisioning Actions select:

  • Import New Users and Profile Updates
  • Push New Users
  • Push Profile Updates
  • Push Groups

Set Authentication Mode to HTTP Header

In the Authorization field input the Secret Token (Okta sends it as a bearer token in the Authorization header of every SCIM request)

Click Test then Save

From the Provisioning menu, click Integration