SCIM Provisioning is an Enterprise feature that allows team administrators to use Identity Providers to provision and deprovision users and groups into Parsec.
Benefits
SCIM provisioning lets companies manage user identities in the cloud efficiently, with centralized addition and removal of users and groups within their organization.
- Lower costs
- Reduced risk
- Streamlined workflows
For Parsec, SCIM Provisioning streamlines how you create, assign, unassign, and remove users and groups.
Setting up SCIM
Okta
- If Okta is not already configured as the SAML Identity Provider (IdP) for your Parsec tenant, follow the steps here before you proceed.
- On the 'Domain & SAML' tab, click the 'Enable SCIM' toggle.
- Copy the SCIM key and tenant URL; you will need these later. Click 'OK'.
- Please note, you have 10 seconds to copy the SCIM key before it is hidden. Generating a new key will revoke the previous auth token.
- In the Okta Admin Portal, navigate to the application you configured as your Parsec tenant's SAML IdP. On the 'General' tab, click 'Edit' next to 'App Settings'.
- Click the 'Enable SCIM provisioning' checkbox.
- Click the 'Provisioning' tab.
- Paste the Tenant URL in the 'SCIM connector base URL'.
- Set 'Unique identifier field for users' to 'email'.
- Select appropriate 'Supported provisioning actions'.
- When selecting your "Supported provisioning actions", you may choose to select "Import Groups" to experience the full provisioning functionality. If you check this box, you may encounter a 400 Bad Request error upon saving your configuration. If that is the case, you'll need to open a support ticket with Okta to request that the SELECTIVE_APP_IMPORT_PLATFORM feature be enabled.
- Set 'Authentication Mode' to 'HTTP Header'
- Paste the SCIM key in the 'Authorization' header.
- Click 'Test Connector Configuration'
- Click 'Save'.
- Before we enable automatic provisioning, we need to verify domain ownership.
- On the 'Domain & SAML' tab of the Teams admin panel, type in your domain name then click 'Add Domain'
- Click 'Copy Text Record'. You will need to add this record to your public DNS.
- Below is an example DNS record. Please note your interface may not look like the one below, but the values will be the same.
- Click 'Verify'.
- In the Okta application, click the 'Push Groups' tab. Click 'Push Groups' then 'Find groups by name'.
- Search for target group(s) by name.
- You can choose whether or not group members are pushed to Parsec immediately.
- If there is already a group in Parsec that matches a group name in Okta, you will have the option to link the groups.
- If there is not a group in Parsec that matches a group name in Okta, select 'Create Group'.
- Click 'Save' or 'Save & Add Another'.
- Click the 'Provisioning' tab.
- Enable 'Create Users', 'Update User Attributes' and 'Deactivate Users'.
- Click 'Save'.
- (Optional) If Okta users were already assigned to the application prior to configuring SCIM provisioning, you can link them by clicking 'Provision User'.
Azure
- If Azure Active Directory (AAD) is not already configured as the SAML Identity Provider (IdP) for your Parsec tenant, follow the steps here before you proceed.
- On the 'Domain & SAML' tab, click the 'Enable SCIM' toggle.
- Copy the SCIM key and tenant URL; you will need these later. Click 'OK'.
- Please note, you have 10 seconds to copy the SCIM key before it is hidden. Generating a new key will revoke the previous auth token.
- In the Azure Portal, navigate to the enterprise application you configured as your Parsec tenant's SAML IdP. Click the 'Provisioning' tab, then 'Get started'.
- Under 'Provisioning Mode' select 'Automatic'.
- Paste the Tenant URL and the SCIM key.
- Click 'Test Connection'.
- Click 'Save'.
- Click 'Provision Azure Active Directory Groups'
- Ensure 'Create', 'Update' and 'Delete' are enabled.
- Under 'Attribute Mappings' ensure 'displayName' and 'members' are present. Delete all other attribute mappings.
- Click 'Save'
- Click 'Provision Azure Active Directory Users'
- Ensure 'Create', 'Read' and 'Delete' are enabled.
- Under 'Attribute Mappings' ensure 'userPrincipalName', 'Switch(...)' and 'displayName' are present. All other attribute mappings can be deleted.
- Click 'userPrincipalName'.
- Under 'Source attribute', make sure the value matches the Name ID value you selected when configuring AAD as the SAML IdP.
- Common values:
- 'userPrincipalName' = 'user.userPrincipalName'
- 'mail' = 'user.mail'
- 'otherMails' = 'user.otherEmail'
- Click 'OK', then 'Save'. Next we need to verify domain ownership.
- At this point, SCIM provisioning is configured, but AAD is not synchronizing users yet. We will come back to enable this after verifying domain ownership.
- On the 'Domain & SAML' tab, type in your domain name then click 'Add Domain'
- Click 'Copy Text Record'. You will need to add this record to your public DNS.
- Below is an example DNS record. Please note your interface may not look like the one below, but the values will be the same.
- Click 'Verify'.
- Back in the Azure Portal, navigate to the SAML IdP enterprise application, click the 'Provisioning' tab, then 'Edit provisioning'.
- Set 'Provisioning Status' to 'On'. Click 'Save'.
- On the 'Provisioning' tab, click 'Start Provisioning'.
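Once provisioning is running from either Okta or Azure, it is worth confirming that deprovisioning takes effect by comparing the users assigned in the IdP with the users the SCIM endpoint lists. The following is an added example, not Parsec's code: it assumes the tenant URL serves a standard SCIM 2.0 (RFC 7644) ListResponse with the user's e-mail in `userName`, and all sample data and function names are constructed for illustration.

```python
import json

# Constructed sample: a SCIM 2.0 ListResponse (RFC 7644) as a GET on
# <tenant URL>/Users would return it, assuming the endpoint follows the RFC.
SAMPLE_LIST_RESPONSE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 4,
    "Resources": [
        {"id": "u1", "userName": "alice@example.com", "active": True},
        {"id": "u2", "userName": "Bob@Example.com", "active": True},
        {"id": "u3", "userName": "carol@example.com", "active": False},
        {"id": "u4", "userName": "dave@example.com", "active": True},
    ],
})

# Constructed sample: e-mail addresses currently assigned to the app in the IdP.
IDP_ASSIGNED = ["alice@example.com", "bob@example.com", "erin@example.com"]


def audit_provisioning(list_response_json, idp_assigned):
    """Compare SCIM-side users with IdP assignments, keyed on e-mail."""
    body = json.loads(list_response_json)
    resources = body.get("Resources", [])
    # A partial page means the listing is incomplete; refuse to diff it.
    if body.get("totalResults", len(resources)) > len(resources):
        raise ValueError("paginated response: fetch the remaining pages first")

    # E-mail is the unique identifier, so compare case-insensitively.
    assigned = {e.strip().lower() for e in idp_assigned}
    active, inactive = set(), set()
    for user in resources:
        email = user.get("userName", "").strip().lower()
        if not email:
            continue
        # A missing "active" flag is treated as active so an account
        # cannot drop out of the audit.
        (active if user.get("active", True) else inactive).add(email)

    return {
        # Still active downstream but no longer assigned: deprovisioning gap.
        "stale_active": sorted(active - assigned),
        # Assigned in the IdP but not created, or currently deactivated.
        "not_provisioned": sorted(assigned - active),
        "deactivated": sorted(inactive),
    }


if __name__ == "__main__":
    print(json.dumps(audit_provisioning(SAMPLE_LIST_RESPONSE, IDP_ASSIGNED), indent=2))
```

Any entry under `stale_active` is an account that kept access after its IdP assignment was removed and should be investigated first.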
Google SSO
Coming Soon!
FAQs
- I use an Identity Provider that is not currently supported. What should I do?
- We are working to support more IdPs in the future. Please let us know by opening an enhancement request.
- I currently have Parsec for Teams, can I use SCIM Provisioning?
- No, SCIM Provisioning is enabled for Enterprise plans only. Please contact your account executive to upgrade.
- Is SCIM required to use SAML for authentication?
- No. SAML Authentication does not require SCIM Provisioning to be enabled.
- Is it possible to automatically confirm user accounts?
- Yes, it is possible for users managed through SCIM. Please see our article on Auto-Confirm User Accounts for information on how to set this up.