SCIM configuration
Once SCIM has been activated on an account provider, it can be further configured to allow a Provisioning Client to be set up. The following configuration areas are available:
- General
- Security
General
Basic settings regarding the Service Provider can be found and configured here.
Endpoint
This is the main entry endpoint for the Service Provider APIs, scoped to the current account provider. A Provisioning Client that wants to connect needs to know this endpoint.
Emergency Brake
The emergency brake flag allows the Service Provider (in this case The Identity Hub) to temporarily disable all SCIM endpoints for this account provider.
When this flag is enabled, Provisioning Clients that call the APIs receive a 503 SERVICE UNAVAILABLE response:

Status: 503 SERVICE UNAVAILABLE
"SCIM e-brake enabled"
Endpoint configuration
This section allows you to configure whether connecting Provisioning Clients are allowed to perform DELETE against the User and Group resources.
Synchronize SCIM store
When a Provisioning Client pushes information to the Service Provider, the account provider configuration determines which of that information is pushed to the account. Consider the following example:
If an account provider's claim mappings do not contain a mapping from a given role to a destination claim, that role is not pushed to the account when it is provided by SCIM.
If an admin later adds the missing role claim mapping to the account provider configuration, accounts that were created or updated before the change are not affected (just as with a logon).
However, it is possible to trigger a synchronization that takes all users previously received from a SCIM Provisioning Client and processes them again based on the most recent account provider configuration. In this example, the given role is then pushed to the account.
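The following is an added example (not The Identity Hub's own code) that models the behaviour just described: SCIM users are kept as received, an account's claims are derived from them through the account provider's claim mappings, and changing the mappings leaves existing accounts untouched until a synchronization re-processes every stored SCIM user. The mapping shape (SCIM role value to destination claim type), the claim type URI and the SCIM user resource are constructed assumptions.

```python
"""Model of 'Synchronize SCIM store' (added example, not The Identity Hub's code)."""
from typing import Dict, Set

# Assumed destination claim type for mapped roles.
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed SCIM 2.0 User resource as a Provisioning Client would push it.
ALICE = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "alice@example.com",
    "roles": [{"value": "Admin"}, {"value": "Auditor"}],
}


class AccountProvider:
    """Account provider with claim mappings, a SCIM store and the resulting accounts."""

    def __init__(self, claim_mappings: Dict[str, str]) -> None:
        # SCIM role value -> destination claim type (assumed mapping shape).
        self.claim_mappings: Dict[str, str] = dict(claim_mappings)
        # userName -> last SCIM resource received from a Provisioning Client.
        self.scim_store: Dict[str, dict] = {}
        # userName -> claim type -> claim values currently on the account.
        self.accounts: Dict[str, Dict[str, Set[str]]] = {}

    def _claims_from_scim(self, resource: dict) -> Dict[str, Set[str]]:
        """Apply the current claim mappings; unmapped roles are dropped, as on logon."""
        claims: Dict[str, Set[str]] = {}
        for role in resource.get("roles", []):
            value = role.get("value")
            destination = self.claim_mappings.get(value)
            if destination is None:
                continue
            claims.setdefault(destination, set()).add(value)
        return claims

    def receive_scim_user(self, resource: dict) -> Dict[str, Set[str]]:
        """A Provisioning Client pushed a User: store it and update the account."""
        name = resource["userName"]
        self.scim_store[name] = resource
        self.accounts[name] = self._claims_from_scim(resource)
        return self.accounts[name]

    def add_claim_mapping(self, role: str, destination: str) -> None:
        """Configuration change only; accounts are not touched until a sync runs."""
        self.claim_mappings[role] = destination

    def synchronize_scim_store(self) -> int:
        """Re-process every user previously received via SCIM; returns how many."""
        for name, resource in self.scim_store.items():
            self.accounts[name] = self._claims_from_scim(resource)
        return len(self.scim_store)


if __name__ == "__main__":
    provider = AccountProvider({"Admin": ROLE_CLAIM})
    print("after push:", provider.receive_scim_user(ALICE))
    provider.add_claim_mapping("Auditor", ROLE_CLAIM)
    print("after mapping change:", provider.accounts["alice@example.com"])
    provider.synchronize_scim_store()
    print("after sync:", provider.accounts["alice@example.com"])
```

An account that was created by a logon rather than by SCIM has no entry in the SCIM store, so the synchronization does not touch it; only users that a Provisioning Client previously pushed are re-processed.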
Security
Security related settings can be found and configured here.
Long-lived access tokens
The Identity Hub supports long-lived Bearer access tokens. An admin can generate them manually in the UI and configure them in the Provisioning Client.
| Column | Description |
|---|---|
| Issued | When the token was issued. |
| Not After | When the token expires. |
| Last used | The last time a SCIM client used this access token. |
| Actions | Extend or delete the access token. |
SCIM Provisioning Clients must supply such a Bearer token in the HTTP Authorization header as follows:

Authorization: Bearer ZXhhbXBsZQ==
Newly created access tokens are valid for 24 months by default. Once they expire, a Provisioning Client can no longer communicate with the secured SCIM APIs, and its calls result in 401 UNAUTHORIZED.
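The following is an added example (not The Identity Hub's own code, nor a SCIM client shipped by any vendor) of how a Provisioning Client call should send the Bearer token and handle the two responses documented on this page: a 503 from the emergency brake is transient and is retried with back-off, while a 401 means the token has expired or been rolled over and must be escalated for token rotation rather than retried. The endpoint URL, the back-off schedule and the in-memory Service Provider are constructed stand-ins so the example runs offline.

```python
"""SCIM client error handling for e-brake (503) vs. rejected token (401); added example."""
import json
import time
from typing import Callable, Tuple

ENDPOINT = "https://idhub.example.test/scim/v2"  # stand-in for the endpoint under General
TOKEN = "ZXhhbXBsZQ=="                            # placeholder token value from this page

Response = Tuple[int, str]
Transport = Callable[[dict], Response]


class EmergencyBrakeEngaged(Exception):
    """503 kept coming back: the Service Provider has all SCIM endpoints disabled."""


class TokenRejected(Exception):
    """401: the access token expired or was rolled over; a new token is required."""


def build_request(method: str, path: str, token: str) -> dict:
    """Build the request with the Authorization header the Service Provider expects."""
    return {
        "method": method,
        "url": ENDPOINT + path,
        "headers": {"Authorization": f"Bearer {token}", "Accept": "application/scim+json"},
    }


def send(transport: Transport, request: dict, max_attempts: int = 3,
         sleep: Callable[[float], None] = time.sleep) -> Response:
    """Retry only on 503 (e-brake); never retry a 401, since the token will not recover."""
    last_body = ""
    for attempt in range(1, max_attempts + 1):
        status, body = transport(request)
        if status == 401:
            raise TokenRejected("access token rejected; generate a new one in the admin UI")
        if status != 503:
            return status, body
        last_body = body
        if attempt < max_attempts:
            sleep(2 ** attempt)  # constructed back-off schedule: 2s, 4s, ...
    raise EmergencyBrakeEngaged(last_body)


def list_users(transport: Transport, token: str,
               sleep: Callable[[float], None] = time.sleep) -> dict:
    """GET /Users and parse the SCIM ListResponse."""
    _, body = send(transport, build_request("GET", "/Users", token), sleep=sleep)
    return json.loads(body)


def provision_outcome(transport: Transport, token: str,
                      sleep: Callable[[float], None] = time.sleep) -> str:
    """What the Provisioning Client should do next: 'ok', 'ebrake' or 'rotate-token'."""
    try:
        list_users(transport, token, sleep=sleep)
        return "ok"
    except EmergencyBrakeEngaged:
        return "ebrake"
    except TokenRejected:
        return "rotate-token"


class FakeServiceProvider:
    """Constructed stand-in for the Service Provider: e-brake for N calls, then token check."""

    def __init__(self, valid_tokens, ebrake_calls: int = 0) -> None:
        self.valid_tokens = set(valid_tokens)
        self.ebrake_calls = ebrake_calls
        self.calls = 0

    def __call__(self, request: dict) -> Response:
        self.calls += 1
        if self.ebrake_calls > 0:
            self.ebrake_calls -= 1
            return 503, '"SCIM e-brake enabled"'
        scheme, _, token = request["headers"].get("Authorization", "").partition(" ")
        if scheme != "Bearer" or token not in self.valid_tokens:
            return 401, ""
        return 200, json.dumps({"totalResults": 0, "Resources": []})


if __name__ == "__main__":
    no_wait = lambda seconds: None  # skip real sleeping in the demo
    print(provision_outcome(FakeServiceProvider({TOKEN}, ebrake_calls=2), TOKEN, no_wait))
    print(provision_outcome(FakeServiceProvider({TOKEN}, ebrake_calls=5), TOKEN, no_wait))
    print(provision_outcome(FakeServiceProvider({TOKEN}), "expired", no_wait))
```

The distinction matters operationally: a 503 should trigger an alert about the Service Provider's emergency brake and a later retry, while a 401 should page whoever manages the token, because every further call with that token will fail until it is extended or replaced.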
When a new access token is requested, the previous access tokens remain valid for a default grace period of 24 hours and are then invalidated, which allows the Provisioning Client's configuration to be rolled over to the new token.
Access tokens that are about to expire or have recently expired (by default 30 days before and after the Not After) can be extended:
- If no active access token exists, the expiring token is extended for another 24 months.
- If an active access token exists, only the most recent expiring token can be extended, and only for another grace period of 24 hours.
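The following is an added example (not The Identity Hub's own code) that models the token lifecycle rules above so the interplay between them can be checked: 24-month validity, the 24-hour rollover grace period that starts when a new token is issued, and the two extension rules for tokens within 30 days of their Not After. Where the page is silent, the model assumes that 24 months is 730 days, that "no active access token exists" refers to tokens other than the one being extended, and that an extension is counted from the later of now and the token's current expiry.

```python
"""Model of long-lived SCIM access token rollover and extension (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

VALIDITY = timedelta(days=730)        # "24 months" (assumption: modelled as 730 days)
ROLLOVER_GRACE = timedelta(hours=24)  # default grace period after a new token is issued
EXTENSION_WINDOW = timedelta(days=30) # default window before/after Not After


@dataclass
class AccessToken:
    token_id: str
    issued: datetime
    not_after: datetime    # the "Not After" column in the UI
    valid_until: datetime  # effective expiry; cut to 24h once a newer token exists
    last_used: Optional[datetime] = None

    def is_active(self, now: datetime) -> bool:
        return self.issued <= now < self.valid_until

    def in_extension_window(self, now: datetime) -> bool:
        return self.not_after - EXTENSION_WINDOW <= now <= self.not_after + EXTENSION_WINDOW


class TokenStore:
    def __init__(self) -> None:
        self.tokens: List[AccessToken] = []

    def issue(self, token_id: str, now: datetime) -> AccessToken:
        """New token; every older active token keeps at most 24 more hours (rollover)."""
        for old in self.tokens:
            if old.is_active(now):
                old.valid_until = min(old.valid_until, now + ROLLOVER_GRACE)
        token = AccessToken(token_id, now, now + VALIDITY, now + VALIDITY)
        self.tokens.append(token)
        return token

    def authenticate(self, token_id: str, now: datetime) -> int:
        """Status a SCIM call with this token gets: 200 while active, otherwise 401."""
        for token in self.tokens:
            if token.token_id == token_id and token.is_active(now):
                token.last_used = now
                return 200
        return 401

    def extend(self, token_id: str, now: datetime) -> timedelta:
        """Apply the extension rules; returns the granted duration or raises ValueError."""
        token = next(t for t in self.tokens if t.token_id == token_id)
        if not token.in_extension_window(now):
            raise ValueError("token is not within 30 days of its Not After")
        others_active = [t for t in self.tokens if t is not token and t.is_active(now)]
        if not others_active:
            # No other active token: the expiring token gets a fresh 24 months.
            token.not_after = token.valid_until = now + VALIDITY
            return VALIDITY
        # An active token exists: only the most recent expiring token gets 24 more hours.
        expiring = [t for t in self.tokens if t.in_extension_window(now)]
        if max(expiring, key=lambda t: t.not_after) is not token:
            raise ValueError("only the most recent expiring token can be extended")
        token.valid_until = max(now, token.valid_until) + ROLLOVER_GRACE
        token.not_after = max(token.not_after, token.valid_until)
        return ROLLOVER_GRACE

    def try_extend(self, token_id: str, now: datetime) -> Optional[timedelta]:
        """extend() that reports a refused extension as None instead of raising."""
        try:
            return self.extend(token_id, now)
        except ValueError:
            return None


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = TokenStore()
    store.issue("A", t0)
    store.issue("B", t0 + timedelta(days=700))          # rollover starts for A
    print("A 12h after B issued:", store.authenticate("A", t0 + timedelta(days=700, hours=12)))
    print("A 25h after B issued:", store.authenticate("A", t0 + timedelta(days=700, hours=25)))
    print("extend A while B active:", store.try_extend("A", t0 + timedelta(days=700, hours=25)))
```

Running the rules through this model makes the practical point visible: once a replacement token exists, an expiring token can only be nudged forward a day at a time to finish a rollover, so a Provisioning Client should be reconfigured with the new token within the 24-hour grace period rather than relying on repeated extensions.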