Simplify user and group management in Unity Cloud with SCIM provisioning, which automates account synchronization from your Identity Provider (IdP) like Okta. This guide provides step-by-step instructions to configure SCIM, including generating a SCIM URL in Unity Cloud, setting up API integration in your IdP, and mapping attributes. Note key limitations, such as one-way syncing and account deletion instead of deactivation. SCIM ensures efficient provisioning and de-provisioning, helping organizations manage access seamlessly. Refer to the Unity SCIM Documentation for more information.
Introduction:
System for Cross-domain Identity Management (SCIM) is a standardized protocol that simplifies the automation of user and group provisioning between your Identity Provider (IdP) and Unity Cloud. By enabling SCIM, organizations can streamline user management tasks, such as synchronizing users and groups or automatically deleting accounts when users leave the organization.
This guide provides step-by-step instructions to configure SCIM provisioning for Unity Cloud using an Identity Provider (IdP) such as Okta, or any other IdP that supports the Basic Authentication method.
Prerequisites:
Before you begin, ensure the following:
- You have administrative access to both Unity Cloud and your IdP (e.g., Okta).
- You have an active Unity Enterprise or Industry subscription.
- You have already configured single sign-on (SSO) for your organization. See 'How do I enable SSO for my Unity organization?'.
- Your domains are validated.
- Unity Cloud's SCIM feature is enabled for your organization.
- Your IdP supports SCIM provisioning (e.g., Okta).
Resolution:
1. Generate the SCIM URL in Unity Cloud
Unity Cloud provides a SCIM URL and requires a token for authentication. Follow these steps to retrieve them:
- Navigate to the Unity Cloud dashboard and log in with administrative credentials.
- Go to Administration > SSO > SCIM Provisioning (Beta) to confirm access to the feature before proceeding.
- The SCIM base connector URL is displayed in the SCIM Provisioning section. Copy it for use in your IdP configuration.
2. Configure SCIM provisioning in your IdP
For Okta:
- In the Okta admin console, navigate to Applications > Unity Cloud (or create a new application if Unity Cloud is not listed).
- In the Provisioning tab, click Integration > Configure API Integration.
- Paste the SCIM URL from Unity Cloud into the Base URL field.
- Click Test API Credentials to verify the SCIM integration. If successful, you can proceed.
- Set up user and group mappings in Okta. Ensure attributes align with Unity Cloud's requirements.
- Save the configuration and enable automatic provisioning.
Important limitations
- Deletion of accounts: Unity ID supports deleting accounts, but not deactivating them. Unity treats deactivation requests as deletion requests. Because deprovisioning removes the user's information on Unity's side, do not temporarily deprovision a user who might want to reactivate their account later; otherwise, you may have to recreate the account after deprovisioning.
- One-way syncing, from your IdP to Unity: Unity doesn't support syncing from Unity to your IdP. If you sync data from Unity to your IdP, review all synced data. This data includes these users:
  - Users who have created their account directly in Unity ID.
  - Users who utilize single sign-on (SSO) and whom you provision through SCIM and just-in-time (JIT).
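The two points above that matter most to an administrator, the "Test API Credentials" check in step 2 and the fact that Unity treats deactivation as deletion, can be exercised outside the IdP console. The following is an added example written for this guide, not Unity's or Okta's code; the SCIM base URL and credentials are placeholders (the real URL comes from Administration > SSO > SCIM Provisioning), and it assumes the Basic Authentication method and the standard SCIM 2.0 /ServiceProviderConfig endpoint.

```python
"""Constructed helpers for a SCIM connector that uses HTTP Basic auth."""
import base64
from urllib.parse import urljoin
from urllib.request import Request, urlopen

# Placeholders only: copy the real base URL from Unity Cloud's SCIM Provisioning section.
SCIM_BASE_URL = "https://scim.example.invalid/v2/"
SCIM_USER, SCIM_SECRET = "scim-connector", "replace-me"


def basic_auth_header(user: str, secret: str) -> dict:
    """Build the Authorization header an IdP sends when SCIM uses Basic Authentication."""
    token = base64.b64encode(f"{user}:{secret}".encode()).decode()
    return {"Authorization": f"Basic {token}", "Accept": "application/scim+json"}


def build_test_request(base_url: str, user: str, secret: str) -> Request:
    """Equivalent of Okta's 'Test API Credentials': authenticated GET of /ServiceProviderConfig."""
    base = base_url if base_url.endswith("/") else base_url + "/"
    return Request(urljoin(base, "ServiceProviderConfig"),
                   headers=basic_auth_header(user, secret), method="GET")


def is_deactivation(scim_request: dict) -> bool:
    """True when a PATCH or PUT would set active=false, which Unity treats as deletion."""
    method, body = scim_request.get("method"), scim_request.get("body", {})
    if method == "PUT":
        return body.get("active") is False
    if method != "PATCH":
        return False
    for op in body.get("Operations", []):
        if op.get("op", "").lower() not in ("replace", "add"):
            continue
        value = op.get("value")
        if op.get("path") == "active" and value is False:
            return True          # {"op": "replace", "path": "active", "value": false}
        if isinstance(value, dict) and value.get("active") is False:
            return True          # {"op": "replace", "value": {"active": false}}
    return False


def destructive_requests(plan: list) -> list:
    """Return every planned request that would remove a Unity account: DELETE or deactivation."""
    return [r for r in plan if r.get("method") == "DELETE" or is_deactivation(r)]


if __name__ == "__main__":
    # Constructed plan of outgoing SCIM calls; review the destructive ones before enabling sync.
    plan = [{"method": "PATCH", "path": "/Users/1",
             "body": {"Operations": [{"op": "replace", "value": {"active": False}}]}}]
    print(destructive_requests(plan))
    urlopen(build_test_request(SCIM_BASE_URL, SCIM_USER, SCIM_SECRET))  # raises if credentials fail
```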
Troubleshooting
If you encounter issues during setup:
- Verify that the SCIM URL is correct.
- Check your IdP’s attribute mappings to ensure they match Unity Cloud’s requirements.
- Consult the SCIM documentation for additional details: Unity SCIM Documentation.