Provisioning users from your IdP using SCIM integration

You can set up a SCIM integration to provision users from your identity provider (IdP) to your Absolute account.

If you have enabled Single Sign-on using any of the following SAML 2.0 identity providers An online service or website that creates, maintains, and manages identity information and authenticates users on the Internet using security tokens. (IdP), you can enable SCIM integration:

Absolute's SCIM integration solution supports the SCIM 2.0 protocol only.
Absolute has tested and validated SCIM integration using the IdPs listed above. If you are using another IdP, you should be able to enable SCIM integration with any IdP that supports the SCIM 2.0 protocol.

Note that if your IdP uses endpoints or HTTP methods (for example, HEAD) that are not specified in the SCIM 2.0 protocol, SCIM integration will not work.

The System for Cross-domain Identity Management (SCIM) specification is an open standard that streamlines identity management in cloud environments and enables automated user provisioning across domains in a secure and efficient way.

Absolute's SCIM Integration feature allows user updates in your IdP to automatically sync to your Absolute account. When SCIM integration is enabled, the following user information is synced from your IdP:

  • First and last name
  • Email
  • User status
  • IdP group

To set up SCIM integration, you need to complete the following key tasks:

  1. Create an API token to authenticate the integration
  2. Configure SCIM integration in the Secure Endpoint Console
  3. Set up the integration in your IdP by completing the following actions:
    1. Add Absolute as a new SCIM application and configure it
    2. Enable SCIM integration in your IdP
    3. Assign IdP groups to the Absolute SCIM application
  4. Verify that user information is successfully synchronized

We highly recommend that you review the following sections before setting up SCIM integration.

Every user needs to be assigned a user role, and a group of devices that they have access to. To automate this process when SCIM integration is enabled, you can map IdP groups to a user role and static group during setup.

There are two types of mappings that you can configure:

The System Administrator user role is excluded from the mapping process. To assign this role to a synced user, go to User Management. Learn more

Mapping

Details

Custom mapping

Maps one or more IdP groups to a role and one or more device groups

You can add multiple custom mappings, but an IdP group can be included in only one custom mapping.

For example:

Mapping

IdP groups

Role

Device group
1

Group A

Administrator

All active devices
2

Group C

Power User

Northern region devices
3

Group B

Group E

Guest User

Southern region devices
4

Group D

Group F

 Power User Southern region devices

Default mapping

A setting that does one of the following:

  • Assigns a user role and device groups to all new users when no custom mappings exist

    -or-

  • Assigns a user role and device groups to new users that do not belong to one of the IdP groups included in a custom mapping

By default, this mapping is set to the Guest User role and the All active devices group, but you can change these settings.

With the exception of System Administrators, any changes you make to a user's role or device groups in User Management will be replaced on the next sync from your IdP. Also note that if a user belongs to multiple custom mapped IdP groups, their role and device groups are determined by the mapping for the IdP group sent in the most recent sync.

It's important to understand what happens to your existing Absolute users when you enable the integration:

  • For users that belong to a custom mapped IdP group, the custom mapping is applied, so depending on the user role and device groups mapped to the IdP group, their permissions and assigned devices may change.
  • For users that do not belong to a custom mapped IdP group, or if no custom mappings exist, their assigned user role and device groups remain unchanged. If you subsequently update their group in your IdP, the default mapping is applied.
  • System Administrators are excluded from the mapping process. After a user is upgraded to System Administrator, any mapping that would normally apply to the user is ignored. Learn more

Data synchronizations are automatically triggered when a user or group is updated in your IdP.

The frequency and timing of each sync is controlled by your IdP. Syncs may occur in near real time as user or group actions occur, or they may be scheduled. For more information, refer to IdP documentation.

The date and time when the last sync occurred shows on the Authentication settings page under SCIM integration.

Syncs are not triggered when you edit a custom mapping in the Secure Endpoint Console. For these mapping changes to take effect, you need to log in to your IdP and update the custom mapped IdP group, which will trigger a sync.

Depending on the user actions included in the latest sync, the following events may be logged in Event History:

  • User created
  • User updated
  • User deleted

Absolute's SCIM integration feature can automatically sync the following actions performed in your IdP:

Password actions are not synced.

Action in IdP

Actions in Absolute
User actions

For a user action to be synced, the user, or their IdP group, must be assigned to the Absolute SCIM application in your IdP. Note that depending on your IdP, users that belong to a subgroup may not be not synced.

New user created
  • User is added to the Users page in User Management
  • Invitation email is sent to the user
  • User created event is logged to Event History

If the new user belongs to a custom mapped IdP group, the custom mapping's role and device groups are assigned to the user. Otherwise, the default mapping's role and device groups are assigned.

The user's language, locale, time zone, and session timeout settings are not synced from your IdP, but default settings are applied to each user when their user profile is created in Absolute. Learn more

User first and/or last name updated
  • User's name is updated in User management
  • User updated event is logged to Event History

User activated/enabled
  • User status is set to Active
  • User updated event is logged to Event History
User deactivated/disabled/soft deleted
  • User status is set to Suspended
  • User updated event is logged to Event History

User deleted
  • User account is deleted from User Management
  • User deleted event is logged to Event History
Group actions

For a group action to be synced, the IdP group must be assigned to the Absolute SCIM application in your IdP.
User removed from a synced IdP group An IdP group that has been assigned to the Absolute SCIM application in your IdP, which enables user information to be synced from your IdP to your Absolute account. Applies to SCIM integration only.
User moved from one IdP group to another

IdP group deleted, or it is unassigned from the Absolute SCIM application

Deleted IdP groups are not synced from OneLogin or PingOne.

IdP group name updated

This action is not synced from OneLogin or PingOne.
  • The group's name in its custom mapping (if applicable) is updated.

After SCIM integration is enabled:

  • New users are added via your IdP
  • The following user information for all users is managed solely in your IdP:
    • First and last name
    • User status
  • The following tasks are no longer available in User Management:
    • Inviting users
    • Editing a user's name
    • Changing the status of a user (for example, suspending a user)
  • For all users except System Administrators, any changes you make to their device groups or role are overwritten on the next sync. Instead, do one of the following:
    • Log in to your IdP and move the user to the IdP group that is mapped to the desired device groups and role
    • Create a custom mapping for the user's IdP group
      Example

      A custom mapping does not exist for a particular user's IdP group, so the default mapping was applied to the new user. The user is currently a Guest User. You want to assign the Power User role to this user, so you add a new custom mapping that maps the user's IdP group to the Power User role and the desired device groups.

You can delete a user directly in the Secure Endpoint Console, but if you fail to also delete the user in your IdP, the user will be re-added on the next sync from your IdP.

After SCIM integration is enabled, System Administrators are managed using both User Management and your IdP.

User Management tasks

The following tasks are performed in User Management:

  • Assigning the System Administrator role to a synced user

    After you upgrade a user to the System Administrator role, any mapping that would normally apply to the user is ignored.

  • Downgrading a System Administrator to a role with fewer permissions

    Note that after the new role is assigned to the user, any mapping that applies to the user is now enforced because the user is no longer a System Administrator. As a result, the role change may be overwritten on the next sync.

  • Deleting a System Administrator

    If the user still exists in the IdP, they are re-added on the next sync, but they are assigned the role and device groups that apply to their mapped IdP group.

IdP tasks

The following tasks are performed in your IdP:

  • Adding a new user that you want to assign the System Administrator role to in User Management
  • Disabling or deactivating a System Administrator
  • Enabling or activating a System Administrator
  • Updating a System Administrator's name