Setting up and managing SCIM integration
You can set up a SCIM integration to provision users from your identity provider (IdP) to your Absolute account.

To set up SCIM integration, you need to add configurations in both Absolute and your chosen IdP.

Before you set up SCIM integration, ensure the following requirements are met:
- Single Sign-On is enabled using one of the supported IdPs
- Your user role is assigned Manage permissions for both Authentication and SCIM integration

Before you get started, we suggest that you complete the following tasks:
- If you want to map users to a custom role that doesn't already exist, create the custom role now.
- If you want to map users to a device group that doesn't already exist, create the static or smart group now.

To authenticate the API calls from your IdP, you need to generate an API token.
The SCIM API token can only be used to authenticate SCIM integration. It cannot be used to authenticate requests using the Absolute API.
To generate an API token:
- Log in to the Secure Endpoint Console as a user with the Manage permission for SCIM integration and API Credentials. The System Administrator role is the only Default role with this permission.
- On the navigation bar, click Settings > API management.
- Complete the steps to generate an API token.
Both symmetric and asymmetric encryption are supported. Ensure that you grant the token the Perform permission for SCIM integration. No other permission is required.
You will receive an email when this token is about to expire. To ensure that the integration is not interrupted, update the token's expiration date before it expires.
- Make note of the location of the file containing the token ID and secret key. You'll need this information in a later task.
- Go to the next Step.

Set up the integration in the Secure Endpoint Console by mapping group names in your IdP to roles and device groups in Absolute.
To set up SCIM integration in the Secure Endpoint Console:
- Log in to the Secure Endpoint Console as a user with the Manage permission for SCIM integration. The System Administrator role is the only Default role with this permission.
- On the navigation bar, click Settings > Authentication settings.
- In the Single Sign-On area, ensure that Single Sign-On is enabled.
- In the SCIM integration area, click Set up SCIM... to open the Set up SCIM integration dialog.
- Under SCIM connector base URL, click Copy, and paste the URL in a text file. We suggest pasting it in the file you created in the previous task that contains the API token information.
You will need this information when you configure your IdP in the next section.
If you have not yet generated an API token for this integration, click Create and manage token under Access token.
- Under User Mapping, do the following:
- To add a custom mapping:
- Under Custom mapping, click ADD.
- Click the IdP Groups field and enter the name of each group in your IdP that you want to map to a specific role in Absolute. Press Enter after each group name, ensuring that the name exactly matches the group name in your IdP. You can add up to 1000 group names (5000 character maximum).
- Click the Role field and select the role to assign to the IdP groups. All existing roles, except the System Administrator role, are available for selection. If you need to create a custom role, go to User Management.
The System Administrator role is not available for selection as it is excluded from the mapping process. To assign this role to a user, go to User Management.
- Click the Device Group field and select each Absolute device group that you want to assign to the IdP groups. You can select up to 25 device groups. To grant access to all devices in your account, select All active devices.
Both static and smart groups are available for selection.
- To add additional custom mappings, click ADD and repeat step 6a.
- To remove a custom mapping, click its icon.
- To update the default mapping:
- Click the Role field and select the role to assign to new users that do not belong to a custom mapped IdP group. By default, the field is set to Guest User. All existing roles, except the System Administrator role, are available for selection. If you need to create a custom role, go to User Management.
- Click the Device Group field and select each Absolute device group that you want to assign to new users that do not belong to a custom mapped IdP group. You can select up to 25 device groups. To grant access to all devices in your account, select All active devices.
Both static and smart groups are available for selection.
- Click . The Set up SCIM integration dialog closes and SCIM integration is enabled in Absolute.
- Go to the next Step.

Set up and enable SCIM integration in your IdP, adding the API token information and the Absolute SCIM connector base URL to the configuration.
To set up SCIM integration in your IdP:
- Log in to your identity provider as a user with permission to set up SCIM integration.
- Complete the steps to add Absolute as a new SCIM application. For detailed instructions, refer to your IdP's documentation.
During this process, ensure that you:
- Select SCIM version 2.0.
- Enter the token ID from the generated SCIM API token in the applicable field. Depending on the IdP, you may also need to enter the secret key.
- Enter the SCIM connector base URL you copied in Step 2 as the SCIM endpoint URL.
- Map user attributes as follows:

| IdP attribute | Absolute attribute |
| --- | --- |
| First name or Given name | First Name |
| Last name or Family name or Surname | Last Name |
| Username | Email |
| Email | Email |

If you're configuring Microsoft Entra ID, ensure that you do the following in the Mappings section:
- Delete the objectId mapping for the Group object.
- Delete all mappings for the Users object, except for the following:
- userPrincipalName
- Switch([IsSoftDeleted], , "False", "True", "True", "False")
- givenName
- surname
- Assign the applicable IdP groups to the Absolute SCIM application.
At a minimum, ensure that you assign all custom mapped IdP groups, but you can also assign other IdP groups and individual users. The default mapping is applied to users that are not covered by a custom mapping.
- Go to the next Step.
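
The checks below are an added example, not code from Absolute or from this page: a pre-flight audit of a planned mapping against the limits stated in Step 2 and the group assignment rule in this step, plus a preview of the role a user would receive. The dictionary layout, the sample names, the way the 5000-character limit is counted, and the flagging of users who match more than one custom mapping are assumptions.

```python
# Added example, not Absolute's code. The 5000-character count is an assumption.
MAX_GROUPS, MAX_CHARS, MAX_DEVICE_GROUPS = 1000, 5000, 25
EXCLUDED_ROLE = "System Administrator"
ALL_DEVICES = "All active devices"

def audit_mapping(mapping, idp_groups, assigned_groups):
    """Return findings for one custom mapping (an empty list means clean)."""
    names, devices = mapping["idp_groups"], mapping["device_groups"]
    checks = [
        (len(names) > MAX_GROUPS, f"more than {MAX_GROUPS} group names"),
        (sum(map(len, names)) > MAX_CHARS, f"names exceed {MAX_CHARS} characters"),
        (mapping["role"] == EXCLUDED_ROLE, f"{EXCLUDED_ROLE} cannot be mapped"),
        (len(devices) > MAX_DEVICE_GROUPS, f"more than {MAX_DEVICE_GROUPS} device groups"),
        (ALL_DEVICES in devices, "grants access to all devices; confirm intent"),
    ]
    findings = [message for failed, message in checks if failed]
    for name in names:
        if name not in idp_groups:  # names must match the IdP exactly
            near = [g for g in idp_groups if g.strip().lower() == name.strip().lower()]
            hint = f" (did you mean {near[0]!r}?)" if near else ""
            findings.append(f"{name!r} is not an IdP group{hint}")
        elif name not in assigned_groups:
            findings.append(f"{name!r} is not assigned to the SCIM application")
    return findings

def preview_role(user_groups, mappings, default):
    """Role a user would receive; overlapping mappings are flagged for review."""
    hits = [m for m in mappings if set(m["idp_groups"]) & set(user_groups)]
    if not hits:
        return default["role"]  # default mapping covers everyone else
    if len({m["role"] for m in hits}) > 1:
        return "AMBIGUOUS"  # the page does not say which mapping would win
    return hits[0]["role"]

# Constructed sample data; group, role and device-group names are hypothetical.
IDP_GROUPS = {"SecOps-Analysts", "Helpdesk-Tier1", "Contractors"}
ASSIGNED = {"SecOps-Analysts", "Contractors"}
MAPPINGS = [
    {"idp_groups": ["SecOps-Analysts"], "role": "SOC Analyst (custom)",
     "device_groups": [ALL_DEVICES]},
    {"idp_groups": ["helpdesk-tier1 "], "role": "Helpdesk (custom)",
     "device_groups": ["EMEA laptops"]},
]
DEFAULT = {"role": "Guest User", "device_groups": ["Lobby kiosks"]}

if __name__ == "__main__":
    for m in MAPPINGS:
        print(m["role"], audit_mapping(m, IDP_GROUPS, ASSIGNED))
    print("Contractors ->", preview_role(["Contractors"], MAPPINGS, DEFAULT))
```

Running the audit before the first sync catches a mistyped group name, which would otherwise silently drop those users into the default mapping.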

In the Secure Endpoint Console, you need to verify that users were successfully synced.
To verify the integration:
- Wait for the first sync to occur. To know if the first sync is complete:
- On the navigation bar, click Settings > Authentication settings.
- In the SCIM integration section, check if the message Waiting for initial sync has changed to Last synced <date and time>.
If the sync doesn't occur, review the events in your IdP's provisioning log files, if available. For more information, see IdP documentation. Alternatively, you can troubleshoot the integration.
- On the navigation bar, click > User management > Users.
- Review the list of users to confirm that all synced users are assigned the appropriate role and device group. If there's an issue, you may need to update the integration's custom mappings, or move users to another IdP group.
- During the initial sync, the following user preferences are automatically applied to new users:
Language is set to English (United States)
Time zone is set to (UTC-12:00) Etc/GMT+12
The user preferences of existing users are not updated.
When a new user first logs in to the Secure Endpoint Console, their user preferences are automatically set to the language, locale, and time zone set in their web browser. At any time, the user can update user preferences in their user profile.

After your users are provisioned from your IdP, you may need to update the SCIM integration settings, or change the status of the integration.

To edit the mappings configured in your SCIM integration:
- Log in to the Secure Endpoint Console as a user with the Manage permission for SCIM integration. The System Administrator role is the only Default role with this permission.
If your user role is assigned View permissions for Authentication and SCIM integration, you can view, but not edit, SCIM integration settings.
- On the navigation bar, click Settings > Authentication settings.
- In the SCIM integration area, click Settings to open the Set up SCIM integration dialog.
- Update the custom and default mappings, as required.
If you delete a custom mapping, the user role and device groups assigned to each user by the custom mapping are retained.
- Click .
Your changes will take effect on the next sync.

You can disable SCIM integration at any time, but note the following:
- The automatic synchronization of user information from your IdP stops.
- The role and device groups assigned to each synced user by the SCIM integration are retained. To change the user's role or device group, edit their user profile.
- To invite new users, update users and their status, and delete users, go to User Management.
To disable SCIM integration:
- Log in to the Secure Endpoint Console as a user with the Manage permission for SCIM integration. The System Administrator role is the only Default role with this permission.
- On the navigation bar, click Settings > Authentication settings.
- In the Single Sign-On area, ensure that Single Sign-On is enabled.
- In the SCIM integration area, click Disable SCIM.
- On the confirmation message, click .
On the Authentication Settings page, the status indicator under SCIM Integration shows OFF.

If SCIM integration is configured in the Secure Endpoint Console, but the integration has been disabled, you can enable it.
To re-enable SCIM integration in the console:
- Log in to the Secure Endpoint Console as a user with the Manage permission for SCIM integration. The System Administrator role is the only Default role with this permission.
- On the navigation bar, click Settings > Authentication settings.
- In the SCIM integration area, click Enable SCIM.
- On the confirmation message, click .
On the Authentication Settings page, the status indicator under SCIM Integration shows ON.

If you encounter issues, review the events in your IdP's provisioning log files, if available. For more information, see your IdP's documentation.
The following guidelines may also help you resolve issues with the integration.
Troubleshooting a new integration
If synced users fail to be added to the Users page in User management, do the following:
- Check that the first sync has occurred:
- Review the synchronization schedule in your IdP documentation.
- Check if you can trigger the first sync.
- Check the configurations in both systems. For example, verify that:
- SCIM integration is enabled.
- The SCIM connector base URL and secret key are entered correctly in your IdP.
- The IdP group names were entered correctly in Step 2.
- Your user role can manage the roles that you selected in the custom and default mapping.
Troubleshooting an existing integration
If syncs suddenly stop, verify that:
- SSO and SCIM integration are still enabled in Absolute and your IdP.
- The API token has not expired. You can view expiration dates in API Management.
Note that if the token is expired, you'll need to create a new API token. You can't update the expiry date of an expired token. You'll also need to add the new secret key to the SCIM configuration in your IdP.
If you need assistance, contact Absolute Technical Support.