This guide helps admins set up a SCIM connection between their company's IDP and Smarp.
Although SCIM is a standard for user provisioning, each platform implements it a little differently, so the latter part of this guide is platform-specific. At the moment, the following IDPs have been tested:
- Microsoft Azure Active Directory
SCIM works independently of SSO. However, enabling SAML-based SSO so that users log in to Smarp with the same credentials benefits both users and admins, in convenience (one set of credentials) and in security (the IDP stays the single place where access is granted and revoked). Please refer to this guide to set up SAML SSO with Smarp.
Complete the following steps to set up the SCIM integration:
- Generate new token on Smarp
- Set up SCIM application on IDP
- Test SCIM integration
Generate new token on Smarp
The generated token is used to authenticate the connection between Smarp (as SCIM server) and the IDP (as SCIM client). Follow the instructions here to generate a token. Treat it like a password: whoever holds it can create, modify and deactivate users on your Smarp instance, so store it only in the IDP's credential field and rotate it if it is ever exposed.
Set up SCIM application on IDP
On Microsoft Azure Active Directory
If you don't already have SSO with Smarp, follow these steps to create a new application in your Azure tenant. Otherwise, skip to the next step.
- On your Azure Active Directory Portal, select “Enterprise Application” and add “New Application”
- Select “Non-gallery application” and give it a meaningful name.
- Click “Add”
In the application (either the one you just created or your existing Smarp SSO-enabled application):
- Navigate to the “Provisioning” blade
- Switch “Provisioning Mode” to “Automatic”
- Fill in the "Admin Credentials" as follows:
  - Tenant URL: https://<your-subdomain>.smarpshare.com/api/scim/v2
  - Secret Token: the token generated on Smarp in the previous step. Azure presents it as a Bearer credential on every SCIM request, so it is the only thing protecting the endpoint; do not paste it anywhere else.
- Click “Test Connection”
- In Mappings, disable "Synchronize Azure Active Directory Groups to customappsso", since Smarp doesn't support group provisioning yet.
- Update the user mapping (customappsso) accordingly. At the moment, Smarp supports these attributes:
  - userName: must be an email address; it is the unique identifier of the user.
  - name.firstName: shown as the first name on Smarp
  - name.lastName: shown as the last name on Smarp
  - active: for deprovisioning; Azure sets it to false when a user is unassigned from the app, disabled or soft-deleted in the directory
  - addresses[type eq "work"].country: determines the user's Group on Smarp, matched by Group name. See "Profiling"
  - addresses[type eq "work"].locality: determines the user's team on Smarp, matched by team name. See "Profiling"
  - addresses[type eq "work"].region: determines the user's team on Smarp, matched by team name. See "Profiling"
  - organization: determines the user's team on Smarp, matched by team name. See "Profiling"
  - division: determines the user's team on Smarp, matched by team name. See "Profiling"
  - department: determines the user's team on Smarp, matched by team name. See "Profiling"
- Note: keep only the attributes you actually want synced in the mappings. Smarp's SCIM support is still being extended, so an attribute that is ignored today may be honoured by a later release, and a stray mapping could then start changing user data with undesirable side effects.
- Set the scope according to your needs:
  - "Sync all users and groups" syncs every user and group in your IDP to Smarp. This suits a case where Smarp is available company-wide.
  - Otherwise, choose "Sync only assigned users and groups", which limits provisioning to the users and groups you explicitly assign to the app and is the safer default.
- Switch “Provisioning Status” to “On”.
- Save the app. The initial cycle will start shortly afterwards.
- If you chose "Sync only assigned users and groups" as the scope, open the "Users and groups" blade of the app and add the users and groups to provision. Those users, and the members of those groups, are synced to Smarp when the cycle runs.
Each cycle is logged under the application's "Provisioning logs". Check them after the initial cycle to confirm that users were created and to see any per-user errors reported by Smarp.
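The Azure steps above configure a client that talks to Smarp's SCIM endpoint; the script below is an added example (not Smarp's or Microsoft's code) that builds and, optionally, sends the same kind of requests, so you can test the integration by hand: a filtered lookup of a user, a create with the attributes the guide lists, and the active=false deprovisioning update. Message shapes follow SCIM 2.0 (RFC 7643/7644); placing organization/division/department in the enterprise extension is an assumption, since the guide lists them by bare name, and name.firstName/lastName are used exactly as the guide names them. The subdomain and token come from environment variables that are assumed here; without them the script only builds messages.

```python
"""Smoke-test a Smarp SCIM endpoint with the requests Azure AD's provisioning
service makes.  Added example, not Smarp's or Microsoft's code.

Assumptions (the guide does not spell these out):
 - Message shapes follow SCIM 2.0 (RFC 7643/7644).  name.firstName/lastName are
   used as the guide lists them, although core SCIM calls them
   givenName/familyName.
 - organization/division/department are sent inside the SCIM enterprise
   extension, where core SCIM defines them; the guide lists them by bare name.
 - A live run needs SMARP_SUBDOMAIN and SMARP_SCIM_TOKEN in the environment;
   otherwise the module only builds messages and can be imported offline.
"""
import json
import os
import urllib.parse
import urllib.request

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def tenant_url(subdomain: str) -> str:
    """The Tenant URL the guide says to enter under Azure's Admin Credentials."""
    return f"https://{subdomain}.smarpshare.com/api/scim/v2"


def auth_headers(token: str) -> dict:
    """Azure presents the Secret Token as a Bearer credential on every request.
    It is the only thing protecting the endpoint: keep it out of logs and repos."""
    return {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/scim+json",
        "Accept": "application/scim+json",
    }


def lookup_url(base: str, user_name: str) -> str:
    """First request per user: a filtered GET to learn whether it already exists."""
    escaped = user_name.replace('"', '\\"')  # RFC 7644 3.4.2.2 quoting
    query = urllib.parse.urlencode({"filter": f'userName eq "{escaped}"'})
    return f"{base}/Users?{query}"


def create_user_body(user_name, first_name, last_name, *, active=True,
                     country=None, locality=None, region=None,
                     organization=None, division=None, department=None) -> dict:
    """POST /Users body carrying exactly the attributes the guide lists."""
    body = {
        "schemas": [CORE_USER],
        "userName": user_name,                 # must be an email, unique per user
        "name": {"firstName": first_name, "lastName": last_name},
        "active": active,
    }
    work = {k: v for k, v in {"country": country, "locality": locality,
                              "region": region}.items() if v}
    if work:  # Azure's addresses[type eq "work"].* mappings land here
        body["addresses"] = [{"type": "work", **work}]
    ent = {k: v for k, v in {"organization": organization, "division": division,
                             "department": department}.items() if v}
    if ent:  # assumption: enterprise extension, as in core SCIM
        body["schemas"].append(ENTERPRISE_USER)
        body[ENTERPRISE_USER] = ent
    return body


def deactivate_body() -> dict:
    """PATCH body for deprovisioning through the guide's 'active' attribute."""
    return {"schemas": [PATCH_OP],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


def scim_request(method: str, url: str, token: str, body=None):
    """Send one SCIM request and return (HTTP status, parsed JSON or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers=auth_headers(token))
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


if __name__ == "__main__":
    sub, tok = os.environ.get("SMARP_SUBDOMAIN"), os.environ.get("SMARP_SCIM_TOKEN")
    if not (sub and tok):
        raise SystemExit("set SMARP_SUBDOMAIN and SMARP_SCIM_TOKEN for a live run")
    base = tenant_url(sub)
    probe = "scim.smoketest@example.com"  # constructed test identity
    status, found = scim_request("GET", lookup_url(base, probe), tok)
    print("lookup", status, "totalResults =", (found or {}).get("totalResults"))
    if (found or {}).get("totalResults") == 0:
        status, user = scim_request("POST", f"{base}/Users", tok,
                                    create_user_body(probe, "SCIM", "Smoketest"))
        print("create", status, "id =", user.get("id"))
        status, _ = scim_request("PATCH", f"{base}/Users/{user['id']}", tok,
                                 deactivate_body())
        print("deactivate", status)
```

The live run deliberately creates the probe user without a country so it cannot trip the Group-profiling check, and finishes by deactivating it, mirroring what Azure does when a user drops out of scope. Compare the statuses it prints with what the Azure "Provisioning logs" show for the same operations.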
Profiling
Disclaimer: any "Group" mentioned in this section refers to a Smarp Group, not a Group in the SCIM schema.
Profiling requires the Group feature to be enabled for your Smarp instance first. If it is not, the value is simply ignored.
The Group is taken from the "country" attribute of the SCIM work address. Check the SCIM attribute mappings in your IDP if you wish to use Group Profiling; see the IDP-specific instructions above.
The value is the name of a Group, and the match is case-sensitive. The Group must exist before any user can be assigned to it; if it does not, provisioning of that user fails with an error. To resolve this, create a Group with exactly that name and let the next SCIM cycle run.
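Because the match is case-sensitive and a missing Group fails the user's sync, it pays to check the directory values against the Smarp Group names before the first cycle. The following is an added example (not Smarp's code) of such a pre-flight check: it mirrors the rule stated above (exact, case-sensitive match) and separately flags values that differ from an existing Group only in case, since those are the mismatches that are easiest to miss in the provisioning logs. The group names and the export rows are constructed sample data; in practice the rows come from your IDP's user export.

```python
"""Pre-flight check for Smarp Group Profiling.  Added example, not Smarp's code.

Smarp maps the SCIM work-address 'country' to a Smarp Group by exact,
case-sensitive name and errors on a user whose value has no matching Group.
Run this over a directory export before the first provisioning cycle so the
missing Groups can be created (or the directory values fixed) up front.
"""

# Constructed sample: the Groups that already exist on the Smarp instance.
EXISTING_GROUPS = {"Finland", "Sweden", "United Kingdom"}

# Constructed sample export: (userName, work-address country as the IDP sends it).
DIRECTORY_EXPORT = [
    ("ann@example.com", "Finland"),   # exact match: fine
    ("bob@example.com", "sweden"),    # differs only in case: will NOT match
    ("cho@example.com", "Norway"),    # no such Group: that user's sync errors
    ("dee@example.com", None),        # no value mapped for this user
]


def resolve_group(country, groups):
    """Smarp's rule as the guide states it: the Group whose name equals the
    value exactly (case-sensitive), or None when there is no such Group."""
    return country if country in groups else None


def preflight(rows, groups):
    """Classify every exported user before Azure runs a cycle.

    Returns {'ok': [users], 'case_mismatch': {user: (value, existing_group)},
             'missing': {user: value}}.  Users without a value are skipped."""
    by_fold = {g.casefold(): g for g in groups}
    report = {"ok": [], "case_mismatch": {}, "missing": {}}
    for user, country in rows:
        if not country:
            continue
        if resolve_group(country, groups) is not None:
            report["ok"].append(user)
        elif country.casefold() in by_fold:
            # Would fail on Smarp exactly like a missing Group; the fix is
            # usually to correct the directory value, not to create a Group.
            report["case_mismatch"][user] = (country, by_fold[country.casefold()])
        else:
            report["missing"][user] = country
    return report


def groups_to_create(report):
    """Distinct Group names that must exist before the next cycle can succeed."""
    return sorted(set(report["missing"].values()))


if __name__ == "__main__":
    result = preflight(DIRECTORY_EXPORT, EXISTING_GROUPS)
    for user, (value, existing) in result["case_mismatch"].items():
        print(f"{user}: '{value}' does not match Group '{existing}' (case-sensitive)")
    for user, value in result["missing"].items():
        print(f"{user}: no Group named '{value}'")
    print("Create before syncing:", groups_to_create(result))
```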