This guide helps admins set up a SCIM connection between their company’s IDP and Smarp.
Although SCIM is a standard for user provisioning, its implementation differs from platform to platform. As a result, the latter part of this guide is platform-specific. At the moment, the following IDPs have been tested:
- Microsoft Azure Active Directory
SCIM can work independently of SSO. However, enabling SAML-based SSO so that users log in to Smarp with the same credentials benefits both users and admins in terms of convenience and security. Please refer to this guide to set up SAML SSO with Smarp.
Complete the following steps to set up the SCIM integration:
- Generate new token on Smarp
- Set up SCIM application on IDP
- Test SCIM integration
Generate new token on Smarp
The generated token will be used to set up a connection between Smarp (as SCIM server) and the IDP (as SCIM client). Follow the instructions here to generate a token.
Set up SCIM application on IDP
On Microsoft Azure Active Directory
If you don’t already have SSO with Smarp, follow this step to create a new application in Azure. Otherwise, skip to the next step.
- On your Azure Active Directory Portal, select “Enterprise Application” and add “New Application”
- Select “Non-gallery application” and give it a meaningful name.
- Click “Add”
In your application (either newly created or Smarp SSO-enabled):
- Navigate to the “Provisioning” blade
- Switch “Provisioning Mode” to “Automatic”
- Fill in the “Admin Credentials” as follows:
  - Tenant URL: https://<your-subdomain>.smarpshare.com/api/scim/v2
  - Secret Token: the token acquired earlier from Smarp
- Click “Test Connection”
- In Mappings, disable “Synchronize Azure Active Directory Groups to customappsso”, since Smarp doesn’t support Group provisioning yet.
- Update customappsso accordingly. At the moment, Smarp supports these attributes:
  - userName: should be in the form of an email. It’s unique per user.
  - name.firstName: displayed as the first name on Smarp
  - name.lastName: displayed as the last name on Smarp
  - active: for deprovisioning
  - country: determines the user’s group on Smarp, matched by group name. See “Profiling”.
- Change the scope according to your needs:
  - Sync all users and groups: syncs all users and groups in your IDP to Smarp. This suits the case where Smarp is available company-wide.
  - Otherwise, it’s advisable to choose “Sync only assigned users and groups”.
- Switch “Provisioning Status” to “On”.
- Save the app. The initial cycle will run shortly after that.
- If you chose “Sync only assigned users and groups” as the scope, navigate to the “Users and groups” blade of the app and add users/groups to the app. These users and the members of these groups will be synced to Smarp when the cycle runs.
Once a cycle is run, the process is logged in the “Provisioning logs” of the application.
Disclaimer: any “Group” mentioned in this section refers to a Smarp Group, not a Group as defined in the SCIM schema.
The Group feature must first be enabled for the instance. If it is not, the value is simply ignored.
The Group is defined by the “country” attribute in the SCIM schema. Please check the SCIM schema mappings in your IDP if you wish to have Group Profiling. See the instructions on how to set up SCIM on your specific IDP.
The value represents the name of a Group, which is case sensitive. The Group must exist before any user can be assigned to it. If it does not exist yet, an error will occur. To resolve it, create a Group with the corresponding name and let the SCIM sync run again.
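The rules above (userName in email form and unique, country matching an existing Group name case-sensitively) can be checked before the first cycle runs. The following is an added example, not code from Smarp or Microsoft. It assumes the Group feature is enabled, that user records were exported from the IDP as dicts keyed by the mapped attribute names, and that the Smarp Group names were collected by hand; the function name `preflight` and the sample data are constructed for illustration.

```python
import re
from collections import Counter

# Loose "looks like an email" test; the guide only says userName
# "should be in the form of an email", so this is an assumption.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def preflight(users, smarp_groups):
    """Return (userName, problem) tuples for records likely to fail provisioning."""
    problems = []
    groups = set(smarp_groups)
    # Index by case-folded name so a near miss can be reported as a case mismatch.
    by_casefold = {g.casefold(): g for g in groups}
    seen = Counter(u.get("userName", "") for u in users)
    for u in users:
        name = u.get("userName", "")
        if not EMAIL_RE.match(name):
            problems.append((name, "userName is not in email form"))
        if seen[name] > 1:
            problems.append((name, "userName is not unique"))
        if not isinstance(u.get("active"), bool):
            problems.append((name, "active must be true/false"))
        country = u.get("country")
        # An empty country means no Group assignment is requested.
        if country and country not in groups:
            near = by_casefold.get(country.casefold())
            hint = f"; case differs from existing Group '{near}'" if near else ""
            problems.append((name, f"no Smarp Group named '{country}'{hint}"))
    return problems

# Constructed sample data, not real users or Groups.
SAMPLE_GROUPS = ["Finland", "Sweden"]
SAMPLE_USERS = [
    {"userName": "ana@example.com", "active": True, "country": "Finland"},
    {"userName": "ben@example.com", "active": True, "country": "finland"},
    {"userName": "carol", "active": True, "country": "Sweden"},
    {"userName": "dan@example.com", "active": False, "country": ""},
]

if __name__ == "__main__":
    for user, problem in preflight(SAMPLE_USERS, SAMPLE_GROUPS):
        print(f"{user}: {problem}")
```

Any record it reports for a missing Group can be fixed either by creating the Group on Smarp or by correcting the value in the IDP before the next cycle.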