SCIM

Satori integrates with identity providers to manage users and groups via the SCIM protocol.

SCIM (System for Cross-domain Identity Management) is a protocol for managing users across multiple applications. It allows an IT or Operations team to provision (add), de-provision (deactivate), and update user data across multiple applications at once.

Setting Up SCIM in Satori

To set up the SCIM integration in the Satori Management Console, perform the following steps:

  1. Go to the Satori Management Console and select Settings from the kebab menu.
  2. Now, select the Integration view and click on the SCIM Integration tile.
  3. Click the Generate Access Token button.
  4. Do not close the "Satori SCIM Integration" dialog. (Once you create the IDP application, you must enter the Provisioning URL and SCIM access token in the IDP application settings.)
  5. Now select your IDP and continue the integration process accordingly.

Note: If you want to enable SSO login to Satori, refer to the relevant section in the Satori SSO Documentation. You can use the same app that you created for the SSO integration for your SCIM integration.

Okta Integration - Step 1

To integrate Okta with Satori you can use an existing Okta application or create a new one. To create an integration between Okta and Satori perform the following steps:

  1. Create a new Okta application by following the Adding Okta application instructions with Admin Dashboard.

  2. Now that you have successfully created your Okta (SAML) application, you must configure it to integrate with Satori using the SCIM protocol.

  3. Now click the General Tab and press the Edit button in the App Settings section.
  4. Enable SCIM provisioning and click the Save button.
  5. Now go to the Provisioning Tab and click the Edit button.
  6. Enter the Provisioning URL for Satori into the SCIM connector base URL input field.
  7. Enter the value userName into the unique identifier field for users input field.
  8. Now select the checkboxes for the following options: Push New Users, Push Profile Updates and Push Groups.
  9. Now, select the HTTP Header list item in the Authentication Mode drop menu.
  10. Copy the Satori SCIM access token into the Authorization input field.
  11. Now press the Test Connector Configuration button.
  12. Once you have successfully verified the connection click Save.
  13. Test and verify the Connector Configuration, ensuring that the provisioning features were detected correctly.

Okta Integration - Step 2

Now that you have successfully created the SCIM to Satori integration you need to enable user and group provisioning in Okta.

  1. Select the Provisioning Tab in the application that you just created.
  2. Click the Edit button and enable the Create Users, Update User Attributes and Deactivate Users provisioning options.
  3. Click Save.

Syncing Okta Users with Satori

To synchronize Okta users with Satori, perform the following steps:

  1. Select the Assignments tab
  2. Select the Assign to People option from the Assign drop menu list.
  3. Assign the relevant users in the popup dialog. Scroll to the bottom of the dialog and click Save and Go Back.
  4. Click DONE

Existing Users

If you have existing users, then perform the following steps:

  1. Select the Assignments tab
  2. Click the Provision User button.
  3. Click the OK button.

Note: When assigning a group in the newly created Okta application, its members are synced to Satori but the group entity is not. To sync the group to Satori, follow the next set of steps.

Syncing Okta Groups with Satori

To synchronize Okta groups with Satori, perform the following steps:

  1. Select the Push Groups tab.
  2. Select the Find Groups by Name option from the Push Groups drop menu list.
  3. Now enter the name of the Okta group that you want to sync with Satori.
  4. Now select the Create Group option from the Create Group menu button.
  5. Click the Save button.
  6. Go to the Satori Management Console and click the Kebab menu from the right side of the application header.
  7. Now select the Integrations tab in the Satori Settings
  8. Your Satori SCIM integration should now appear as an active integration tile in Satori.

Note: Okta limitation: Using the same Okta group for assignments and for group push is not supported.

OneLogin Integration - Step 1

To integrate OneLogin with Satori you can use an existing OneLogin application or create a new one. To create an integration between OneLogin and Satori perform the following steps:

  1. To add an app to your company app catalog, go to Applications > Applications and click the Add App button.
  2. Now search for SCIM Provisioner with SAML (SCIM v2 Enterprise).
  3. Provide the display name for your new application.
  4. Click SAVE
  5. Now select the Configuration view. (For new and existing apps)
  6. Refer to the section called Setting Up SCIM in Satori and copy the relevant values as they appear in task number four.
  7. Enter the Provisioning URL in the SCIM Base URL input field
  8. Enter the SCIM access token in the SCIM Bearer Token input field.
  9. Click the Enable button
  10. The OneLogin API Connection should now become Enabled.
  11. Click Save

OneLogin User Integration - Step 2

Once you have created your OneLogin application you must now enable the workflow provisioning.

  1. Select the Provisioning view
  2. Check the Enable Provisioning checkbox.
  3. Click Save

Note: You have now configured the OneLogin application to support individual users.

OneLogin Group (Role) Integration - Step 3

Now you will configure groups for your application:

  1. Select the Parameters view.
  2. Select the Groups option in the SCIM Provisioner with SAML table.
  3. Click the Include in user provisioning checkbox.
  4. Click Save in the popup dialog.
  5. Now click Save in the OneLogin application.
  6. Select the Rules view and click the Add Rule button.
  7. Provide a new mapping name.
  8. Go to the Actions section and select the Set Groups in drop menu item.
  9. Check the Map from OneLogin radio button.
  10. Select Role from the For Each drop menu list.
  11. Now enter .* in the corresponding input field.
  12. Click Save.
  13. Click Save in the OneLogin application.

Note: You have now configured the OneLogin application to support group provisioning.

Syncing OneLogin Users with Satori

To synchronize OneLogin users with Satori, perform the following steps:

  1. Click on the Users drop menu from the OneLogin application header and select the Users drop menu list item.
  2. Now click on a specific user from the list.
  3. Click the Applications view.
  4. Click the Plus button.
  5. Select the relevant application from the drop menu list.
  6. Click the Continue button.
  7. Click Save.
  8. Now click the Save User button

Note: You must repeat this procedure for each user that you want to add to Satori.

Syncing OneLogin Roles with Satori Groups

To synchronize OneLogin roles (groups) with Satori, perform the following steps:

  1. Click on the Users drop menu from the OneLogin application header and select the Roles drop menu list item.
  2. Now click on a specific role from the list.
  3. Click the Applications view.
  4. Click the Plus button.
  5. Select the relevant application.
  6. Click Save.

Note: You must add users to a OneLogin role in order to enable the provisioning of this role.

Note: Renaming a role in OneLogin will not rename the group in Satori. A new group with a new name will be created in Satori and the relevant users will be assigned to it, and removed from the old group. The old group should be manually removed from Satori.

Important Note: If you delete groups from OneLogin you must manually remove them from Satori.
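
Per the two notes above, renamed or deleted OneLogin roles leave stale groups in Satori that must be removed manually. A reconciliation check for that drift, as an added example (not Satori's or OneLogin's code): it assumes you already have the current OneLogin role names and a listing of Satori groups in SCIM 2.0 ListResponse form, and all sample data and function names are constructed for illustration.

```python
import json

# Constructed sample: role names currently defined in OneLogin.
IDP_ROLES = ["data-analysts", "platform-admins", "finance-ro"]

# Constructed sample: Satori groups in SCIM 2.0 ListResponse shape (RFC 7644).
# "data-analyst" is a pre-rename leftover; "contractors" was deleted in OneLogin.
SATORI_GROUPS_JSON = """
{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults": 4,
  "Resources": [
    {"id": "g1", "displayName": "data-analysts", "members": [{"value": "u1"}, {"value": "u2"}]},
    {"id": "g2", "displayName": "data-analyst", "members": []},
    {"id": "g3", "displayName": "platform-admins", "members": [{"value": "u3"}]},
    {"id": "g4", "displayName": "contractors", "members": [{"value": "u4"}]}
  ]
}
"""

def find_stale_groups(idp_roles, list_response):
    """Return Satori groups with no matching OneLogin role, populated ones first."""
    known = set(idp_roles)  # exact-name match; a renamed role counts as a new name
    stale = []
    for g in list_response.get("Resources", []):
        name = g.get("displayName", "")
        if name in known:
            continue
        members = [m["value"] for m in g.get("members") or []]
        # A stale group that still has members keeps whatever access it grants.
        risk = "has-members" if members else "empty"
        stale.append({"id": g.get("id"), "displayName": name, "members": members, "risk": risk})
    # Sort so groups that still hold members are reviewed first.
    return sorted(stale, key=lambda s: (s["risk"] != "has-members", s["displayName"]))

def missing_groups(idp_roles, list_response):
    """Return OneLogin roles with no Satori group (e.g. a role that has no users yet)."""
    present = {g.get("displayName", "") for g in list_response.get("Resources", [])}
    return sorted(r for r in idp_roles if r not in present)

if __name__ == "__main__":
    groups = json.loads(SATORI_GROUPS_JSON)
    for s in find_stale_groups(IDP_ROLES, groups):
        print(f"remove manually: {s['displayName']} ({s['risk']}, {len(s['members'])} members)")
    print("not provisioned:", missing_groups(IDP_ROLES, groups))
```
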

Provisioning Failure State

When provisioning fails, when group names need to be updated, or when there are unsynchronized resources, perform the following:

Click the Reapply entitlement mapping drop menu item from the More Actions drop menu list to refresh the app state.

Satori Management App Attribute Mapping

Application attributes contain descriptive information about the individual users. Each attribute has a label and one or more values associated with it.

Note: Satori automatically provisions the following attributes:

  • First Name
  • Last Name
  • Email Address
  • Manager ID
  • Groups