Introduction

Getting started

Walkthrough Guides

CafeX Apps

Workflows

Using CafeX Collaborate App

Reporting

Managing CafeX

Integrating CafeX

Security

Managing CafeX

Setting up SCIM

Modified on Tue, 5 Sep, 2023 at 11:25 AM

As an administrator, you use SCIM (System for Cross-domain Identity Management) to transfer user identity information from your identity domain to CafeX, automatically.


By using SCIM, you provision members of your organization to use CafeX from your identity management system and automatically create their identities in CafeX and assign them roles. 


Typically, you use SAML and SCIM together to provision and enable SSO for the members and groups of your organization. See also: Setting up SAML.


CafeX has to associates SCIM, SAML, and CafeX records for individuals, using an attribute mapping you specify, for your identity management system and organizational configuration.


Provisioning CafeX


As an administrator, to provision people from your identity management system so that they can use CafeX:

  1. For your identity management system follow their documentation to connect to CafeX.
  2. When you need to provide CafeX application connection details enter the following:
    • CafeX SCIM endpoint URL—https://auth.cafex.com/scim/v2/
    • CafeX SCIM token—See: Generating a SCIM token BELOW
  3. Your identity management system requires the mapping of attributes to CafeX.
     

These are specific for each application.


CafeX SCIM attributes attributes


CafeX requires the following attributes:


Profile field

SCIM attribute

Attribute type

Required

User name

userName

String

yes

CafeX active

active

True or False

no-default to True

Display name

displayName

String

yes

Email address

emails[type eq “work”].value

String

yes

First or Given name

name.givenName

String

no

Family or surname

name.familyName

String

no

Identity provider ID

externalId

String

yes—Unique identifier from identity provider

CafeX role

roles[primary eq “True”].value

OWNER,
ADMIN
 or STANDARD

no—defaults to STANDARD

Provisioning guides

CafeX provides SCIM integration for the following Identity management systems:

  • Microsoft Azure AD
  • Okta
  • OneLogin
  • PingFederate

Generating a SCIM token

  1. Open profile menu > Tenant settings
  2. Click SCIM provisioning
  3. Click Add
  4. Enter a label to identify the connection—for example: Connection from AAD
  5. CafeX generates a SCIM token, you can only view this once, so take a copy.

Microsoft Azure AD

As an administrator, to provision CafeX for Microsoft Azure AD:

  1. In your Azure portal, create a non-gallery enterprise application for CafeX provisioning—See: Integrate your SCIM endpoint with Azure AD.
  2. Use the CafeX SCIM endpoint URL, and SCIM token.
  3. Provide the following attribute mappings:

Microsoft Azure AD attribute

CafeX SCIM attribute

userPrincipleName

userName

Switch([IsSoftDeleted]], , “False”, “True”, “True”, “False”)

active

userPrincipleName

displayName

mail

emails[type eq “work”].value

givenName

name.givenName

surname

name.familyName

userPrincipleName

externalId
 Important: This mappings has to be the same as the SAML Unique User Identifier.

SingleAppRoleAssignment([appRoleAssignments])

roles[primary eq “True”].value

If you need to assign CafeX application roles in Microsoft Azure AD, you have to add them to your application definition, see: Add app roles and get them from a token.


For example, this manifest defines the 3 CafeX application roles: STANDARD, ADMIN, OWNER:

"appRoles": [{
    "allowedMemberTypes": ["User"],
    "description": "STANDARD",
    "displayName": "STANDARD",
    "id": "ccc32650-8ee3-47d0-a5b7-fe8fcde90d19",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "value": null
},
{
    "allowedMemberTypes": ["User"],
    "description": "ADMIN",
    "displayName": "ADMIN",
    "id": "aa3aa483-5fe7-4585-b068-58fb8df4af6e",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "value": null
},
{
"allowedMemberTypes": ["User"],
    "description": "OWNER",
    "displayName": "OWNER",
    "id": "e5d16b85-a820-4b12-a79f-d5015a838164",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "value": null
}]

Important: The role of CafeX administrators updates to match the roles the manifest defines. It is possible an administrator’s role changes and they loses access to their tenant settings in CafeX.

Okta

As an administrator, to provision CafeX for Okta:

  1. Follow the Okta provisioning guide—See: Connect your SCIM service with a new Okta integration.
  2. Provide the following attribute mappings:


Okta attribute

CafeX SCIM attribute

Configured in Sign On settings

Username
 userName

userfirstName

Given name
 givenName

userlastName

Family name
 familyName

useremail

Primary email
 email

useremail

Display name
 displayName

(“STANDARD”)

roles

OneLogin

As an administrator, to provision CafeX for OneLogin:

  1. Follow the OneLogin provisioning guide—See: Creating a SCIM App.
  2. Use the following SCIM JSON Template:
{
    "schemas": [ 
        "urn:ietf:params:scim:schemas:core:2.0:User" 
    ],
    "userName": "{$user.email}",
    "externalId": "{$user.email}",
    "name": {
        "givenName": "{$user.firstname}",
        "familyName": "{$user.lastname}"
    },
    "displayName": "{$user.email}"
}

PingFederate


As an administrator, to provision CafeX for PingFederate:

  1. Follow the PingFederate provisioning guide—See: Define a provisioning target
  2. When providing the Authentication Method, select Basic
    Set the username to: scim
     Set the password to: CafeX SCIM token - See ABOVE.
  3. Provide the following attribute mappings:


Field name

attribute

Username

– sAMAccountName

Family name

– sn

Given Name

– givenName

Middle name

– middleName

Honorific suffix

– generationQualifier

Title

– title

Email

– mail

Phone number

– telephoneNumber

 




Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article