As an administrator, you use SCIM (System for Cross-domain Identity Management) to transfer user identity information from your identity domain to CafeX, automatically.
By using SCIM, you provision members of your organization to use CafeX from your identity management system and automatically create their identities in CafeX and assign them roles.
Typically, you use SAML and SCIM together to provision and enable SSO for the members and groups of your organization. See also: Setting up SAML.
CafeX has to associates SCIM, SAML, and CafeX records for individuals, using an attribute mapping you specify, for your identity management system and organizational configuration.
Provisioning CafeX
As an administrator, to provision people from your identity management system so that they can use CafeX:
- For your identity management system follow their documentation to connect to CafeX.
- When you need to provide CafeX application connection details enter the following:
- CafeX SCIM endpoint URL—
https://auth.cafex.com/scim/v2/ - CafeX SCIM token—See: Generating a SCIM token BELOW
- CafeX SCIM endpoint URL—
- Your identity management system requires the mapping of attributes to CafeX.
These are specific for each application.
CafeX SCIM attributes attributes
- CafeX requires the following attributes:
| Profile field | SCIM attribute | Attribute type | Required |
|---|---|---|---|
| User name | userName | String | yes |
| CafeX active | active | True or False | no-default to True |
| Display name | displayName | String | yes |
| Email address | emails[type eq “work”].value | String | yes |
| First or Given name | name.givenName | String | no |
| Family or surname | name.familyName | String | no |
| Identity provider ID | externalId | String | yes—Unique identifier from identity provider |
| CafeX role | roles[primary eq “True”].value | OWNER, ADMIN or STANDARD | no—defaults to STANDARD |
Provisioning guides
CafeX provides SCIM integration for the following Identity management systems:
- Microsoft Azure AD
- Okta
- OneLogin
- PingFederate
Generating a SCIM token
- Open profile menu > Tenant settings
- Click SCIM provisioning
- Click Add
- Enter a label to identify the connection—for example: Connection from AAD
- CafeX generates a SCIM token, you can only view this once, so take a copy.
Microsoft Azure AD
As an administrator, to provision CafeX for Microsoft Azure AD:
- In your Azure portal, create a non-gallery enterprise application for CafeX provisioning—See: Integrate your SCIM endpoint with Azure AD.
- Use the CafeX SCIM endpoint URL, and SCIM token.
- Provide the following attribute mappings:
| Microsoft Azure AD attribute | CafeX SCIM attribute |
|---|---|
| userPrincipleName | userName |
| Switch([IsSoftDeleted]], , “False”, “True”, “True”, “False”) | active |
| userPrincipleName | displayName |
| emails[type eq “work”].value | |
| givenName | name.givenName |
| surname | name.familyName |
| userPrincipleName | externalId Important: This mappings has to be the same as the SAML Unique User Identifier. |
| SingleAppRoleAssignment([appRoleAssignments]) | roles[primary eq “True”].value |
If you need to assign CafeX application roles in Microsoft Azure AD, you have to add them to your application definition, see: Add app roles and get them from a token.
For example, this manifest defines the 3 CafeX application roles: STANDARD, ADMIN, OWNER:
"appRoles": [{
"allowedMemberTypes": ["User"],
"description": "STANDARD",
"displayName": "STANDARD",
"id": "ccc32650-8ee3-47d0-a5b7-fe8fcde90d19",
"isEnabled": true,
"lang": null,
"origin": "Application",
"value": null
},
{
"allowedMemberTypes": ["User"],
"description": "ADMIN",
"displayName": "ADMIN",
"id": "aa3aa483-5fe7-4585-b068-58fb8df4af6e",
"isEnabled": true,
"lang": null,
"origin": "Application",
"value": null
},
{
"allowedMemberTypes": ["User"],
"description": "OWNER",
"displayName": "OWNER",
"id": "e5d16b85-a820-4b12-a79f-d5015a838164",
"isEnabled": true,
"lang": null,
"origin": "Application",
"value": null
}]Important: The role of CafeX administrators updates to match the roles the manifest defines. It is possible an administrator’s role changes and they loses access to their tenant settings in CafeX.
Okta
As an administrator, to provision CafeX for Okta:
- Follow the Okta provisioning guide—See: Connect your SCIM service with a new Okta integration.
- Provide the following attribute mappings:
| Okta attribute | CafeX SCIM attribute |
|---|---|
| Configured in Sign On settings | Username userName |
| userfirstName | Given name givenName |
| userlastName | Family name familyName |
| useremail | Primary email |
| useremail | Display name displayName |
| (“STANDARD”) | roles |
OneLogin
As an administrator, to provision CafeX for OneLogin:
- Follow the OneLogin provisioning guide—See: Creating a SCIM App.
- Use the following SCIM JSON Template:
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"userName": "{$user.email}",
"externalId": "{$user.email}",
"name": {
"givenName": "{$user.firstname}",
"familyName": "{$user.lastname}"
},
"displayName": "{$user.email}"
}PingFederate
As an administrator, to provision CafeX for PingFederate:
- Follow the PingFederate provisioning guide—See: Define a provisioning target
- When providing the Authentication Method, select Basic
Set the username to: scim
Set the password to: CafeX SCIM token - See ABOVE. - Provide the following attribute mappings:
| Field name | attribute |
|---|---|
| Username | – sAMAccountName |
| Family name | – sn |
| Given Name | – givenName |
| Middle name | – middleName |
| Honorific suffix | – generationQualifier |
| Title | – title |
| Phone number | – telephoneNumber |
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article