Setting up SCIM

Modified on Wed, 01 Feb 2023 at 08:24 AM

As an administrator, you use SCIM (System for Cross-domain Identity Management) to transfer user identity information from your identity domain to CafeX automatically.

By using SCIM, you provision members of your organization for CafeX from your identity management system, which automatically creates their identities in CafeX and assigns them roles.

Typically, you use SAML and SCIM together to provision and enable SSO for the members and groups of your organization. See also: Setting up SAML.

CafeX has to associate the SCIM, SAML, and CafeX records for each individual, using an attribute mapping that you specify for your identity management system and organizational configuration.

Provisioning CafeX

As an administrator, to provision people from your identity management system so that they can use CafeX:

  1. For your identity management system, follow its documentation to connect to CafeX.
  2. When you need to provide CafeX application connection details, enter the following:
    • CafeX SCIM endpoint URL—https://auth.cafex.com/scim/v2/
    • CafeX SCIM token—See: Generating a SCIM token, below
  3. Your identity management system requires the mapping of attributes to CafeX.
    These are specific for each application.

CafeX SCIM attributes

  1. CafeX requires the following attributes:
| Profile field | SCIM attribute | Attribute type | Required |
|---|---|---|---|
| User name | userName | String | yes |
| CafeX active | active | True or False | no (defaults to True) |
| Display name | displayName | String | yes |
| Email address | emails[type eq "work"].value | String | yes |
| First or Given name | name.givenName | String | no |
| Family or surname | name.familyName | String | no |
| Identity provider ID | externalId | String | yes (unique identifier from identity provider) |
| CafeX role | roles[primary eq "True"].value | OWNER, ADMIN or STANDARD | no (defaults to STANDARD) |
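
The attribute rules above can be checked on a sample payload before provisioning is switched on. This added example (not CafeX code) resolves the two filtered attributes, applies the table's defaults, and compares externalId with the SAML Unique User Identifier; `check_user`, `pick` and the sample payloads are constructed for illustration.

```python
REQUIRED = ("userName", "displayName", "email", "externalId")
ROLES = {"OWNER", "ADMIN", "STANDARD"}

def pick(items, key, wanted):
    """Resolve a filter such as emails[type eq "work"].value to its value."""
    for item in items or []:
        if str(item.get(key)).lower() == wanted.lower() and item.get("value"):
            return item["value"]
    return None

def check_user(user, saml_name_id=None):
    """Return (profile, problems) for one SCIM User resource (a dict)."""
    name = user.get("name") or {}
    active = user.get("active", True)      # optional, defaults to True
    if isinstance(active, str):            # a mapping may emit "True"/"False" text
        active = active.strip().lower() == "true"
    profile = {
        "userName": user.get("userName"),
        "displayName": user.get("displayName"),
        "email": pick(user.get("emails"), "type", "work"),
        "externalId": user.get("externalId"),
        "givenName": name.get("givenName"),
        "familyName": name.get("familyName"),
        "active": active,
        "role": pick(user.get("roles"), "primary", "True") or "STANDARD",
    }
    problems = [f"missing required attribute: {f}" for f in REQUIRED if not profile[f]]
    if profile["role"] not in ROLES:
        problems.append(f"unknown role: {profile['role']}")
    if saml_name_id is not None and profile["externalId"] != saml_name_id:
        problems.append("externalId differs from SAML Unique User Identifier")
    return profile, problems

# Constructed sample payloads (not captured traffic).
COMPLETE = {
    "userName": "pat@example.com", "displayName": "pat@example.com",
    "externalId": "pat@example.com", "active": "False",
    "emails": [{"type": "work", "value": "pat@example.com"}],
    "roles": [{"primary": True, "value": "ADMIN"}],
}
NO_WORK_EMAIL = {
    "userName": "sam@example.com", "displayName": "sam@example.com",
    "externalId": "sam@example.com",
    "emails": [{"type": "home", "value": "sam@example.net"}],
}

if __name__ == "__main__":
    for payload in (COMPLETE, NO_WORK_EMAIL):
        print(check_user(payload, saml_name_id=payload["userName"]))
```

The check reflects the table only; how CafeX itself responds to a missing attribute is not stated on this page.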

Provisioning guides

CafeX provides SCIM integration for the following Identity management systems:

  • Microsoft Azure AD
  • Okta
  • OneLogin
  • PingFederate

Generating a SCIM token

  1. Open profile menu > Tenant settings
  2. Click SCIM provisioning
  3. Click Add
  4. Enter a label to identify the connection—for example: Connection from AAD
  5. CafeX generates a SCIM token. You can view it only once, so take a copy.

Microsoft Azure AD

As an administrator, to provision CafeX for Microsoft Azure AD:

  1. In your Azure portal, create a non-gallery enterprise application for CafeX provisioning—See: Integrate your SCIM endpoint with Azure AD.
  2. Use the CafeX SCIM endpoint URL and SCIM token.
  3. Provide the following attribute mappings:

| Microsoft Azure AD attribute | CafeX SCIM attribute |
|---|---|
| userPrincipalName | userName |
| Switch([IsSoftDeleted], , "False", "True", "True", "False") | active |
| userPrincipalName | displayName |
| mail | emails[type eq "work"].value |
| givenName | name.givenName |
| surname | name.familyName |
| userPrincipalName | externalId |
| SingleAppRoleAssignment([appRoleAssignments]) | roles[primary eq "True"].value |

Important: The externalId mapping has to be the same as the SAML Unique User Identifier.

If you need to assign CafeX application roles in Microsoft Azure AD, you have to add them to your application definition. See: Add app roles and get them from a token.

For example, this manifest defines the 3 CafeX application roles: STANDARD, ADMIN, OWNER:

"appRoles": [{
    "allowedMemberTypes": ["User"],
    "description": "STANDARD",
    "displayName": "STANDARD",
    "id": "ccc32650-8ee3-47d0-a5b7-fe8fcde90d19",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "value": null
},
{
    "allowedMemberTypes": ["User"],
    "description": "ADMIN",
    "displayName": "ADMIN",
    "id": "aa3aa483-5fe7-4585-b068-58fb8df4af6e",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "value": null
},
{
    "allowedMemberTypes": ["User"],
    "description": "OWNER",
    "displayName": "OWNER",
    "id": "e5d16b85-a820-4b12-a79f-d5015a838164",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "value": null
}]

Important: The role of CafeX administrators updates to match the roles the manifest defines. An administrator’s role can change as a result, and they can lose access to their tenant settings in CafeX.
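
One way to preview that effect before enabling role mapping, as an added example that is not CafeX or Microsoft code: it lists administrators whose provisioned role would drop below ADMIN and who would still hold OWNER or ADMIN afterwards. It assumes a hypothetical `{userName: role}` export of current CafeX roles, and that users the identity provider does not send keep their role.

```python
PRIVILEGED = {"OWNER", "ADMIN"}

def provisioned_role(user):
    """Value of roles[primary eq "True"].value, or STANDARD when none is sent."""
    for role in user.get("roles") or []:
        if str(role.get("primary")).lower() == "true" and role.get("value"):
            return role["value"]
    return "STANDARD"

def preview_role_sync(current_roles, scim_users):
    """Compare roles held in CafeX today with the roles provisioning would set.

    current_roles: {userName: role}, a hypothetical export of today's state.
    scim_users:    SCIM User dicts as the identity provider would send them.
    Returns (demoted, remaining): privileged users who would lose that level,
    and the userNames that would still hold OWNER or ADMIN afterwards.
    """
    after = dict(current_roles)        # assumption: unsent users keep their role
    for user in scim_users:
        after[user["userName"]] = provisioned_role(user)
    demoted = sorted(
        (name, old, after[name])
        for name, old in current_roles.items()
        if old in PRIVILEGED and after[name] not in PRIVILEGED
    )
    remaining = sorted(n for n, r in after.items() if r in PRIVILEGED)
    return demoted, remaining

# Constructed sample data (not real accounts).
CURRENT = {
    "alex@example.com": "OWNER",
    "pat@example.com": "ADMIN",
    "sam@example.com": "STANDARD",
}
INCOMING = [
    {"userName": "alex@example.com", "roles": [{"primary": True, "value": "OWNER"}]},
    {"userName": "pat@example.com"},   # no app role assigned: defaults to STANDARD
    {"userName": "sam@example.com", "roles": [{"primary": "True", "value": "STANDARD"}]},
]

if __name__ == "__main__":
    demoted, remaining = preview_role_sync(CURRENT, INCOMING)
    print("would be demoted:", demoted)
    print("still OWNER/ADMIN:", remaining)
```

An empty `remaining` list means no account would keep access to tenant settings after the sync.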

Okta

As an administrator, to provision CafeX for Okta:

  1. Follow the Okta provisioning guide—See: Connect your SCIM service with a new Okta integration.
  2. Provide the following attribute mappings:
| Okta attribute | CafeX SCIM attribute |
|---|---|
| Configured in Sign On settings | Username (userName) |
| user.firstName | Given name (givenName) |
| user.lastName | Family name (familyName) |
| user.email | Primary email (email) |
| user.email | Display name (displayName) |
| ("STANDARD") | roles |

OneLogin

As an administrator, to provision CafeX for OneLogin:

  1. Follow the OneLogin provisioning guide—See: Creating a SCIM App.
  2. Use the following SCIM JSON Template:
{
    "schemas": [ 
        "urn:ietf:params:scim:schemas:core:2.0:User" 
    ],
    "userName": "{$user.email}",
    "externalId": "{$user.email}",
    "name": {
        "givenName": "{$user.firstname}",
        "familyName": "{$user.lastname}"
    },
    "displayName": "{$user.email}"
}

PingFederate

As an administrator, to provision CafeX for PingFederate:

  1. Follow the PingFederate provisioning guide—See: Define a provisioning target
  2. When providing the Authentication Method, select Basic.
    Set the username to: scim
    Set the password to: the CafeX SCIM token (see Generating a SCIM token, above).
  3. Provide the following attribute mappings:
| Field name | Attribute |
|---|---|
| Username | sAMAccountName |
| Family name | sn |
| Given Name | givenName |
| Middle name | middleName |
| Honorific suffix | generationQualifier |
| Title | title |
| Email | mail |
| Phone number | telephoneNumber |
