As an administrator, you can use SCIM (System for Cross-domain Identity Management) to automatically transfer user identity information from your identity provider (IdP) to CafeX.
By using SCIM, you can provision members of your organization to use CafeX from your identity management system, automatically create their identities in CafeX, and assign them roles.
SCIM is commonly used alongside SAML to enable single sign-on (SSO) and manage user access. For details, see: Setting up SAML.
CafeX associates SCIM, SAML, and CafeX records for individuals by using attribute mappings you define for your identity management system and organizational configuration.
Provisioning Users in CafeX
To provision users from your identity management system so that they can use CafeX:
- Follow your identity provider’s documentation to configure SCIM provisioning to CafeX.
- When prompted to provide CafeX application connection details, enter the following:
  - CafeX SCIM endpoint URL: https://auth.cafex.com/scim/v2/
  - CafeX SCIM token: See: Generating a SCIM token.
- Map SCIM attributes to CafeX user fields according to the table below.
Note: Attribute names and formats vary between providers—refer to your IdP-specific instructions in the sections below.
CafeX SCIM Attributes
CafeX requires the following attributes:
Profile Field | SCIM Attribute | Attribute Type | Required |
User name | userName | String | Yes |
CafeX active | active | True or False | No (Defaults to True) |
Display name | displayName | String | Yes |
Email address | emails[type eq "work"].value | String | Yes |
First or Given name | name.givenName | String | No |
Family or surname | name.familyName | String | No |
Identity provider ID | externalId | String | Yes (Must be a unique identifier from identity provider) |
CafeX role | roles[primary eq "True"].value | OWNER, | No (Defaults to STANDARD) |
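The attribute table above can be checked against a SCIM User payload before provisioning is enabled. The following Python is an added example, not CafeX or identity provider code: the names pick and to_cafex_profile are hypothetical, the sample users are constructed, and case-insensitive matching of the type and primary values is an assumption.

```python
ROLES = {"STANDARD", "ADMIN", "OWNER"}  # role names listed on this page
REQUIRED = ("user_name", "display_name", "email", "external_id")

def pick(items, key, wanted):
    """Resolve a SCIM filter path such as emails[type eq "work"].value."""
    for item in items or []:
        # Assumption: compare case-insensitively so boolean true matches "True".
        if str(item.get(key, "")).lower() == wanted.lower():
            return item.get("value")
    return None

def to_cafex_profile(user):
    """Map a SCIM 2.0 User to the table's profile fields; return (profile, errors)."""
    name = user.get("name") or {}
    profile = {
        "user_name": user.get("userName"),
        # Accept a boolean or the "True"/"False" strings an IdP mapping may emit.
        "active": str(user.get("active", True)).lower() != "false",
        "display_name": user.get("displayName"),
        "email": pick(user.get("emails"), "type", "work"),
        "given_name": name.get("givenName"),
        "family_name": name.get("familyName"),
        "external_id": user.get("externalId"),
        "role": pick(user.get("roles"), "primary", "True") or "STANDARD",
    }
    errors = [f"missing required field: {f}" for f in REQUIRED if not profile[f]]
    if profile["role"] not in ROLES:
        errors.append(f"unknown role: {profile['role']}")
    return profile, errors

# Constructed sample payloads (not real users).
SAMPLE_OK = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "alice@example.com", "externalId": "alice@example.com",
    "displayName": "Alice Example", "active": "False",
    "emails": [{"type": "home", "value": "a@home.example"},
               {"type": "work", "value": "alice@example.com"}],
    "roles": [{"primary": "True", "value": "ADMIN"}],
}
SAMPLE_BAD = {"userName": "bob@example.com", "displayName": "Bob",
              "emails": [{"type": "home", "value": "bob@home.example"}]}

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BAD):
        print(to_cafex_profile(sample))
```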
Generating a SCIM Token
To generate a SCIM token:
- Click the three-dot menu in the page header and select Tenant settings.
- Under Management, click SCIM provisioning. The SCIM Provisioning Token page opens.
- Click Add.
- Enter a label to identify the connection, for example: Connection from AAD.
- CafeX generates a SCIM token. You can only view this once, so take a copy.
Supported Identity Providers
CafeX provides SCIM integration for the following identity management systems:
Microsoft Azure AD
To configure SCIM provisioning with Azure AD:
- In the Azure portal, create a non-gallery enterprise application for CafeX provisioning. See: Integrate your SCIM endpoint with Azure AD.
- Use the following:
  - SCIM endpoint URL: https://auth.cafex.com/scim/v2/
  - SCIM token: From Generating a SCIM token.
- Provide the following attribute mappings:
Microsoft Azure AD Attribute | CafeX SCIM Attribute |
userPrincipalName | userName |
Switch([IsSoftDeleted], , "False", "True", "True", "False") | active |
userPrincipalName | displayName |
mail | emails[type eq "work"].value |
givenName | name.givenName |
surname | name.familyName |
userPrincipalName | externalId |
SingleAppRoleAssignment([appRoleAssignments]) | roles[primary eq "True"].value |
Important: The externalId mapping must match the SAML Unique User Identifier.
Note: If you want to assign CafeX application roles in Microsoft Azure AD, you have to add them to your application definition. See: Add app roles to your token and receive them in a token.
For example, the following manifest defines the three available CafeX application roles: STANDARD, ADMIN, and OWNER:
    "appRoles": [
        {
            "allowedMemberTypes": ["User"],
            "description": "STANDARD",
            "displayName": "STANDARD",
            "id": "ccc32650-8ee3-47d0-a5b7-fe8fcde90d19",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "value": null
        },
        {
            "allowedMemberTypes": ["User"],
            "description": "ADMIN",
            "displayName": "ADMIN",
            "id": "aa3aa483-5fe7-4585-b068-58fb8df4af6e",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "value": null
        },
        {
            "allowedMemberTypes": ["User"],
            "description": "OWNER",
            "displayName": "OWNER",
            "id": "e5d16b85-a820-4b12-a79f-d5015a838164",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "value": null
        }
    ]
Important: The role of CafeX administrators updates to match the roles the manifest defines. Admins may lose access to tenant settings if their role changes.
Okta
To configure SCIM provisioning with Okta:
- Follow the Okta provisioning guide: Connect your SCIM service with a new Okta integration.
- Use the following attribute mappings:
Okta Attribute | CafeX SCIM Attribute |
Configured in Sign On settings | Username (userName) |
user.firstName | Given name (givenName) |
user.lastName | Family name (familyName) |
user.email | Primary email (email) |
user.email | Display name (displayName) |
("STANDARD") | roles |
OneLogin
To configure SCIM provisioning with OneLogin:
- Follow the OneLogin provisioning guide: Creating a SCIM App.
- Use the following SCIM JSON Template:
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"userName": "{$user.email}",
"externalId": "{$user.email}",
"name": {
"givenName": "{$user.firstname}",
"familyName": "{$user.lastname}"
},
"displayName": "{$user.email}"
}
PingFederate
To configure SCIM provisioning with PingFederate:
- Follow the PingFederate provisioning guide: Define a provisioning target.
- Use the following settings:
  - Authentication method: Basic
  - Username: scim
  - Password: SCIM token from Generating a SCIM token.
- Provide the following attribute mappings:
Field name | Attribute |
Username | sAMAccountName |
Family name | sn |
Given Name | givenName |
Middle name | middleName |
Honorific suffix | generationQualifier |
Title | title |
Email | mail |
Phone number | telephoneNumber |