Provision Users with SCIM

This guide is designed to help enterprise administrators set up SCIM on their existing SSO config.

You can provision and manage users on enterprise-enabled Poggio workspaces through the System for Cross-domain Identity Management (SCIM) API standard.

Overview

Poggio supports the SCIM 2.0 standard.

With SCIM, you can:

  • Automatically provision and de-provision users to your Poggio enterprise. (Users are always provisioned to the default workspace of the SAML config in use.)

  • Sync users’ names to Poggio.

Poggio supports provisioning users from your identity provider (IdP).

Poggio does not support:

  • Group provisioning (Poggio currently does not have a concept of groups)

  • Importing users from Poggio

  • Password syncs

Prerequisites

Step 1: Generate a SCIM API Key

In the enterprise settings page, enterprise admins have the ability to generate a SCIM key.

This key grants access to the Poggio SCIM endpoints for that enterprise.

Step 2: Configure the IdP

Okta

  1. Under the “General” settings, enable “Provisioning” for the Poggio Okta app.

  2. Under the “Provisioning” settings, enter the following information on the “Integrations” tab:

    • SCIM connector base URL: https://api.poggio.io/scim/v2/

    • Unique identifier field for users: userName

    • Supported provisioning actions:

      • Check Push New Users

      • Check Push Profile Updates

    • Authentication Mode: HTTP Header

    • Authorization: <paste the SCIM key from the enterprise settings>

  3. Under the “Provisioning” settings, set up the following on the “To App” tab:

    • Create User: check Enable

    • Update User Attributes: check Enable

    • Deactivate Users: check Enable

Step 3: Trigger a Sync

Also found on the "To App" provisioning page is a Poggio Attribute Mappings section. You can trigger a sync to ensure that users’ names are propagated. Poggio supports two fields (all others are ignored):

  • userName: this represents the email of the user.

  • displayName: this is typically the user’s full name.

    • Poggio also supports name.formatted for the same information if displayName is not present.
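
The mapping rules above can be checked against a sample payload before you trigger a sync. The following is an added example, not Poggio's code: it assumes the standard SCIM 2.0 core User schema (RFC 7643), and the function name, sample payload and the choice to leave envelope attributes such as id, meta and active out of the "ignored" list are assumptions.

```python
import re

# SCIM 2.0 core User schema URN (RFC 7643).
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
# Attributes the guide says Poggio reads; "name" is used only for name.formatted.
MAPPED = {"userName", "displayName", "name"}
# SCIM envelope/state attributes (assumption: not counted as ignored profile fields).
ENVELOPE = {"schemas", "id", "externalId", "meta", "active"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_scim_user(resource):
    """Return (email, display_name, ignored_attrs, problems) for one SCIM User."""
    problems = []
    if USER_SCHEMA not in resource.get("schemas", []):
        problems.append("missing core User schema URN")

    email = resource.get("userName") or ""
    if not EMAIL_RE.match(email):
        problems.append("userName is not an email address")

    # displayName wins; name.formatted is the fallback when it is absent.
    name = resource.get("name")
    formatted = name.get("formatted") if isinstance(name, dict) else None
    display = resource.get("displayName") or formatted
    if not display:
        problems.append("no displayName or name.formatted; name will not sync")

    # Everything else in the payload is dropped on the receiving side.
    ignored = sorted(k for k in resource if k not in MAPPED | ENVELOPE)
    return email, display, ignored, problems


# Constructed sample payload, shaped like what an IdP pushes on user creation.
SAMPLE = {
    "schemas": [USER_SCHEMA],
    "userName": "alex@example.com",
    "name": {"givenName": "Alex", "familyName": "Doe", "formatted": "Alex Doe"},
    "emails": [{"value": "alex@example.com", "primary": True}],
    "title": "Analyst",
    "active": True,
}

if __name__ == "__main__":
    email, display, ignored, problems = check_scim_user(SAMPLE)
    print(f"email={email} display={display!r} ignored={ignored} problems={problems}")
```

A non-empty problems list points to an attribute mapping in the IdP that should be corrected before the sync.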
