Configure SCIM Connector for the Cloud Identity Engine
As part of the Cloud Identity Engine, Directory Sync connects to your directory to obtain user
and group information for user identification and enforcement for group-based and
user-based Security policy.
Configuring the System for Cross-Domain Identity Management (SCIM) protocol for Directory Sync in the
Cloud Identity Engine allows you to customize what attributes Directory Sync
collects from your directory. You can add or remove attributes in your directory
portal to customize which attributes you want to share with the Cloud Identity
Engine for user and group identification.
The SCIM gallery app doesn’t support the userType attribute.
Configuring your directory to use
the SCIM Connector with the Cloud Identity Engine requires completing
all necessary steps in both the Cloud Identity Engine and in the
portal for your specific SCIM client. If you encounter any issues with
the SCIM Connector setup, learn how to Troubleshoot Cloud Identity Engine Issues.
Set up SCIM Connector in the Cloud Identity Engine app and complete the
predeployment steps for your SCIM client.
Complete the predeployment steps for your SCIM client.
—Configure a PingFederate
server to use the SCIM Connector. Be sure to complete the
predeployment steps in the PingFederate portal to Configure PingFederate for SCIM Connector.
Okta
—Configure an Okta Directory to use
the SCIM Connector. Be sure to complete the predeployment steps
in the Okta Administrator Dashboard to Configure Okta Directory for SCIM Connector.
In the portal for your SCIM client, obtain the necessary
information you must enter to configure the SCIM Connector in the
Cloud Identity Engine.
Enter the necessary information in the Cloud Identity
Engine to configure your directory to use SCIM with Directory Sync.
Enter the
Directory ID
and
Directory
Name
you copied from your directory portal in the Cloud
Identity Engine in the previous step.
Copy the
Base URL
and save it in a secure
location.
Click
Generate Bearer Token
then copy the token
that the Cloud Identity Engine generates for your
Authorization Method
and save it in a secure
location.
Before continuing to the next step and
submitting the changes, make sure to save the token in a location
where you can easily retrieve it to enter it in your SCIM client
directory portal. If you submit the changes in the Cloud Identity
Engine app before you generate and save the token, you must generate
a new token in the Cloud Identity Engine app and enter the new token
in the directory portal.
Click
Submit
to commit your changes.
You must click
Submit
to create the configuration in the Cloud Identity Engine app before
continuing the configuration in the IdP, then return to the Cloud
Identity Engine app and complete a full sync of the entire
directory before the configuration is complete.
Select the check box and click
OK
to confirm your
acknowledgment of the postconfiguration requirements then return to the portal
for your SCIM client to complete the postconfiguration steps.
You can now use the SCIM Connector to collect attributes from your directory.
To learn which attributes the SCIM Collector collects, see the Cloud Identity Engine
Attributes.
Configure Azure Active Directory for SCIM Connector
You must also complete the required steps in the Azure Active Directory (AD) Portal to complete
the SCIM Connector configuration. For more information, refer to the
documentation for the Azure AD SCIM Connector.
Complete the predeployment steps to add a new application in the Azure
Portal then obtain the necessary information to configure SCIM for Directory
Sync.
Azure Active Directory (AD) SCIM provisioning requires that the group
attribute
displayName
is unique. If more than one
group uses the
displayName
attribute, the initial
sync is not successful and the data for the duplicate group names might
only be partially retrievable. If you do not use the duplicate groups in
Security policy, then you can proceed. If you use the duplicate group
names in Security policy, you must resolve the issue by modifying the
displayName
attribute in your Azure Active
Directory (AD) to ensure that it’s unique.
Return to the Cloud Identity Engine app to continue the SCIM
Connector setup.
You must complete the setup in the Cloud Identity Engine
before you can successfully
Test
Connection
in the Azure Portal.
After you submit the SCIM Connector configuration in the Cloud
Identity Engine app, continue to the next step.
Configure your Azure Active Directory (AD) to use SCIM Connector to connect
to the Cloud Identity Engine.
Log in to the Azure Active Directory (AD) Portal.
Select
Enterprise Applications
then select
the
Palo Alto Networks SCIM Connector
application.
Select
Provisioning
and click
Get
Started
.
Select
Automatic
as the
Provisioning Mode
.
Enter the following information from the previous step in the
fields as indicated in the following table:
Copy from Cloud Identity Engine
Enter in Azure Portal
Base URL
Tenant URL
Authorization Method
token
Secret Token
Save
your changes.
(Optional but recommended) Click
Test
Connection
to confirm that the Azure Active
Directory (AD) can successfully communicate with the Cloud Identity
Engine app.
You must complete the setup in the Cloud Identity Engine
before you can successfully
Test
Connection
in the Azure Portal.
Manage the users, groups, and attributes that the Azure Active Directory
(AD) provisions to the Cloud Identity Engine app.
In the Azure Portal, select
Provisioning
Edit Provisioning
.
Select
Mappings
then select whether you want
to edit the attributes when you
Provision Active
Directory Groups
or
Provision Active
Directory Users
.
Delete
any attributes that you don’t want to
provide to the Cloud Identity Engine app.
(Optional) Click
Add new mapping
to add a
new mapping that you want Azure Active Directory (AD) to use to
identify users for the Cloud Identity Engine.
(Optional) By default, the Cloud Identity Engine only synchronizes
the users and groups you assign to this app in the Azure Portal. You
can optionally synchronize all users and groups (
Settings
Sync all users and groups
).
Save
your changes when they are complete.
Allow Azure Active Directory (AD) to provide the information to the Cloud
Identity Engine and verify that the Cloud Identity Engine uses SCIM to
obtain the Azure Active Directory (AD) information.
In the Azure Portal, verify you’ve completed all the provisioning
steps in the documentation for the Azure AD SCIM
Connector.
Select the name of the app that you configured in the first step
then select
Manage
Provisioning
Start Provisioning
to begin providing attributes to the Cloud Identity
Engine.
Wait until the sync is complete (
Initial cycle
completed
) then
View provisioning
details
.
Verify that the synchronization was successful by confirming the
timestamps (
to complete a full synchronization of your Azure
Active Directory with Directory Sync for the Cloud Identity
Engine.
You must successfully complete a full sync in the Cloud
Identity Engine app to complete the SCIM Connector setup.
Configure PingFederate for SCIM Connector
Complete the following steps to configure
the Cloud Identity Engine to use the SCIM Connector to connect to
your PingFederate server. Be sure to complete all the steps in the PingFederate SCIM Connector documentation
as well.
Set up the directory for SCIM Connector.
Log in to the PingFederate Portal and select
Data
Stores
then click
Add New Data Store
.
Enter a
Data Store Name
and select
Directory
(LDAP)
as the
Type
.
Enter the
Hostname(s)
(including the
port number).
Enter a valid email address as the
User DN
.
Click
Test Connection
to verify
the connection is successful.
If the connection test is not successful, verify that the hostname and email address are
valid. Some directories, such as PingDirectory, format the User
DN as
cn=administrator
. In this case,
select
Use LDAPS
and use a different port
number, such as 1636, instead of the default port number of
389.
Copy and edit the
System ID
then paste
the edited value in the Cloud Identity Engine app as the
Directory
ID
.
You must edit the
System ID
to remove
the
LDAP-
that precedes the
Directory
ID
value before entering the value as the
Directory
ID
in the Cloud Identity Engine app.
Copy and edit the
User
value
and edit the edited value in the Cloud Identity Engine app as the
Directory
Name
.
For the
Directory Name
, use the
domain name that follows the username in the
User
column
(for the example below, the
Directory Name
is
the value after
Administrator@
).
Provision the SCIM connection.
Select
SP Connections
Create Connection
.
Select
Do not use a template for this connection
.
Select
Outbound provisioning
.
Select
SCIM Connector
.
If the SCIM Connector option isn’t available, confirm that you completed all substeps in the
previous step correctly.
Select
General Info
and enter
a
Partner’s Entity ID (Connection ID)
and
a
Connection Name
.
(Optional but recommended) To decrease the amount
of time necessary for the initial sync, select
Outbound
Provisioning
Configure Provisioning
Manage Channels
Channel Configuration
Channel Info
and increase the
value for
Max Threads
.
The range is recommended range is 1–5; for optimal sync
time, Palo Alto Networks recommends 5 as the value for
Max Threads
.
Specify the information from the Cloud Identity Engine
for the SCIM connection provisioning.
Select
Outbound Provisioning
Configure Provisioning
.
Select the
SP Connections Target
tab
and enter the
Base URL
that you copied from
the Cloud Identity Engine.
Select
Applications
SP Connections
SP Connection
Configure Channels
Manage Channels
.
Select
OAuth 2 Bearer Token
as the
Authentication
Method
and enter the
Bearer Token
that
you copied from the Cloud Identity Engine as the
Access
Token
.
Select
Common Name
as the
Group
Name Source
.
Select
Use patch for group updates
.
Configure the channels for the SCIM connection.
Select
Configure Channels
and
Create
a channel.
Enter a
Name
for the channel and select the
directory you want to configure in the Cloud Identity Engine as the
Active Data Store
.
Select
Source Location
and
enter the
Base DN
for your directory.
Enter the
Group DN
for the
source of the user and group mappings or create a filter that specifies
which entries to use. For example,
Group DN:CN=Chicago,OU=Illinois,DC=example,DC=com
syncs
all users and groups in the Chicago group.
If you use a Group DN and your directory contains
nested groups, select
Nested Search
.
Retention of nested group hierarchies from PingFederate servers through the SCIM Connector is
not available. If your directory contains nested groups and you
want to sync all of the child users and groups, you must select
the method you want to use to ensure the Cloud Identity Engine
correctly collects all users and groups in the parent group.
Add the parent group as a member of a different group
and use that container group as the Group DN. For
example, configure the parent group in a directory with
the name
root
in an OU with the
name
location
and use the value
CN=root,OU=location,DC=paloaltonetworks,DC=com
for the Group DN.
Add a filter that includes all members of the parent
group (for example,
(objectClass=user),(objectClass=group)
includes all users and groups in the Base DN
DC=paloaltonetworks,DC=com
).
Select
Attribute Mapping
and
Edit
the
userName*
to
userPrincipalName
.
Save
the connection and continue the
configuration in the Cloud Identity Engine.
Complete the postdeployment steps to configure the PingFederate server for
the SCIM Connector.
In the Cloud Identity Engine, verify the app populates the
SCIM Change Timestamp
then complete a
full sync (
Actions
Full Sync
).
Configure Okta Directory for SCIM Connector
You must also complete the required steps in the Okta Administrator Dashboard to
complete the SCIM Connector configuration. For more information, refer to the
documentation for the Okta Directory.
and optionally enter
any other information (such as an
App Logo
or
App Visibility
) then click
Next
.
Enter the
Single-sign on URL
where you want
to redirect users to sign in and the
Audience URI (SP
Entity ID)
then click
Next
.
Select the option that best reflects your use of the SCIM Connector
app integration and click
Finish
.
Configure the Okta SCIM Connector app integration.
Select
General
(if it is not already
selected) and
Edit
the
App
Settings
.
Select
SCIM
as the
Provisioning
method and
Save
your changes.
Configure provisioning for the Okta SCIM Connector app integration.
Select
Provisioning
and
Edit
the SCIM Connection settings.
Enter the
Base URL
you copied from the Cloud
Identity Engine app in Step 3.b as the
SCIM connector base URL
.
Enter
userName
as the
Unique
identifier field for users
.
Select the
Supported provisioning actions
you want to use to allow users to authenticate.
Select
HTTP Header
as the
Authentication Mode
.
Enter the
Bearer Token
you copied from the
Cloud Identity Engine app in Step 3.c and
Save
your changes.
Select
Provisioning
and
Edit
the settings.
Select at least one of the options for
Provisioning to
App
and
Save
your
changes.
Assign the users and groups that you want to use the Okta SCIM Connector
app integration.
Select
Assignments
Assign
Assign to People
to assign the users you want to use Okta SCIM.
Select the users for whom you want to
Assign
this app.
Review and edit the information as needed then click
Save and Go Back
.
Verify the users you added display on the
Assignments
tab.
Select
Push Groups
then
Find
groups by name
to assign groups to this app.
Select the group you want to assign to this app then click
Save and add another
. Repeat as needed
until all the groups you want to assign to this app have been
selected then click
Save
.
Verify the configuration.
Select
Reports
System Log
.
Verify that log results display to confirm that the SCIM Connector
can successfully communicate with your directory. If no results
populate, the SCIM Connector cannot communicate with your directory;
verify the configuration and make any needed changes, then check the
log results again.
Verify that this step is complete before
continuing to the next step. Until the log results display in
the Okta Administrator Dashboard, a full sync cannot
successfully complete for the directory in the Cloud Identity
Engine app.
In the Cloud Identity Engine app, select
Directories
and verify that the timestamp
displays in the
SCIM Change Timestamp
column
for the Okta SCIM directory.
Select
Actions
Full Sync
for the directory.
The configuration is not complete until
you have successfully completed a full sync for the
entire directory.
If the number of users and groups doesn’t display, refer to Troubleshoot Cloud Identity Engine Issues.
Verify that this step is complete before continuing to the next step. Until the log results display in the Okta Administrator Dashboard, a full sync cannot successfully complete for the directory in the Cloud Identity Engine app.
