Configure SCIM Connector for the Cloud Identity Engine

As part of the Cloud Identity Engine, Directory Sync connects to your directory to obtain user and group information for user identification and enforcement for group-based and user-based Security policy.
Configuring the System for Cross-Domain Identity Management (SCIM) protocol for Directory Sync in the Cloud Identity Engine allows you to customize what attributes Directory Sync collects from your directory. You can add or remove attributes in your directory portal to customize which attributes you want to share with the Cloud Identity Engine for user and group identification.
The SCIM gallery app does not support the userType attribute.
Configuring your directory to use the SCIM Connector with the Cloud Identity Engine requires completing all necessary steps in both the Cloud Identity Engine and in the portal for your specific SCIM client. If you encounter any issues with the SCIM Connector setup, learn how to Troubleshoot Cloud Identity Engine Issues.
  1. Set up SCIM Connector in the Cloud Identity Engine app and complete the predeployment steps for your SCIM client.
    1. In the Cloud Identity Engine app, select Directory Sync > Directories > Cloud Directory > Set Up > SCIM.
    2. Select the SCIM Client you want to use (Azure, Ping, or Okta).
  2. In the portal for your SCIM client, obtain the necessary information you must enter to configure the SCIM Connector in the Cloud Identity Engine.
  3. Enter the necessary information in the Cloud Identity Engine to configure your directory to use SCIM with Directory Sync.
    1. Enter the Directory ID (up to 40 alphanumeric characters, including hyphens) and Directory Name (up to 50 lowercase alphanumeric characters, including periods, hyphens, and underscores) that you copied from your directory portal.
      • For the Directory ID in the Cloud Identity Engine:
        • For Azure, use the Tenant ID.
        • For Ping, use the System ID.
        • For Okta, use the Directory Name. Palo Alto Networks recommends using the Directory Name, but you can enter any name (up to 40 alphanumeric characters, including hyphens).
      • For the Directory Name in the Cloud Identity Engine:
        • For Azure, use the Primary Domain.
        • For Ping, use the User.
        • For Okta, use the Okta Domain.
    2. Copy the Base URL and save it in a secure location.
    3. Click Generate Bearer Token, then copy the token that the Cloud Identity Engine generates for your Authorization Method and save it in a secure location.
      Before continuing to the next step and submitting the changes, make sure to save the token in a location where you can easily retrieve it to enter it in your SCIM client directory portal. If you submit the changes in the Cloud Identity Engine app before you generate and save the token, you must generate a new token in the Cloud Identity Engine app and enter the new token in the directory portal.
    4. Click Submit to commit your changes.
      You must click Submit to create the configuration in the Cloud Identity Engine app before continuing the configuration in the IdP. Then return to the Cloud Identity Engine app and complete a full sync of the entire directory; the configuration is not complete until that sync succeeds.
  4. Select the check box and click OK to confirm your acknowledgment of the postconfiguration requirements, then return to the portal for your SCIM client to complete the postconfiguration steps.
    After completing the steps in both the Cloud Identity Engine app and your directory portal, you can use the SCIM Connector to collect attributes from your directory. To learn which attributes the SCIM Connector collects, see the Cloud Identity Engine Attributes.

Configure Azure Active Directory for SCIM Connector

You must also complete the required steps in the Azure Active Directory (AD) Portal to complete the SCIM Connector configuration. For more information, refer to the documentation for the Azure AD SCIM Connector.
  1. Complete the predeployment steps to add a new application in the Azure Portal, then obtain the necessary information to configure SCIM for Directory Sync.
    Azure Active Directory (AD) SCIM provisioning requires that the group displayName attribute is unique. If more than one group has the same displayName value, the initial sync isn't successful and the data for the duplicate group names might only be partially retrievable. If you don't use the duplicate groups in Security policy, you can proceed. If you use the duplicate group names in Security policy, you must resolve the issue by modifying the displayName attribute in your Azure Active Directory (AD) so that it's unique.
    1. Log in to the Azure Portal.
    2. Select Overview (if it isn't already selected), copy the Tenant ID, and save it in a secure location.
    3. Copy the Primary domain and save it in a secure location.
    4. Select Enterprise applications > All applications > New application.
    5. To Search application(s), enter Palo Alto Networks SCIM Connector.
    6. Select Palo Alto Networks SCIM Connector and Create the application.
      If you encounter an error when creating the application, refer to Troubleshoot Cloud Identity Engine Issues.
    7. Return to the Cloud Identity Engine app to continue the SCIM Connector setup.
      You must complete the setup in the Cloud Identity Engine before you can successfully Test Connection in the Azure Portal.
    8. After you submit the SCIM Connector configuration in the Cloud Identity Engine app, continue to the next step.
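As an added example (not Palo Alto Networks or Microsoft code), here is a pre-sync check for the displayName uniqueness requirement described in this step. It works on group records shaped like the id and displayName fields of a Microsoft Graph /groups response; the sample records and the set of group names referenced by Security policy are constructed inputs.

```python
"""Pre-sync check for the Azure AD group displayName uniqueness requirement.

Added example, not Palo Alto Networks or Microsoft code. Input records carry the
`id` and `displayName` fields as returned by Microsoft Graph's /groups endpoint;
the records below and the policy-referenced group set are constructed.
"""
from collections import defaultdict

# Constructed sample of what GET /groups might return (id, displayName only).
SAMPLE_GROUPS = [
    {"id": "11111111-aaaa-4bbb-8ccc-000000000001", "displayName": "Finance"},
    {"id": "11111111-aaaa-4bbb-8ccc-000000000002", "displayName": "Finance"},
    {"id": "11111111-aaaa-4bbb-8ccc-000000000003", "displayName": "Engineering"},
    {"id": "11111111-aaaa-4bbb-8ccc-000000000004", "displayName": "Contractors"},
    {"id": "11111111-aaaa-4bbb-8ccc-000000000005", "displayName": "Contractors"},
]

# Constructed: group names that Security policy rules reference.
POLICY_GROUPS = {"Finance", "Engineering"}


def find_duplicate_display_names(groups):
    """Return {displayName: [group ids]} for every displayName shared by 2+ groups."""
    by_name = defaultdict(list)
    for group in groups:
        by_name[group["displayName"]].append(group["id"])
    return {name: ids for name, ids in by_name.items() if len(ids) > 1}


def classify_duplicates(groups, policy_groups):
    """Split duplicates into those that must be fixed and those you can proceed with.

    Per the procedure, a duplicate displayName has to be fixed before the initial
    sync only when that group is used in Security policy; other duplicates may sync
    partially but do not block the setup.
    """
    duplicates = find_duplicate_display_names(groups)
    blocking = {n: ids for n, ids in duplicates.items() if n in policy_groups}
    ignorable = {n: ids for n, ids in duplicates.items() if n not in policy_groups}
    return blocking, ignorable


if __name__ == "__main__":
    must_fix, can_ignore = classify_duplicates(SAMPLE_GROUPS, POLICY_GROUPS)
    for name, ids in must_fix.items():
        print(f"FIX BEFORE SYNC: '{name}' is used in policy and shared by {ids}")
    for name, ids in can_ignore.items():
        print(f"info: '{name}' is duplicated ({len(ids)} groups) but not used in policy")
```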
  2. Configure your Azure Active Directory (AD) to use SCIM Connector to connect to the Cloud Identity Engine.
    1. Log in to the Azure Active Directory (AD) Portal.
    2. Select Enterprise Applications, then select the Palo Alto Networks SCIM Connector application.
    3. Select Provisioning and click Get Started.
    4. Select Automatic as the Provisioning Mode.
    5. Enter the following information from steps 3.b and 3.c of the Cloud Identity Engine setup in the fields as indicated:
      • Copy the Base URL from the Cloud Identity Engine and enter it as the Tenant URL in the Azure Portal.
      • Copy the Authorization Method Bearer token from the Cloud Identity Engine and enter it as the Secret Token in the Azure Portal.
    6. Save your changes.
    7. (Optional but recommended) Click Test Connection to confirm that the Azure Active Directory (AD) can successfully communicate with the Cloud Identity Engine app.
      You must complete the setup in the Cloud Identity Engine before you can successfully Test Connection in the Azure Portal.
  3. Manage the users, groups, and attributes that the Azure Active Directory (AD) provisions to the Cloud Identity Engine app.
    1. In the Azure Portal, select Provisioning > Edit Provisioning.
    2. Select Mappings, then select whether you want to edit the attributes when you Provision Active Directory Groups or Provision Active Directory Users.
      For optimal performance, Palo Alto Networks strongly recommends provisioning only the groups that you want to use with the SCIM Connector. If you are using Prisma Access with the Cloud Identity Engine, make sure that you provision every group that you use in your Security policy so that the policy is applied correctly.
    3. Delete any attributes that you don't want to provide to the Cloud Identity Engine app.
    4. (Optional) Click Add new mapping to add a new mapping that you want Azure Active Directory (AD) to use to identify users for the Cloud Identity Engine.
    5. (Optional) By default, the Cloud Identity Engine only synchronizes the users and groups you assign to this app in the Azure Portal. You can optionally synchronize all users and groups (Settings > Sync all users and groups).
    6. Save your changes when they are complete.
  4. Allow Azure Active Directory (AD) to provide the information to the Cloud Identity Engine and verify that the Cloud Identity Engine uses SCIM to obtain the Azure Active Directory (AD) information.
    1. In the Azure Portal, verify you've completed all the provisioning steps in the documentation for the Azure AD SCIM Connector.
    2. Select the name of the app that you configured in the first step, then select Manage > Provisioning > Start Provisioning to begin providing attributes to the Cloud Identity Engine.
    3. Wait until the sync is complete (Initial cycle completed), then View provisioning details.
    4. Verify that the synchronization was successful by confirming the timestamps (Completed and Steady state achieved) and verifying that the number of Users and Groups displays.
      If the number of users and groups does not display, refer to Troubleshoot Cloud Identity Engine Issues.
    5. In the Cloud Identity Engine app, verify that the SCIM Change Timestamp for your Azure SCIM directory populates on the Directories page.
    6. Select Actions > Full Sync to complete a full synchronization of your Azure Active Directory with Directory Sync for the Cloud Identity Engine.
      You must successfully complete a full sync in the Cloud Identity Engine app to complete the SCIM Connector setup.

Configure PingFederate for SCIM Connector

Complete the following steps to configure the Cloud Identity Engine to use the SCIM Connector to connect to your PingFederate server. Be sure to complete all the steps in the PingFederate SCIM Connector documentation as well.
  1. Set up the directory for SCIM Connector.
    1. Log in to the PingFederate Portal and select Data Stores, then click Add New Data Store.
    2. Enter a Data Store Name and select Directory (LDAP) as the Type.
    3. Enter the Hostname(s) (including the port number).
    4. Enter a valid email address as the User DN.
    5. Click Test Connection to verify the connection is successful.
      If the connection test isn't successful, verify that the hostname and email address are valid. Some directories, such as PingDirectory, format the User DN as cn=administrator. In this case, select Use LDAPS and use a different port number, such as 1636, instead of the default port number of 389.
    6. Copy and edit the System ID, then paste the edited value in the Cloud Identity Engine app as the Directory ID.
      You must edit the System ID to remove the LDAP- prefix that precedes the Directory ID value before entering the value as the Directory ID in the Cloud Identity Engine app.
    7. Copy and edit the User value, then enter the edited value in the Cloud Identity Engine app as the Directory Name.
      For the Directory Name, use the domain name that follows the username in the User column (for example, if the User value begins with Administrator@, the Directory Name is the value after Administrator@).
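As an added example (not Palo Alto Networks or Ping Identity code), the following helper derives the Directory ID and Directory Name for each SCIM client from the portal values named in the procedure above (Tenant ID and Primary Domain for Azure, System ID and User for Ping, Directory Name and Okta Domain for Okta) and checks them against the field rules given in the Cloud Identity Engine setup step. The portal values used at the bottom are constructed.

```python
"""Derive and validate the Cloud Identity Engine Directory ID / Directory Name.

Added example, not Palo Alto Networks or Ping Identity code. It encodes the field
rules from the procedure (Directory ID: up to 40 alphanumeric characters and
hyphens; Directory Name: up to 50 lowercase alphanumeric characters, periods,
hyphens and underscores) and the PingFederate edits (drop the LDAP- prefix from
the System ID; take the domain after the @ in the User value).
"""
import re


def directory_id_from_system_id(system_id: str) -> str:
    """PingFederate System ID -> Directory ID: remove the leading 'LDAP-'."""
    prefix = "LDAP-"
    return system_id[len(prefix):] if system_id.startswith(prefix) else system_id


def directory_name_from_user(user: str) -> str:
    """PingFederate User value -> Directory Name: the domain after '@'.

    The Directory Name field only accepts lowercase, so the domain is lowercased.
    """
    if "@" not in user:
        raise ValueError(f"User value {user!r} has no '@' domain part")
    return user.rsplit("@", 1)[1].lower()


def validate_directory_id(value: str) -> list:
    """Return the list of rule violations for a Directory ID (empty means OK)."""
    problems = []
    if not 1 <= len(value) <= 40:
        problems.append("Directory ID must be 1-40 characters")
    if not re.fullmatch(r"[A-Za-z0-9-]*", value):
        problems.append("Directory ID may contain only letters, digits and hyphens")
    return problems


def validate_directory_name(value: str) -> list:
    """Return the list of rule violations for a Directory Name (empty means OK)."""
    problems = []
    if not 1 <= len(value) <= 50:
        problems.append("Directory Name must be 1-50 characters")
    if not re.fullmatch(r"[a-z0-9._-]*", value):
        problems.append("Directory Name may contain only lowercase letters, digits, '.', '-' and '_'")
    return problems


def cie_directory_fields(client: str, **portal) -> tuple:
    """Map portal values to (Directory ID, Directory Name) per the procedure's table."""
    if client == "azure":
        return portal["tenant_id"], portal["primary_domain"].lower()
    if client == "ping":
        return (directory_id_from_system_id(portal["system_id"]),
                directory_name_from_user(portal["user"]))
    if client == "okta":
        return portal["directory_name"], portal["okta_domain"].lower()
    raise ValueError(f"unknown SCIM client {client!r}")


def check_client_values(client: str, **portal) -> tuple:
    """Derive both fields and return (directory_id, directory_name, problems)."""
    directory_id, directory_name = cie_directory_fields(client, **portal)
    problems = validate_directory_id(directory_id) + validate_directory_name(directory_name)
    return directory_id, directory_name, problems


if __name__ == "__main__":
    # Constructed PingFederate values, as they would appear in the Data Stores list.
    did, dname, issues = check_client_values(
        "ping", system_id="LDAP-9f3a2b1c", user="Administrator@Example.com")
    print(f"Directory ID={did!r} Directory Name={dname!r} problems={issues}")
```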
  2. Provision the SCIM connection.
    1. Select SP Connections > Create Connection.
    2. Select Do not use a template for this connection.
    3. Select Outbound provisioning.
    4. Select SCIM Connector.
      If the SCIM Connector option isn't available, confirm that you completed all substeps in the previous step correctly.
    5. Select General Info and enter a Partner's Entity ID (Connection ID) and a Connection Name.
    6. (Optional but recommended) To decrease the amount of time necessary for the initial sync, select Outbound Provisioning > Configure Provisioning > Manage Channels > Channel Configuration > Channel Info and increase the value for Max Threads.
      The recommended range is 1–5; for optimal sync time, Palo Alto Networks recommends 5 as the value for Max Threads.
  3. Specify the information from the Cloud Identity Engine for the SCIM connection provisioning.
    1. Select Outbound Provisioning > Configure Provisioning.
    2. Select the SP Connections Target tab and enter the Base URL that you copied from the Cloud Identity Engine.
    3. Select Applications > SP Connections > SP Connection > Configure Channels > Manage Channels.
    4. Select OAuth 2 Bearer Token as the Authentication Method and enter the Bearer Token that you copied from the Cloud Identity Engine as the Access Token.
    5. Select Common Name as the Group Name Source.
    6. Select Use patch for group updates.
  4. Configure the channels for the SCIM connection.
    1. Select Configure Channels and Create a channel.
    2. Enter a Name for the channel and select the directory you want to configure in the Cloud Identity Engine as the Active Data Store.
    3. Select Source Location and enter the Base DN for your directory.
    4. Enter the Group DN for the source of the user and group mappings or create a filter that specifies which entries to use. For example, Group DN: CN=Chicago,OU=Illinois,DC=example,DC=com syncs all users and groups in the Chicago group.
    5. If you use a Group DN and your directory contains nested groups, select Nested Search.
      Retention of nested group hierarchies from PingFederate servers through the SCIM Connector is not available. If your directory contains nested groups and you want to sync all of the child users and groups, you must select the method you want to use to ensure the Cloud Identity Engine correctly collects all users and groups in the parent group.
      • Add the parent group as a member of a different group and use that container group as the Group DN. For example, configure the parent group in a directory with the name root in an OU with the name location, and use the value CN=root,OU=location,DC=paloaltonetworks,DC=com for the Group DN.
      • Add a filter that includes all members of the parent group (for example, (objectClass=user),(objectClass=group) includes all users and groups in the Base DN DC=paloaltonetworks,DC=com).
    6. Select Attribute Mapping and Edit the userName* attribute so that it maps to userPrincipalName.
    7. Save the connection and continue the configuration in the Cloud Identity Engine.
  5. Complete the postdeployment steps to configure the PingFederate server for the SCIM Connector.
    1. Verify that you've completed all of the provisioning steps.
    2. In the PingFederate Portal, either commit a directory change or enter the following command:
      pingfederate/bin/provmgr.sh --reset-all -c [channel number]
      To determine the channel number, use the ./provmgr.sh --show-channels command.
    3. In the Cloud Identity Engine, verify the app populates the SCIM Change Timestamp, then complete a full sync (Actions > Full Sync).

Configure Okta Directory for SCIM Connector

You must also complete the required steps in the Okta Administrator Dashboard to complete the SCIM Connector configuration. For more information, refer to the documentation for the Okta Directory.
The SCIM Connector for Okta directory supports the following capabilities:
  • Create users
  • Update user attributes
  • Deactivate users
  • Import users
  • Import groups
  • Sync password
  • Group push
  1. Log in to your Okta Administrator Dashboard and add the integration using the Okta Integration Network.
    1. Log in to the Okta Administrator Dashboard, select Applications, and click Browse App Catalog.
    2. Enter Palo Alto Networks SCIM as the search query.
    3. Select the app and click Add Integration.
    4. Optionally change any settings, such as the Application Label, then click Done.
    5. Copy your Okta domain name.
  2. Configure the Okta integration to communicate with the Cloud Identity Engine.
    1. Select Provisioning.
    2. Click Configure API Integration.
    3. Select Enable API integration.
    4. Enter the URL you copied in step 3.b as the Base URL.
    5. Enter the token you copied in step 3.c as the API Token.
    6. Click Test API Credentials to verify the Okta directory can successfully communicate with the Palo Alto Networks SCIM integration, then click Save.
      If the test is not successful, verify that you successfully submitted your configuration in the Cloud Identity Engine app in step 3.d.
  3. Assign the Okta integration to the users you want to include in your Security policy.
    1. Edit the settings to assign Provisioning to App.
    2. Enable all the options and Save your changes.
    3. Select the Push Groups tab, then click the Find Groups button to Find groups by name.
    4. Type the name of a group to Push groups by name.
    5. Select the group and Save your changes.
  4. Verify the configuration.
    1. In the Cloud Identity Engine app, select Directories and verify that the timestamp displays in the SCIM Change Timestamp column for the Okta SCIM directory.
    2. Select Actions > Full Sync for the directory.
      The configuration isn't complete until you've successfully completed a full sync for the entire directory.

Configure a Custom Okta App Integration for SCIM Connector

Palo Alto Networks strongly recommends using the Okta gallery app to Configure Okta Directory for SCIM Connector. If you want to use a custom Okta app integration, complete the following steps.
  1. Log in to your Okta Administrator Dashboard and Create an app integration.
    1. Select SAML 2.0 as the Sign-in method and click Next.
    2. Enter a unique App Name and optionally enter any other information (such as an App Logo or App Visibility), then click Next.
    3. Enter the Single sign-on URL where you want to redirect users to sign in and the Audience URI (SP Entity ID), then click Next.
    4. Select the option that best reflects your use of the SCIM Connector app integration and click Finish.
  2. Configure the Okta SCIM Connector app integration.
    1. Select General (if it is not already selected) and Edit the App Settings.
    2. Select SCIM as the Provisioning method and Save your changes.
  3. Configure provisioning for the Okta SCIM Connector app integration.
    1. Select Provisioning and Edit the SCIM Connection settings.
    2. Enter the Base URL you copied from the Cloud Identity Engine app in Step 3.b as the SCIM connector base URL.
    3. Enter userName as the Unique identifier field for users.
    4. Select the Supported provisioning actions you want to use to allow users to authenticate.
    5. Select HTTP Header as the Authentication Mode.
    6. Enter the Bearer Token you copied from the Cloud Identity Engine app in Step 3.c and Save your changes.
    7. Select Provisioning and Edit the settings.
    8. Select at least one of the options for Provisioning to App and Save your changes.
  4. Assign the users and groups that you want to use the Okta SCIM Connector app integration.
    1. Select Assignments > Assign > Assign to People to assign the users you want to use Okta SCIM.
    2. Select the users for whom you want to Assign this app.
    3. Review and edit the information as needed, then click Save and Go Back.
    4. Verify the users you added display on the Assignments tab.
    5. Select Push Groups, then Find groups by name to assign groups to this app.
    6. Select the group you want to assign to this app, then click Save and add another. Repeat as needed until all the groups you want to assign to this app have been selected, then click Save.
  5. Verify the configuration.
    1. Select Reports > System Log.
    2. Verify that log results display to confirm that the SCIM Connector can successfully communicate with your directory. If no results populate, the SCIM Connector cannot communicate with your directory; verify the configuration and make any needed changes, then check the log results again.
      Verify that this step is complete before continuing to the next step. Until the log results display in the Okta Administrator Dashboard, a full sync cannot successfully complete for the directory in the Cloud Identity Engine app.
    3. In the Cloud Identity Engine app, select Directories and verify that the timestamp displays in the SCIM Change Timestamp column for the Okta SCIM directory.
    4. Select Actions > Full Sync for the directory.
      The configuration is not complete until you have successfully completed a full sync for the entire directory.
