Configure SCIM Connector for the Cloud Identity Engine
As part of the Cloud Identity Engine, Directory Sync connects to your directory to
obtain user and group information for user identification and enforcement for
group-based and user-based Security policy.
Configuring the System for Cross-Domain Identity Management (SCIM) protocol for Directory Sync in the
Cloud Identity Engine allows you to customize what attributes Directory Sync
collects from your directory. You can add or remove attributes in your directory
portal to customize which attributes you want to share with the Cloud Identity
Engine for user and group identification.
The SCIM gallery app does not support the userType attribute.
Configuring your directory to use the SCIM Connector with the Cloud Identity Engine
requires completing all necessary steps in both the Cloud Identity Engine and in the
portal for your specific SCIM client. If you encounter any issues with the SCIM
Connector setup, learn how to Troubleshoot Cloud Identity Engine Issues.
- Set up the SCIM Connector in the Cloud Identity Engine app and complete the predeployment steps for your SCIM client.
  - Complete the predeployment steps for your SCIM client.
  - In the Cloud Identity Engine app, select Directory Sync > Directories > Cloud Directory > Set Up > SCIM.
  - Select the SCIM Client you want to use:
    - Azure AD—Configure an Azure Active Directory to use the SCIM Connector. Be sure to complete the predeployment steps in the Azure Portal to Configure Azure Active Directory for SCIM Connector.
    - PingFederate—Configure a PingFederate server to use the SCIM Connector. Be sure to complete the predeployment steps in the PingFederate portal to Configure PingFederate for SCIM Connector.
    - Okta—Configure an Okta Directory to use the SCIM Connector. Be sure to complete the predeployment steps in the Okta Administrator Dashboard to Configure Okta Directory for SCIM Connector.
- In the portal for your SCIM client, obtain the necessary information you must enter to configure the SCIM Connector in the Cloud Identity Engine.
- Enter the necessary information in the Cloud Identity Engine to configure your directory to use SCIM with Directory Sync.
  - Enter the Directory ID (up to 40 alphanumeric characters, including hyphens) and Directory Name (up to 50 lowercase alphanumeric characters, including periods, hyphens, and underscores) that you copied from your directory portal.
    - For the Directory ID in the Cloud Identity Engine:
      - For Azure, use the Tenant ID.
      - For Ping, use the System ID.
      - For Okta, use the Directory Name. Palo Alto Networks recommends using the Directory Name, but you can enter any name (up to 40 alphanumeric characters, including hyphens).
    - For the Directory Name in the Cloud Identity Engine:
      - For Azure, use the Primary Domain.
      - For Ping, use the User.
      - For Okta, use the Okta Domain.
  - Copy the Base URL and save it in a secure location.
  - Click Generate Bearer Token, then copy the token that the Cloud Identity Engine generates for your Authorization Method and save it in a secure location. Before continuing to the next step and submitting the changes, make sure to save the token in a location where you can easily retrieve it to enter it in your SCIM client directory portal. If you submit the changes in the Cloud Identity Engine app before you generate and save the token, you must generate a new token in the Cloud Identity Engine app and enter the new token in the directory portal.
  - Click Submit to commit your changes. You must click Submit to create the configuration in the Cloud Identity Engine app before continuing the configuration in the IdP, then return to the Cloud Identity Engine app and complete a full sync of the entire directory before the configuration is complete.
  - Select the check box and click OK to confirm your acknowledgment of the postconfiguration requirements, then return to the portal for your SCIM client to complete the postconfiguration steps. After completing the steps in both the Cloud Identity Engine app and your directory portal, you can use the SCIM Connector to collect attributes from your directory. To learn which attributes the SCIM Connector collects, see Cloud Identity Engine Attributes.
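As an added example (not part of the Palo Alto Networks documentation), the following Python helper derives the Directory ID and Directory Name for each SCIM client from the portal values named above and checks them against the stated length and character constraints before you enter them in the Cloud Identity Engine; the dictionary keys and the sample portal values are assumptions.

```python
import re

# Constraints stated in the Cloud Identity Engine setup steps above.
DIRECTORY_ID_RE = re.compile(r"^[A-Za-z0-9-]{1,40}$")
DIRECTORY_NAME_RE = re.compile(r"^[a-z0-9._-]{1,50}$")


def ping_directory_id(system_id: str) -> str:
    """Strip the 'LDAP-' prefix that precedes the PingFederate System ID."""
    prefix = "LDAP-"
    if not system_id.startswith(prefix):
        raise ValueError(f"System ID does not start with {prefix!r}: {system_id!r}")
    return system_id[len(prefix):]


def ping_directory_name(user: str) -> str:
    """Return the domain that follows the username in the PingFederate User column."""
    if "@" not in user:
        raise ValueError(f"User value is not user@domain: {user!r}")
    return user.rsplit("@", 1)[1]


def derive_directory_values(client: str, portal: dict) -> tuple[str, str]:
    """Map portal values to (Directory ID, Directory Name); the dict keys are assumed names."""
    if client == "Azure AD":
        return portal["tenant_id"], portal["primary_domain"]
    if client == "PingFederate":
        return ping_directory_id(portal["system_id"]), ping_directory_name(portal["user"])
    if client == "Okta":
        return portal["directory_name"], portal["okta_domain"]
    raise ValueError(f"unsupported SCIM client: {client!r}")


def validate_directory_values(directory_id: str, directory_name: str) -> list[str]:
    """Return the constraint violations; an empty list means both values are acceptable."""
    problems = []
    if not DIRECTORY_ID_RE.match(directory_id):
        problems.append("Directory ID: up to 40 alphanumeric characters or hyphens")
    if not DIRECTORY_NAME_RE.match(directory_name):
        problems.append("Directory Name: up to 50 lowercase alphanumeric characters, "
                        "periods, hyphens, or underscores")
    return problems


if __name__ == "__main__":
    # Constructed placeholder portal values, not real tenant data.
    samples = {
        "Azure AD": {"tenant_id": "00000000-0000-0000-0000-000000000000",
                     "primary_domain": "example.com"},
        "PingFederate": {"system_id": "LDAP-0123456789ABCDEF", "user": "Administrator@example.com"},
        "Okta": {"directory_name": "okta-scim", "okta_domain": "example.okta.com"},
    }
    for client, portal in samples.items():
        did, dname = derive_directory_values(client, portal)
        print(client, did, dname, validate_directory_values(did, dname) or "ok")
```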
Configure Azure Active Directory for SCIM Connector
You must also complete the required steps in the Azure Active Directory (AD)
Portal to complete the SCIM Connector configuration. For more information, refer
to the documentation for the Azure AD SCIM Connector.
- Complete the predeployment steps to add a new application in the Azure Portal, then obtain the necessary information to configure SCIM for Directory Sync.
  Azure Active Directory (AD) SCIM provisioning requires that the group attribute displayName is unique. If more than one group uses the same displayName value, the initial sync isn't successful and the data for the duplicate group names might only be partially retrievable. If you don't use the duplicate groups in Security policy, then you can proceed. If you use the duplicate group names in Security policy, you must resolve the issue by modifying the displayName attribute in your Azure Active Directory (AD) to ensure that it's unique.
  - Log in to the Azure Portal.
  - Select Overview (if it isn't already selected), copy the Tenant ID, and save it in a secure location.
  - Copy the Primary domain and save it in a secure location.
  - Select Enterprise applications > All applications > New application.
  - To Search application(s), enter Palo Alto Networks SCIM Connector.
  - Select Palo Alto Networks SCIM Connector and Create the application. If you encounter an error when creating the application, refer to Troubleshoot Cloud Identity Engine Issues.
  - Return to the Cloud Identity Engine app to continue the SCIM Connector setup. You must complete the setup in the Cloud Identity Engine before you can successfully Test Connection in the Azure Portal.
  - After you submit the SCIM Connector configuration in the Cloud Identity Engine app, continue to the next step.
- Configure your Azure Active Directory (AD) to use the SCIM Connector to connect to the Cloud Identity Engine.
  - Log in to the Azure Active Directory (AD) Portal.
  - Select Enterprise Applications, then select the Palo Alto Networks SCIM Connector application.
  - Select Provisioning and click Get Started.
  - Select Automatic as the Provisioning Mode.
  - Save your changes.
  - (Optional but recommended) Click Test Connection to confirm that the Azure Active Directory (AD) can successfully communicate with the Cloud Identity Engine app. You must complete the setup in the Cloud Identity Engine before you can successfully Test Connection in the Azure Portal.
- Manage the users, groups, and attributes that the Azure Active Directory (AD) provisions to the Cloud Identity Engine app.
  - In the Azure Portal, select Provisioning > Edit Provisioning.
  - Select Mappings, then select whether you want to edit the attributes when you Provision Active Directory Groups or Provision Active Directory Users. For optimal performance, Palo Alto Networks strongly recommends provisioning only the groups that you want to use with the SCIM connector. If you are using Prisma Access with the Cloud Identity Engine, make sure that you provision any groups that you use in your security policy to ensure it applies your security policy correctly.
  - Delete any attributes that you don't want to provide to the Cloud Identity Engine app.
  - (Optional) Click Add new mapping to add a new mapping that you want Azure Active Directory (AD) to use to identify users for the Cloud Identity Engine.
  - (Optional) By default, the Cloud Identity Engine only synchronizes the users and groups you assign to this app in the Azure Portal. You can optionally synchronize all users and groups (Settings > Sync all users and groups).
  - Save your changes when they are complete.
- Allow Azure Active Directory (AD) to provide the information to the Cloud Identity Engine and verify that the Cloud Identity Engine uses SCIM to obtain the Azure Active Directory (AD) information.
  - In the Azure Portal, verify you've completed all the provisioning steps in the documentation for the Azure AD SCIM Connector.
  - Select the name of the app that you configured in the first step, then select Manage > Provisioning > Start Provisioning to begin providing attributes to the Cloud Identity Engine.
  - Wait until the sync is complete (Initial cycle completed), then View provisioning details.
  - Verify that the synchronization was successful by confirming the timestamps (Completed and Steady state achieved) and verifying that the number of Users and Groups displays. If the number of users and groups does not display, refer to Troubleshoot Cloud Identity Engine Issues.
  - In the Cloud Identity Engine app, verify that the SCIM Change Timestamp for your Azure SCIM directory populates on the Directories page.
  - Select Actions > Full Sync to complete a full synchronization of your Azure Active Directory with Directory Sync for the Cloud Identity Engine. You must successfully complete a full sync in the Cloud Identity Engine app to complete the SCIM Connector setup.
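Because Azure AD SCIM provisioning fails the initial sync when two groups share a displayName, the following added Python check (not part of the Palo Alto Networks documentation) finds duplicate displayName values in an exported group list and reports which of them are referenced in Security policy and therefore must be renamed before provisioning; the group records and the policy group names are constructed samples, and exact case-sensitive matching is an assumption.

```python
from collections import defaultdict


def duplicate_display_names(groups: list[dict]) -> dict[str, list[str]]:
    """Map each displayName shared by more than one group to the ids of those groups.

    Comparison is exact (case-sensitive); that is an assumption, not Azure's rule.
    """
    ids_by_name: dict[str, list[str]] = defaultdict(list)
    for group in groups:
        name = group.get("displayName")
        if name:  # skip records that carry no displayName at all
            ids_by_name[name].append(group.get("id", "<no id>"))
    return {name: ids for name, ids in ids_by_name.items() if len(ids) > 1}


def policy_blocking_duplicates(groups: list[dict], policy_groups: set[str]) -> dict[str, list[str]]:
    """Duplicates that block the setup: those whose displayName is used in Security policy."""
    dupes = duplicate_display_names(groups)
    return {name: ids for name, ids in dupes.items() if name in policy_groups}


if __name__ == "__main__":
    # Constructed sample of Azure AD group objects (fields trimmed to id and displayName).
    sample_groups = [
        {"id": "g-001", "displayName": "Finance"},
        {"id": "g-002", "displayName": "Engineering"},
        {"id": "g-003", "displayName": "Finance"},
        {"id": "g-004", "displayName": "Contractors"},
        {"id": "g-005", "displayName": "Contractors"},
    ]
    # Constructed set of group names referenced by Security policy rules.
    policy_groups = {"Finance", "Engineering"}
    print("duplicate displayNames:", duplicate_display_names(sample_groups))
    print("must rename before sync:", policy_blocking_duplicates(sample_groups, policy_groups))
```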
Configure PingFederate for SCIM Connector
Complete the following steps to configure the Cloud Identity Engine to use the
SCIM Connector to connect to your PingFederate server. Be sure to complete all
the steps in the PingFederate SCIM Connector
documentation as well.
- Set up the directory for the SCIM Connector.
  - Log in to the PingFederate Portal and select Data Stores, then click Add New Data Store.
  - Enter a Data Store Name and select Directory (LDAP) as the Type.
  - Enter the Hostname(s) (including the port number).
  - Enter a valid email address as the User DN.
  - Click Test Connection to verify the connection is successful. If the connection test isn't successful, verify that the hostname and email address are valid. Some directories, such as PingDirectory, format the User DN as cn=administrator. In this case, select Use LDAPS and use a different port number, such as 1636, instead of the default port number of 389.
  - Copy and edit the System ID, then paste the edited value in the Cloud Identity Engine app as the Directory ID. You must edit the System ID to remove the LDAP- that precedes the Directory ID value before entering the value as the Directory ID in the Cloud Identity Engine app.
  - Copy and edit the User value, then enter the edited value in the Cloud Identity Engine app as the Directory Name. For the Directory Name, use the domain name that follows the username in the User column (for example, if the User value begins with Administrator@, the Directory Name is the value after Administrator@).
- Provision the SCIM connection.
  - Select SP Connections > Create Connection.
  - Select Do not use a template for this connection.
  - Select Outbound provisioning.
  - Select SCIM Connector. If the SCIM Connector option isn't available, confirm that you completed all substeps in the previous step correctly.
  - Select General Info and enter a Partner's Entity ID (Connection ID) and a Connection Name.
  - (Optional but recommended) To decrease the amount of time necessary for the initial sync, select Outbound Provisioning > Configure Provisioning > Manage Channels > Channel Configuration > Channel Info and increase the value for Max Threads. The recommended range is 1–5; for optimal sync time, Palo Alto Networks recommends 5 as the value for Max Threads.
- Specify the information from the Cloud Identity Engine for the SCIM connection provisioning.
  - Select Outbound Provisioning > Configure Provisioning.
  - Select the SP Connections Target tab and enter the Base URL that you copied from the Cloud Identity Engine.
  - Select Applications > SP Connections > SP Connection > Configure Channels > Manage Channels.
  - Select OAuth 2 Bearer Token as the Authentication Method and enter the Bearer Token that you copied from the Cloud Identity Engine as the Access Token.
  - Select Common Name as the Group Name Source.
  - Select Use patch for group updates.
- Configure the channels for the SCIM connection.
  - Select Configure Channels and Create a channel.
  - Enter a Name for the channel and select the directory you want to configure in the Cloud Identity Engine as the Active Data Store.
  - Select Source Location and enter the Base DN for your directory.
  - Enter the Group DN for the source of the user and group mappings or create a filter that specifies which entries to use. For example, the Group DN CN=Chicago,OU=Illinois,DC=example,DC=com syncs all users and groups in the Chicago group.
  - If you use a Group DN and your directory contains nested groups, select Nested Search. Retention of nested group hierarchies from PingFederate servers through the SCIM Connector is not available. If your directory contains nested groups and you want to sync all of the child users and groups, you must select the method you want to use to ensure the Cloud Identity Engine correctly collects all users and groups in the parent group:
    - Add the parent group as a member of a different group and use that container group as the Group DN. For example, configure the parent group in a directory with the name root in an OU with the name location and use the value CN=root,OU=location,DC=paloaltonetworks,DC=com for the Group DN.
    - Add a filter that includes all members of the parent group (for example, (objectClass=user),(objectClass=group) includes all users and groups in the Base DN DC=paloaltonetworks,DC=com).
  - Select Attribute Mapping and Edit the userName* to userPrincipalName.
  - Save the connection and continue the configuration in the Cloud Identity Engine.
- Complete the postdeployment steps to configure the PingFederate server for the SCIM Connector.
  - Verify that you've completed all of the provisioning steps.
  - In the PingFederate Portal, either commit a directory change or enter the following command: `pingfederate/bin/provmgr.sh --reset-all -c [channel number]`. To determine the channel number, use the `./provmgr.sh --show-channels` command.
  - In the Cloud Identity Engine, verify the app populates the SCIM Change Timestamp, then complete a full sync (Actions > Full Sync).
Configure Okta Directory for SCIM Connector
You must also complete the required steps in the Okta Administrator Dashboard to
complete the SCIM Connector configuration. For more information, refer to the
documentation for the Okta Directory.
The SCIM Connector for Okta directory supports the following capabilities:
- Create users
- Update user attributes
- Deactivate users
- Import users
- Import groups
- Sync password
- Group push
- Log in to your Okta Administrator Dashboard and add the integration using the Okta Integration Network.
  - Log in to the Okta Administrator Dashboard, select Applications, and click Browse App Catalog.
  - Enter Palo Alto Networks SCIM as the search query.
  - Select the app and click Add Integration.
  - Optionally change any settings, such as the Application Label, then click Done.
  - Copy your Okta domain name.
- Configure the Okta integration to communicate with the Cloud Identity Engine.
  - Select Provisioning.
  - Click Configure API Integration.
  - Select Enable API integration.
  - Enter the URL you copied in step 3.b as the Base URL.
  - Enter the token you copied in step 3.c as the API Token.
  - Click Test API Credentials to verify the Okta directory can successfully communicate with the Palo Alto Networks SCIM integration, then click Save. If the test is not successful, verify that you successfully submitted your configuration in the Cloud Identity Engine app in step 3.d.
- Assign the Okta integration to the users you want to include in your Security policy.
  - Edit the settings to assign Provisioning to App.
  - Enable all the options and Save your changes.
  - Select the Push Groups tab, then click the Find Groups button to Find groups by name.
  - Type the name of a group to Push groups by name.
  - Select the group and Save your changes.
- Verify the configuration.
  - In the Cloud Identity Engine app, select Directories and verify that the timestamp displays in the SCIM Change Timestamp column for the Okta SCIM directory.
  - Select Actions > Full Sync for the directory. The configuration isn't complete until you've successfully completed a full sync for the entire directory.
Configure a Custom Okta App Integration for SCIM Connector
Palo Alto Networks strongly recommends using the Okta gallery app to Configure Okta Directory for SCIM Connector. If you
want to use a custom Okta app integration, complete the following steps.
- Log in to your Okta Administrator Dashboard and Create an app integration.
  - Select SAML 2.0 as the Sign-in method and click Next.
  - Enter a unique App Name and optionally enter any other information (such as an App Logo or App Visibility), then click Next.
  - Enter the Single sign-on URL where you want to redirect users to sign in and the Audience URI (SP Entity ID), then click Next.
  - Select the option that best reflects your use of the SCIM Connector app integration and click Finish.
- Configure the Okta SCIM Connector app integration.
  - Select General (if it is not already selected) and Edit the App Settings.
  - Select SCIM as the Provisioning method and Save your changes.
- Configure provisioning for the Okta SCIM Connector app integration.
  - Select Provisioning and Edit the SCIM Connection settings.
  - Enter the Base URL you copied from the Cloud Identity Engine app in Step 3.b as the SCIM connector base URL.
  - Enter userName as the Unique identifier field for users.
  - Select the Supported provisioning actions you want to use to allow users to authenticate.
  - Select HTTP Header as the Authentication Mode.
  - Enter the Bearer Token you copied from the Cloud Identity Engine app in Step 3.c and Save your changes.
  - Select Provisioning and Edit the settings.
  - Select at least one of the options for Provisioning to App and Save your changes.
- Assign the users and groups that you want to use the Okta SCIM Connector app integration.
  - Select Assignments > Assign > Assign to People to assign the users you want to use Okta SCIM.
  - Select the users for whom you want to Assign this app.
  - Review and edit the information as needed, then click Save and Go Back.
  - Verify the users you added display on the Assignments tab.
  - Select Push Groups, then Find groups by name to assign groups to this app.
  - Select the group you want to assign to this app, then click Save and add another. Repeat as needed until all the groups you want to assign to this app have been selected, then click Save.
- Verify the configuration.
  - Select Reports > System Log.
  - Verify that log results display to confirm that the SCIM Connector can successfully communicate with your directory. If no results populate, the SCIM Connector cannot communicate with your directory; verify the configuration and make any needed changes, then check the log results again. Verify that this step is complete before continuing to the next step. Until the log results display in the Okta Administrator Dashboard, a full sync cannot successfully complete for the directory in the Cloud Identity Engine app.
  - In the Cloud Identity Engine app, select Directories and verify that the timestamp displays in the SCIM Change Timestamp column for the Okta SCIM directory.
  - Select Actions > Full Sync for the directory. The configuration is not complete until you have successfully completed a full sync for the entire directory.