Configure SCIM Connector for the Cloud Identity Engine
As part of the Cloud Identity Engine, Directory Sync connects to your directory to
obtain user and group information for user identification and enforcement for
group-based and user-based Security policy.
Configuring the System for Cross-Domain Identity Management (SCIM) protocol for Directory Sync in the
Cloud Identity Engine allows you to customize what attributes Directory Sync
collects from your directory. You can add or remove attributes in your directory
portal to customize which attributes you want to share with the Cloud Identity
Engine for user and group identification.
The SCIM gallery app does not support the userType
attribute.
Configuring your directory to use the SCIM Connector with the Cloud Identity Engine
requires completing all necessary steps in both the Cloud Identity Engine and in the
portal for your specific SCIM client. If you encounter any issues with the SCIM
Connector setup, learn how to Troubleshoot Cloud Identity Engine Issues.
Set up SCIM Connector in the Cloud Identity Engine app and complete the
predeployment steps for your SCIM client.
Complete the predeployment steps for your SCIM client.
—Configure a PingFederate
server to use the SCIM Connector. Be sure to complete the
predeployment steps in the PingFederate portal to Configure PingFederate for SCIM Connector.
Okta
—Configure an Okta Directory to use
the SCIM Connector. Be sure to complete the predeployment steps
in the Okta Administrator Dashboard to Configure Okta Directory for SCIM Connector.
In the portal for your SCIM client, obtain the necessary information you must
enter to configure the SCIM Connector in the Cloud Identity Engine.
Enter the necessary information in the Cloud Identity Engine to configure your
directory to use SCIM with Directory Sync.
Enter the
Directory ID
and
Directory
Name
you copied from your directory portal.
For the
Directory ID
in the Cloud
Identity Engine:
For Azure, use the
Tenant ID
.
For Ping, use the
System ID
.
For Okta, use the
Directory Name
.
Palo Alto Networks
recommends using the directory name; however, you
can use any name for the Directory ID.
For the
Directory Name
in the Cloud
Identity Engine:
For Azure, use the
Primary
Domain
.
For Ping, use the
User
.
For Okta, use the
Okta Domain
.
Copy the
Base URL
and save it in a secure
location.
Click
Generate Bearer Token
then copy the token
that the Cloud Identity Engine generates for your
Authorization Method
and save it in a secure
location.
Before continuing to the next step and
submitting the changes, make sure to save the token in a location
where you can easily retrieve it to enter it in your SCIM client
directory portal. If you submit the changes in the Cloud Identity
Engine app before you generate and save the token, you must generate
a new token in the Cloud Identity Engine app and enter the new token
in the directory portal.
Click
Submit
to commit your changes.
You must click
Submit
to create the configuration in the Cloud Identity Engine app before
continuing the configuration in the IdP, then return to the Cloud
Identity Engine app and complete a full sync of the entire
directory before the configuration is complete.
Select the check box and click
OK
to confirm your
acknowledgment of the postconfiguration requirements then return to the portal
for your SCIM client to complete the postconfiguration steps.
After completing the steps in both the Cloud Identity Engine app and your
directory portal, you can now use the SCIM Connector to collect attributes
from your directory. To learn which attributes the SCIM Collector collects,
see the Cloud Identity Engine
Attributes.
Configure Azure Active Directory for SCIM Connector
You must also complete the required steps in the Azure Active Directory (AD)
Portal to complete the SCIM Connector configuration. For more information, refer
to the documentation for the Azure AD SCIM Connector.
Complete the predeployment steps to add a new application in the Azure
Portal then obtain the necessary information to configure SCIM for Directory
Sync.
Azure Active Directory (AD) SCIM provisioning requires that the group
attribute
displayName
is unique. If more than one
group uses the
displayName
attribute, the initial
sync isn't successful and the data for the duplicate group names might
only be partially retrievable. If you don't use the duplicate groups in
Security policy, then you can proceed. If you use the duplicate group
names in Security policy, you must resolve the issue by modifying the
displayName
attribute in your Azure Active
Directory (AD) to ensure that it’s unique.
Return to the Cloud Identity Engine app to continue the SCIM
Connector setup.
You must complete the setup in the Cloud Identity Engine
before you can successfully
Test
Connection
in the Azure Portal.
After you submit the SCIM Connector configuration in the Cloud
Identity Engine app, continue to the next step.
Configure your Azure Active Directory (AD) to use SCIM Connector to connect
to the Cloud Identity Engine.
Log in to the Azure Active Directory (AD) Portal.
Select
Enterprise Applications
then select
the
Palo Alto Networks SCIM Connector
application.
Select
Provisioning
and click
Get
Started
.
Select
Automatic
as the
Provisioning Mode
.
Enter the following information from steps 3.2 and 3.3 in the
fields as indicated in the following table:
Copy from Cloud Identity Engine
Enter in Azure Portal
Base URL
Tenant URL
Authorization Method Bearer
token
Secret Token
Save
your changes.
(Optional but recommended) Click
Test
Connection
to confirm that the Azure Active
Directory (AD) can successfully communicate with the Cloud Identity
Engine app.
You must complete the setup in the Cloud Identity Engine
before you can successfully
Test
Connection
in the Azure Portal.
Manage the users, groups, and attributes that the Azure Active Directory
(AD) provisions to the Cloud Identity Engine app.
In the Azure Portal, select
Provisioning
Edit Provisioning
.
Select
Mappings
then select whether you want
to edit the attributes when you
Provision Active
Directory Groups
or
Provision Active
Directory Users
.
For optimal performance, Palo Alto
Networks strongly recommends provisioning only the groups that
you want to use the SCIM connector. If you are using Prisma
Access with the Cloud Identity Engine, make sure that you
provision any groups that you use in your security policy to
ensure it applies your security policy correctly.
Delete
any attributes that you don’t want to
provide to the Cloud Identity Engine app.
(Optional) Click
Add new mapping
to add a
new mapping that you want Azure Active Directory (AD) to use to
identify users for the Cloud Identity Engine.
(Optional) By default, the Cloud Identity Engine only synchronizes
the users and groups you assign to this app in the Azure Portal. You
can optionally synchronize all users and groups (
Settings
Sync all users and groups
).
Save
your changes when they are complete.
Allow Azure Active Directory (AD) to provide the information to the Cloud
Identity Engine and verify that the Cloud Identity Engine uses SCIM to
obtain the Azure Active Directory (AD) information.
In the Azure Portal, verify you’ve completed all the provisioning
steps in the documentation for the Azure AD SCIM
Connector.
Select the name of the app that you configured in the first step
then select
Manage
Provisioning
Start Provisioning
to begin providing attributes to the Cloud Identity
Engine.
Wait until the sync is complete (
Initial cycle
completed
) then
View provisioning
details
.
Verify that the synchronization was successful by confirming the
timestamps (
to complete a full synchronization of your Azure
Active Directory with Directory Sync for the Cloud Identity
Engine.
You must successfully complete a full sync in the Cloud
Identity Engine app to complete the SCIM Connector setup.
Configure PingFederate for SCIM Connector
Complete the following steps to configure the Cloud Identity Engine to use the
SCIM Connector to connect to your PingFederate server. Be sure to complete all
the steps in the PingFederate SCIM Connector
documentation as well.
Set up the directory for SCIM Connector.
Log in to the PingFederate Portal and select
Data
Stores
then click
Add New Data
Store
.
Enter a
Data Store Name
and select
Directory (LDAP)
as the
Type
.
Enter the
Hostname(s)
(including the port
number).
Enter a valid email address as the
User
DN
.
Click
Test Connection
to verify the
connection is successful.
If the connection test isn't successful, verify that the
hostname and email address are valid. Some directories, such as
PingDirectory, format the User DN as
cn=administrator
. In this case,
select
Use LDAPS
and use a different port
number, such as 1636, instead of the default port number of
389.
Copy and edit the
System ID
then paste the
edited value in the Cloud Identity Engine app as the
Directory ID
.
You must edit the
System ID
to remove
the
LDAP-
that precedes the
Directory ID
value before entering
the value as the
Directory ID
in the
Cloud Identity Engine app.
Copy and edit the
User
value and edit the
edited value in the Cloud Identity Engine app as the
Directory Name
.
For the
Directory Name
, use the domain
name that follows the username in the
User
column (for the example below,
the
Directory Name
is the value after
Administrator@
).
Provision the SCIM connection.
Select
SP Connections
Create Connection
.
Select
Do not use a template for this
connection
.
Select
Outbound provisioning
.
Select
SCIM Connector
.
If the SCIM Connector option isn’t available, confirm that you
completed all substeps in the previous step correctly.
Select
General Info
and enter a
Partner’s Entity ID (Connection ID)
and a
Connection Name
.
(Optional but recommended) To decrease the amount of time necessary
for the initial sync, select
Outbound Provisioning
Configure Provisioning
Manage Channels
Channel Configuration
Channel Info
and increase the value for
Max
Threads
.
The range is recommended range is 1–5; for optimal sync time,
Palo Alto Networks recommends 5 as the value for
Max
Threads
.
Specify the information from the Cloud Identity Engine for the SCIM
connection provisioning.
Select
Outbound Provisioning
Configure Provisioning
.
Select the
SP Connections Target
tab and
enter the
Base URL
that you copied from the
Cloud Identity Engine.
Select
Applications
SP Connections
SP Connection
Configure Channels
Manage Channels
.
Select
OAuth 2 Bearer Token
as the
Authentication Method
and enter the
Bearer Token
that you copied from the
Cloud Identity Engine as the
Access
Token
.
Select
Common Name
as the
Group
Name Source
.
Select
Use patch for group updates
.
Configure the channels for the SCIM connection.
Select
Configure Channels
and
Create
a channel.
Enter a
Name
for the channel and select the
directory you want to configure in the Cloud Identity Engine as the
Active Data Store
.
Select
Source Location
and enter the
Base DN
for your directory.
Enter the
Group DN
for the source of the
user and group mappings or create a filter that specifies which
entries to use. For example,
Group
DN:CN=Chicago,OU=Illinois,DC=example,DC=com
syncs
all users and groups in the Chicago group.
If you use a Group DN and your directory contains nested groups,
select
Nested Search
.
Retention of nested group hierarchies from PingFederate
servers through the SCIM Connector is not available. If your
directory contains nested groups and you want to sync all of the
child users and groups, you must select the method you want to
use to ensure the Cloud Identity Engine correctly collects all
users and groups in the parent group.
Add the parent group as a member of a different group
and use that container group as the Group DN. For
example, configure the parent group in a directory with
the name
root
in an OU with the
name
location
and use the value
CN=root,OU=location,DC=paloaltonetworks,DC=com
for the Group DN.
Add a filter that includes all members of the parent
group (for example,
(objectClass=user),(objectClass=group)
includes all users and groups in the Base DN
DC=paloaltonetworks,DC=com
).
Select
Attribute Mapping
and
Edit
the
userName*
to
userPrincipalName
.
Save
the connection and continue the
configuration in the Cloud Identity Engine.
Complete the postdeployment steps to configure the PingFederate server for
the SCIM Connector.
In the Cloud Identity Engine, verify the app populates the
SCIM Change Timestamp
then complete a
full sync (
Actions
Full Sync
).
Configure Okta Directory for SCIM Connector
You must also complete the required steps in the Okta Administrator Dashboard to
complete the SCIM Connector configuration. For more information, refer to the
documentation for the Okta Directory.
The SCIM Connector for Okta directory supports the following capabilities:
Create users
Update user attributes
Deactivate users
Import users
Import groups
Sync password
Group push
Log in to your Okta Administrator Dashboard and add the integration using
the Okta Integration Network.
Log in to the Okta Administrator Dashboard, select
to verify the
Okta directory can successfully communicate with the Palo Alto
Networks SCIM integration then click
Save
.
If the test is not successful, verify
that you successfully submitted your configuration in the Cloud
Identity Engine app in step 3.4.
Assign the Okta integration to the users you want to include in your
Security policy.
Edit
the settings to assign
Provisioning to App
.
Enable
all the options and
Save
your changes.
Select the
Push Groups
tab then click the
Find Groups
button to
Find
groups by name
.
Type the name of a group to
Push groups by
name
.
Select the group and
Save
your
changes.
Verify the configuration.
In the Cloud Identity Engine app, select
Directories
and verify that the timestamp
displays in the
SCIM Change Timestamp
column
for the Okta SCIM directory.
Select
Actions
Full Sync
for the directory.
The configuration isn’t complete until
you’ve successfully completed a full sync for the
entire directory.
Configure a Custom Okta App Integration for SCIM
Connector
Palo Alto Networks strongly recommends using the Okta gallery app to Configure Okta Directory for SCIM Connector. If you
want to use a custom Okta app integration, complete the following steps.
and optionally enter
any other information (such as an
App Logo
or
App Visibility
) then click
Next
.
Enter the
Single-sign on URL
where you want
to redirect users to sign in and the
Audience URI (SP
Entity ID)
then click
Next
.
Select the option that best reflects your use of the SCIM Connector
app integration and click
Finish
.
Configure the Okta SCIM Connector app integration.
Select
General
(if it is not already
selected) and
Edit
the
App
Settings
.
Select
SCIM
as the
Provisioning
method and
Save
your changes.
Configure provisioning for the Okta SCIM Connector app integration.
Select
Provisioning
and
Edit
the SCIM Connection settings.
Enter the
Base URL
you copied from the Cloud
Identity Engine app in Step 3.2 as the
SCIM connector base URL
.
Enter
userName
as the
Unique
identifier field for users
.
Select the
Supported provisioning actions
you want to use to allow users to authenticate.
Select
HTTP Header
as the
Authentication Mode
.
Enter the
Bearer Token
you copied from the
Cloud Identity Engine app in Step 3.3 and
Save
your changes.
Select
Provisioning
and
Edit
the settings.
Select at least one of the options for
Provisioning to
App
and
Save
your
changes.
Assign the users and groups that you want to use the Okta SCIM Connector
app integration.
Select
Assignments
Assign
Assign to People
to assign the users you want to use Okta SCIM.
Select the users for whom you want to
Assign
this app.
Review and edit the information as needed then click
Save and Go Back
.
Verify the users you added display on the
Assignments
tab.
Select
Push Groups
then
Find
groups by name
to assign groups to this app.
Select the group you want to assign to this app then click
Save and add another
. Repeat as needed
until all the groups you want to assign to this app have been
selected then click
Save
.
Verify the configuration.
Select
Reports
System Log
.
Verify that log results display to confirm that the SCIM Connector
can successfully communicate with your directory. If no results
populate, the SCIM Connector cannot communicate with your directory;
verify the configuration and make any needed changes, then check the
log results again.
Verify that this step is complete before
continuing to the next step. Until the log results display in
the Okta Administrator Dashboard, a full sync cannot
successfully complete for the directory in the Cloud Identity
Engine app.
In the Cloud Identity Engine app, select
Directories
and verify that the timestamp
displays in the
SCIM Change Timestamp
column
for the Okta SCIM directory.
Select
Actions
Full Sync
for the directory.
The configuration is not complete until
you have successfully completed a full sync for the
entire directory.
After completing the steps in both the Cloud Identity Engine app and your directory portal, you can now use the SCIM Connector to collect attributes from your directory. To learn which attributes the SCIM Collector collects, see the Cloud Identity Engine Attributes.
If the number of users and groups does not display, refer to Troubleshoot Cloud Identity Engine Issues.
If the test is not successful, verify that you successfully submitted your configuration in the Cloud Identity Engine app in step 3.4.
Verify that this step is complete before continuing to the next step. Until the log results display in the Okta Administrator Dashboard, a full sync cannot successfully complete for the directory in the Cloud Identity Engine app.