SCIM (System for Cross-domain Identity Management)

SCIM (System for Cross-domain Identity Management) is an open standard, defined in RFC 7643 and RFC 7644, for automating the exchange of user identity information between an identity provider and the applications it serves. SCIM lets you quickly sync your users' profile information into Igloo Flex. SCIM settings are managed on the SCIM Settings page in Admin Settings.

Details

SCIM uses a RESTful API with standard HTTP methods and JSON payloads. Your IdP acts as the SCIM client that sends the requests, and Igloo Flex acts as the SCIM service provider that receives them. Users and groups have unique identifiers and conform to a defined schema, providing consistent identity data that can be mapped to Igloo Flex's profile fields. The major components of a SCIM workflow include:

  1. Provisioning: When a user is created or updated in the identity provider (IdP), a SCIM request is sent to Igloo Flex to create or update the corresponding user account.
  2. Group Management: When groups and group memberships are created, updated, or deleted, a SCIM request is sent to Igloo Flex to create or update the groups or group memberships. 
  3. Deprovisioning: When a user is removed from the IdP, a deactivation request (a SCIM update that sets the user's active attribute to false) is sent to Igloo Flex to terminate all their sessions and prevent them from logging in to the digital workplace. Depending on the IdP's configuration, a delete request is sent to Igloo Flex after a defined period of time to remove the user from the digital workplace permanently.

SCIM and the Flex access model

In Igloo Flex, access to content is governed by the sites that contain the content. A site is assigned access permissions by group, which allows users within those groups to interact with the content according to their assigned role.

There are multiple models for handling groups and access permissions in Igloo Flex with SCIM: 

  • You can design your groups in your IdP to match existing groups in Igloo Flex with assigned access permissions for particular sites. When those groups are synced, they will automatically be assigned access permissions. 
  • You can use large, generic groups in your IdP. Once the groups are synced to Igloo Flex, you can use Bulk User Upload to change users' group memberships based on specific groups created in Igloo Flex. 

Regardless of which method you choose, when groups are synced from your IdP, one of these actions occurs:

  • Group exists: If the group exists in Igloo Flex, it is matched on name, and its membership is updated with the users in the IdP group. Because the match is on name alone, any IdP group whose name matches an Igloo Flex group inherits that group's site access permissions; treat the ability to create or rename IdP groups that are in scope for provisioning as a privileged operation.
  • Multiple groups exist with the same name: If multiple groups in the IdP share the same name, they all sync to a single Igloo Flex group, because group name uniqueness is enforced in Igloo Flex.
  • Group doesn't exist: If the group does not exist in Igloo Flex, it is created as a new group in Igloo Flex. However, it has no access permissions. A workplace administrator must assign site access permissions as necessary in the Site Manager. See Assign or edit access permissions for a site.
  • Group removed from IdP: When a group is removed from the IdP, it is also removed from Igloo Flex. Its access permissions are removed, and its members lose that group membership. The users themselves are not removed from the digital workplace.

When individual users are provisioned from your IdP, one of these actions occurs: 

  • User exists: If the user exists in Igloo Flex, any profile data or group membership changes are synced to their profile in Igloo Flex.
  • User doesn't exist: If the user doesn't exist in Igloo Flex, they are added to the Igloo Flex digital workplace. Their profile data is synced the next time the user is provisioned from the IdP. The user has no access permissions in Igloo Flex until a workplace administrator assigns them to groups in Igloo Flex. See Add users to a group.
  • User removed from IdP: When a user is removed from the IdP, Igloo Flex will take action based on the type of request sent from the IdP. In the example of Entra's deprovisioning process: 
    • Deactivate request is sent (1st step): The user is deactivated in Igloo Flex, which means their sessions are terminated and they cannot log in to the digital workplace. They should no longer appear in widgets or search results. A workplace administrator can reactivate their account if needed, or an Entra administrator can re-add them to the Entra app. See Activate or deactivate a user for instructions on reactivating a user.
    • Delete request is sent after 30 days, or a configured time period (2nd step): The user is permanently deleted from the digital workplace and cannot be reinstated.
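The request types listed under Details and the matching rules above, replayed against a toy in-memory service provider. This is an added, constructed example and not Igloo Flex code: it applies the SCIM 2.0 operations an IdP sends (POST, PATCH and DELETE on /Users and /Groups, as defined in RFC 7644) and enforces the documented behaviour, namely that groups are matched by name, a group created by sync has no site permissions, removing a group drops its memberships and permissions but not its users, setting active to false ends sessions and blocks login, and a later DELETE removes the user permanently. The SITE_PERMISSIONS seed data, the Directory class and its method names are assumptions made for this example; the string form of the active value is the shape some IdPs send and is accepted alongside a real boolean.

```python
"""Toy SCIM 2.0 service provider that applies the sync rules described above.

Constructed example, not Igloo Flex code. It replays the RFC 7644 requests an
IdP sends (POST/PATCH/DELETE on /Users and /Groups) against an in-memory
directory and enforces the documented rules: groups match by name, a group
created by sync has no site permissions, removing a group drops memberships
and permissions but not users, active=false ends sessions and blocks login,
and a later DELETE removes the user permanently.
"""
import re
import uuid

# Groups that already exist in Flex with administrator-assigned site access
# (constructed sample). Keyed by group name, the attribute sync matches on.
SITE_PERMISSIONS = {"Sales": {("sales-site", "member")}}
MEMBER_FILTER = re.compile(r'members\[value eq "([^"]+)"\]')  # SCIM PATCH path filter


class Directory:
    def __init__(self, site_permissions=SITE_PERMISSIONS):
        self.users, self.groups, self.sessions = {}, {}, {}
        self.site_permissions = {k: set(v) for k, v in site_permissions.items()}
        for name in site_permissions:  # seed the pre-existing Flex groups
            self.groups[str(uuid.uuid4())] = {"displayName": name, "members": set()}

    # ---- /Users ----
    def post_user(self, resource):
        """POST /Users: new user, in no groups, so no site permissions yet."""
        uid = str(uuid.uuid4())
        self.users[uid] = {"id": uid, "active": True, **resource}
        return uid

    def patch_user(self, uid, operations):
        """PATCH /Users/{id}: profile changes, or the deactivation step."""
        user = self.users[uid]
        for op in operations:
            if op["op"].lower() != "replace":
                continue
            if op.get("path") == "active":
                # Some IdPs send the boolean as the string "False"; accept both forms.
                v = op["value"]
                user["active"] = v if isinstance(v, bool) else str(v).lower() == "true"
                if not user["active"]:
                    self.sessions.pop(uid, None)  # terminate every session
            elif "path" in op:
                user[op["path"]] = op["value"]
            else:  # no path: value is a dict of attributes to replace
                user.update(op["value"])

    def delete_user(self, uid):
        """DELETE /Users/{id}: permanent removal, including group memberships."""
        del self.users[uid]
        self.sessions.pop(uid, None)
        for g in self.groups.values():
            g["members"].discard(uid)

    # ---- /Groups ----
    def find_group(self, display_name):
        """GET /Groups?filter=displayName eq "...": the name is the match key."""
        return next((gid for gid, g in self.groups.items()
                     if g["displayName"] == display_name), None)

    def post_group(self, resource):
        """POST /Groups: reuse the group with this name, else create one with no access."""
        gid = self.find_group(resource["displayName"])
        if gid is None:
            gid = str(uuid.uuid4())
            self.groups[gid] = {"displayName": resource["displayName"], "members": set()}
        self.groups[gid]["members"] |= {m["value"] for m in resource.get("members", [])}
        return gid

    def patch_group(self, gid, operations):
        """PATCH /Groups/{id}: membership add and remove operations."""
        members = self.groups[gid]["members"]
        for op in operations:
            if op["op"].lower() == "add" and op.get("path") == "members":
                members |= {m["value"] for m in op["value"]}
            elif op["op"].lower() == "remove":
                m = MEMBER_FILTER.fullmatch(op.get("path", ""))
                if m:
                    members.discard(m.group(1))

    def delete_group(self, gid):
        """DELETE /Groups/{id}: the group and its access go; the users remain."""
        group = self.groups.pop(gid)
        self.site_permissions.pop(group["displayName"], None)

    # ---- what the access model yields ----
    def login(self, uid):
        """A session is issued only to a user that exists and is active."""
        user = self.users.get(uid)
        if not user or not user["active"]:
            return None
        token = str(uuid.uuid4())
        self.sessions.setdefault(uid, set()).add(token)
        return token

    def effective_permissions(self, uid):
        """Access reaches a user only through groups that hold site permissions."""
        return set().union(*(self.site_permissions.get(g["displayName"], set())
                             for g in self.groups.values() if uid in g["members"]))
```

Walking a user through the Entra sequence makes the two-step deprovisioning visible: after the PATCH that sets active to false, login returns no session but the user record is still present and can be reactivated by another PATCH; only the DELETE removes the record and its memberships. The same directory also shows the name-matching risk: an IdP group posted with displayName "Sales" lands its members straight in the pre-existing, permissioned group, while a group with a new name grants nothing until an administrator assigns site access.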

SCIM and SSO SAML authentication

While SSO SAML authentication does not have to be configured in Igloo Flex in order to use SCIM, the two features work in tandem to provide a seamless and more secure experience for your users. SCIM syncs user profiles from your IdP, and SAML lets those users log in with your organization's credentials, so authentication stays with the IdP. For administrators, this eliminates the need to manually update Igloo Flex accounts when passwords or profile information change. For information on configuring SSO SAML authentication, see:

Configure SCIM

As a workplace administrator, you can configure your digital workplace to connect with specific IdPs via SCIM. For instructions, see: 

Keep in mind when configuring SCIM: 

  • Unsupported fields: Igloo Flex does not support syncing of the manager or reportTo fields. When syncing with Entra, remove these fields from the SCIM attribute mappings before starting a sync.
  • Valid content syncing: When syncing values into fields in Igloo Flex, ensure that the values are in the format the target field expects. See Profile field for information on valid field formats.

Tasks