Documentation Index

Fetch the complete documentation index at: https://docs.senhasegura.io/llms.txt

Use this file to discover all available pages before exploring further.

About user provisioning with SCIM 2.0

Prev Next

In Cloud Security, you can use the integration with the SCIM 2.0 (System for Cross-domain Identity Management) protocol to automate user provisioning and management, avoiding manual processes and ensuring scalability of identity governance. By integrating your external Identity Provider (IdP) directly with the Cloud Security platform, the IdP acts as a central source of identity data, sending user creation, update, and deletion commands to the platform using secure access keys.

Functionalities

  • Source of truth: the external IdP acts as the single source of truth and any changes made to it are reflected on the platform.
  • Automatic provisioning and deprovisioning: new employees automatically receive access to the platform when they are added to the IdP. Similarly, if an employee leaves, their access to the platform is instantly revoked, mitigating security risks.
  • Attribute and permission synchronization: in addition to creating the user, SCIM allows you to map attributes and associate them with the correct roles within Cloud Security.

Applicability

SCIM integration is designed for medium to large-scale enterprise environments that need to centralize identity management. It is recommended if your organization:

  • Manages multiple employees and wants to automate user creation.
  • Uses IAM (Identity and Access Management) solutions.
  • Has compliance policies that require the immediate revocation of corporate access.
Attention

Group synchronization is not supported. The SCIM integration with Cloud Security operates exclusively at the individual user level. The platform does not synchronize entire user groups from your Identity Provider (IdP). To ensure the integration works correctly, you must disable group provisioning in your IdP settings and manage permissions through individual user role assignments.

How the integration works

The SCIM integration is based on one-way communication from your external IdP to the Cloud Security platform:

  1. Machine credentials: for the IdP to communicate securely with the platform, it is necessary to create a service account in Cloud Security. More information in How to create a service account.
  2. Principle of Least Privilege: an access key is generated for the service account, specifically receiving the SCIM Management role. This role ensures that the IdP has exclusive permission to handle identities, not having access to other areas of the platform. More information about the SCIM Management role in About service accounts.
  3. Provider configuration: with the API base URL and the access key, the administrator configures the SCIM connector directly in the IdP portal. More information in How to set up SCIM provisioning with Azure AD.
  4. Mapping and execution: after mapping which IdP attributes correspond to the platform fields, the provider takes control, sending standardized JSON packets (RFC 7643/7644) when there are changes in the user lifecycle.

Attribute mapping

Regardless of the Identity Provider (IdP) you choose to use, the SCIM integration requires specific user attributes to be successfully mapped and sent to the Cloud Security platform. The syntax for the source attributes and expressions will vary depending on your IdP, but the target attributes must exactly match the table below:

Target attribute Expected data
userName The unique identifier or username for the user.
active Boolean value indicating if the user profile is active or disabled.
displayName The full display name of the user.
preferredLanguage The user's preferred language code.
name.givenName The user's first name.
name.familyName The user's last name or surname.
externalId The unique ID of the user within the external IdP.
roles A multi-value string containing the roles assigned to the user, which must exactly match the internal roles of the platform.