Tags | Provisioning | OneLogin | SCIM |
This documentation is for Stack Overflow Enterprise. Free, Basic, and Business users can access their documentation here. Find your plan.
Overview
System for Cross-domain Identity Management (SCIM) is an open API for securely sharing user information between online systems. In Stack Overflow for Teams Enterprise (SOE), SCIM 2.0 support allows an Identity Provider (IdP) to automatically update Stack Overflow with the user's activation status and/or role. Unlike SAML 2.0, which passes user information only at login, SCIM 2.0 sends updates whenever they occur. This provides SOE near-real-time updates to user status and role as changes happen at the IdP.
This article covers integrating OneLogin and your SOE site with SCIM 2.0. For a better understanding of using SCIM 2.0 with SOE, read our SCIM 2.0 support article.
Create a SCIM 2.0 application in OneLogin
OneLogin has an article on creating a SCIM 2.0 application which we recommend reviewing before proceeding.
Using the Administration panel, navigate to Apps, then Add Apps.
Search for SCIM apps that support SCIM 2.0 and OAuth bearer tokens (such as SCIM Provisioner with SAML (SCIM v2)) and add that application. This will take you to an application creation wizard.
On the configuration page, set the Display Name with a descriptive name (such as SCIM SOE). Leave other settings at their defaults, or change them as needed for your application.
Click Save.
Set up user deactivation and reactivation
Click on your new SCIM 2.0 application and click the Configuration tab.
Check Enable API Integration and set the following parameters
SCIM Base Url Set to https://[your_site]/api/scim/v2.
SCIM Bearer Token Set to the Auth.SCIMAuthorizationToken value from your SOE site settings. You won't be able to see any previous token value, so create a new token if necessary. Be sure to save the new token value to a secure note or document.
SCIM JSON Template SCIM 2.0 requires a JSON template to pass the correct data to SOE. Specifics will vary by organization, but you can modify the following example template as required.
Example JSON template (no userType field)
{
"userName": "{$parameters.scimusername}",
"name": {
"familyName": "{$user.lastname}",
"givenName": "{$user.firstname}",
"formatted": "{$user.display_name}"
},
"emails": [
{
"value": "{$user.email}",
"type": "work",
"primary": true
}
],
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
]
}Click Enable. You should see an "Enabled" confirmation message.
Click Save.
On the Provisioning tab, check Enable provisioning.
Make changes to the fields on this page as required. To have OneLogin events deactivate SOE users, choose Suspend from the action drop-down. SOE does not support deletion of users via SCIM 2.0.
Click Save.
When users are deactivated or reactivated in OneLogin, and are assigned to the appropriate SCIM 2.0 app, the SCIM update should change their status in SOE as well.
Assign users to the SCIM 2.0 application
You can add users either directly or by role, both under the Users menu. Select a target user or role, then click through to the Applications tab. Add applications with the [+] icon.
Configure administrator/moderator promotion and demotion (optional)
You can use SCIM 2.0 to promote/demote users between administrator, moderator, and regular user roles. This requires enabling Allow Moderator Promotion via a userType property and/or Allow Admin Promotion via a userType property on the SCIM integration settings page in SOE.
User promotion is determined by the userType field in the SCIM 2.0 payload. SOE accepts the following userType values: Registered, Moderator, or Admin
NOTE: Site administrators users have moderator privileges, but moderators do not have admin privileges.
To set up user promotion and demotion in OneLogin:
Add a custom user field by selecting Users then Custom User Fields from the top navigation menu.
Click CREATE NEW USER FIELD. The
Shortnamemust be userType. We recommend setting the field'sNameto userType as well for consistency. The case of the characters must match that of the SCIM JSON template (for example: $user.custom_fields.userType).Modify the SCIM JSON template by clicking the Configuration tab. Add the
userTypefield to the payload. Click Save.
Below is an example template with the optional userType field.
Example JSON template with optional userType field
{
"userName": "{$parameters.scimusername}",
"name": {
"familyName": "{$user.lastname}",
"givenName": "{$user.firstname}",
"formatted": "{$user.display_name}"
},
"emails": [
{
"value": "{$user.email}",
"type": "work",
"primary": true
}
],
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User"
],
"userType": "{$user.custom_fields.userType}"
}Add the
userTypeparameter in the OneLogin application by clicking the Parameters tab, then Add parameter. Create a parameter with Name userType and Value userType (Custom). Enable both Include in SAML assertion and Include in User Provisioning. Click Save to update the application.Use one of the following methods to configure
userTypemapping in OneLogin.By custom field on the individual user profile at Users -> All Users. You can edit a user and set the
userTypefield under the "Custom Fields" section of the User Info tab. You may need to click Show Custom Fields to expand the options. You'll have to do this for every user you want to promote to moderator or administrator.By Application mapping under Users -> Mappings. You can configure field mappings for each application based on certain conditions. For example: you could define a mapping for admin or moderator permissions based on role membership. See OneLogin documentation for more information.
NOTE: Enabling SCIM 2.0 support does not disable user management options within SOE. This means a user may have an active status in the IdP, yet be deactivated in SOE through the admin user management settings. We recommend standardizing on a single provisioning workflow within your organization to avoid confusion.
If you need further support or have questions, contact your site administrator.