SCIM - Generic IP or Custom Implementation
1 Before You Start
- You must have a ProcedureFlow account with "Org Admin" role and a pricing plan that supports SCIM
- Decide the scope of the deployment, i.e. whether users only or users and groups will be provisioned.
2 Configure ProcedureFlow to Support Provisioning
- Sign into ProcedureFlow using your Org Admin account.
- Go to Administration > Developers > Personal Access Tokens and click New Access Token to create a new token to use for SCIM.
- Name the token, select an expiration, and assign the Read and write SCIM permission.
Note Be sure to create a token with long enough expiry or no expiry at all — when the token expires, the integration will fail until a new token is generated and configured.
- Click Create Token. The token will temporarily appear on the Personal Access Tokens screen. Copy the token to save elsewhere; you will need this for configuring your identity provider or custom implementation, and once you refresh this screen the token will no longer be available.
3 Create and Configure Your Generic/Custom IdP
There are three points of configuration to set up an identity provider with a typical SCIM API. This is no different for the ProcedureFlow SCIM API and are as follows:
- All IdPs require a SCIM endpoint URL. This is often referred to as SCIM base URL. Locate this field in your IdP's SCIM configuration page and enter
https://api.procedureflow.com/v1/scim/v2. - The IdP or custom integration should be configured with the API token created in step 2 above.
At this point, most IdPs will test that the integration works after configuring the SCIM API endpoint and token. If you are using a custom implementation, you can use the list users capability with providing a dummy user. We expect a
200 OKresponse with an empty list of users:
curl \<br> -H "Authorization: Bearer 2:pfpat_dxPhkx4i9uvSE" \<br> https://api.procedureflow.com/v1/scim/v2/Users?filter=userName+eq+%22user@example.com%22<br><br> // should return a 200 OK response with a payload like this:<br> {<br> "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],<br> "itemsPerPage": 100,<br> "totalResults": 0,<br> "startIndex": 1,<br> "resources": [] <br>} - Most IdPs will have a configuration section where you can specify which parts of the SCIM User and Group schemas are to be sent over to ProcedureFlow's SCIM endpoint.
4 Define Who Will Be in Scope for Provisioning
Most IdPs should allow you to configure which users and groups are in scope for provisioning. Most IdPs allow you to assign users via groups. Some IdPs differentiate between group assignment and group provisioning which is important to note. For example, Okta allows you to assign an entire group via assignment, which provisions all the users in the group without actually provisioning the group itself. Please read the documentation thoroughly to understand how assignment and provisioning works for your selected IdP.
Note It is recommended to start with a small group of users or a limited sized group. Before rolling out to a larger audience, verify that things are working as expected. Newly added users in the small test group should receive an email invite to join ProcedureFlow.