SCIM is available for customers who want to leverage a SCIM connection for automatic user pre-provisioning and real-time user updates.
Specifications
SCIM API spec can be found here: Swagger UI
The SCIM API requires a Graphite-issued API key. See instructions for generating an API key >
Graphite’s SCIM API Spec conforms to the SCIM standard per RFC 7642, 7643, and 7644:
RFC 7642: System for Cross-domain Identity Management: Definitions, Overview, Concepts, and Requirements
RFC 7643: System for Cross-domain Identity Management: Core Schema
RFC 7644: System for Cross-domain Identity Management: Protocol
Prerequisite
You must leverage Role Mapping in order to use SCIM. See details here >
Sample Okta Setup
In Okta, go to the Graphite Connect application > Provisioning > Integration
Integration Details
The connector base URL is:
The unique identifier field for users is: userName
Graphite SCIM implementation supports the following:
Import New Users and Profile Updates
Push New Users
Push Profile Updates
Push Groups
Authorization is via HTTP Header. See instructions for generating an API key to use as the Bearer token >
To App Details
On the Graphite Connect application > Provisioning > To App section, enable Create Users and Update User Attributes.
Attribute Mapping
SCIM allows you to map attributes between Graphite and Okta. Mapping is only relevant if your configuration uses these attributes, and it is done as part of the implementation process.
To update the mapping, visit https://app.graphiteconnect.com/admin/company
The SAML attribute must match the attribute on the Okta side.
The SAML attributes must be in the enterprise extension field of the JSON payload (i.e., urn:ietf:params:scim:schemas:extension:enterprise:2.0:User).
For example:
{
  "userName": "test@graphiteconnect.com",
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
  ],
  "name": {
    "formatted": "Test User"
  },
  "locale": "en-US",
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
    "manager": "manager@graphiteconnect.com",
    "SAMLAttribute2": "Some Value"
  },
  "externalId": "00u3dytr47lhO3R6R5d7"
}
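A pre-flight check for the placement rule above, as an added example that is not Graphite's or Okta's code: it reports when a mapped attribute sits outside the enterprise extension object or when the extension URN is not declared in schemas. The function name check_scim_user and the list of mapped attribute names passed to it are assumptions; the attribute names are taken from the sample payload.

```python
import json

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"


def check_scim_user(payload, mapped_attributes):
    """Return a list of problems in a SCIM user payload (empty list means OK)."""
    problems = []
    if not isinstance(payload, dict):
        return ["payload is not a JSON object"]
    # Both schema URNs must be declared for the extension object to be valid.
    schemas = payload.get("schemas")
    if not isinstance(schemas, list):
        schemas = []
    for urn in (CORE_USER, ENTERPRISE_USER):
        if urn not in schemas:
            problems.append(f"schemas is missing {urn}")
    # userName is the unique identifier field for users.
    user_name = payload.get("userName")
    if not isinstance(user_name, str) or not user_name.strip():
        problems.append("userName (the unique identifier) is missing or empty")
    extension = payload.get(ENTERPRISE_USER)
    if not isinstance(extension, dict):
        problems.append("enterprise extension object is missing")
        extension = {}
    # Mapped attributes must live inside the extension object, not beside it.
    for name in mapped_attributes:
        if name in extension:
            continue
        if name in payload:
            problems.append(f"{name} is at the top level, not in the enterprise extension")
        else:
            problems.append(f"{name} is not present in the payload")
    return problems


# Constructed sample: extension URN not declared, SAMLAttribute2 misplaced.
SAMPLE = json.loads("""{
  "userName": "test@graphiteconnect.com",
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "SAMLAttribute2": "Some Value",
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
    "manager": "manager@graphiteconnect.com"
  }
}""")

if __name__ == "__main__":
    for problem in check_scim_user(SAMPLE, ["manager", "SAMLAttribute2"]):
        print(problem)
```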
User Invite Emails
By default, Graphite will NOT send invite emails to users created or invited via SCIM. Graphite Administrators can change this behavior in the Entities Admin utilities.
Please contact your Implementation Manager or Customer Success Manager for assistance.