SCIM (System for Cross-domain Identity Management) is a method of synchronising data from your identity platform with Klaxon. In effect it allows you to automatically provision users, groups and associated properties such as location and mobile phone number. It also disables users when the corresponding user account is disabled in the identity platform. This integration means you don't have to update users directly in Klaxon.
We support any identity provider that supports SCIM2. This includes platforms such as Microsoft Azure Active Directory and Okta.
We have provided the details for Azure Active Directory; the process should be similar for other identity providers. If you need help, please get in touch with our support team at support@klaxon.io.
Step 1: Azure Active Directory - Set up
1. Go to the Azure portal and open the Azure Active Directory tab.
2. From there click on 'Enterprise applications' in the navigation panel
3. From the Enterprise application screen, click New application.
4. From the 'Add an application' screen, click the 'Non-gallery application' button.
5. Type "Klaxon" in the name field on the 'Add your own application' screen and click the Add button.
Note: Please make sure this screen shows that the application you add supports "Automatic User Provisioning with SCIM". You may need your provider to enable the option if it is not displayed.
6. Once the application is created, click 'Provisioning' from the left side panel
7. From the Provisioning screen, click the 'Get started' button.
8. From the following screen, please complete the form with the following details.
IMPORTANT NOTE: to complete the form below, you will require details from Klaxon. Please open a new browser and log on to Klaxon using a Site Administrator role. Navigate to Configuration > Synchronisation on the left menu. Please use the Endpoint URL and Token value from this screen when completing the form below.
Provisioning mode: select Automatic from the drop down and additional "Admin Credentials" fields will be displayed.
Tenant URL: Paste the 'Endpoint' URL from the Klaxon Synchronisation screen
Secret Token: Paste the 'Token' value from the Klaxon Synchronisation screen
Click the 'Test Connection' button. After a successful connection you will get the following message.
Troubleshooting: if you are getting errors, please prefix the Secret Token value with the word 'Bearer', e.g. 'Bearer <copy-token>'
Notification Email: Optionally you can also insert an email address to receive any failure notification.
Click the 'Save' button and the initial synchronisation should start shortly. You can view the status of the sync from the Provisioning page as below.
Additionally, the user location and mobile number fields can also be synced to Klaxon. We highly encourage syncing these to improve the user experience when users set up their profile. The steps below will guide you through setting up these optional fields. Please make sure you have completed the steps above before continuing with this setup.
Location information is used for setting the location field in each user profile. If the location synced for a user is not defined in Klaxon, the location field will be set to the 'Default' location. A specific location can be specified by a Klaxon administrator, and the user will be able to update the field manually as well.
1. On the Provisioning screen, click the 'Edit provisioning' button and click the 'Provision Azure Active Directory Users' link under Mappings.
2. Creating a custom attribute: please tick 'Show advanced options' and click 'Edit attribute list for customappsso'
3. On the Edit Attribute List screen, scroll to the end of the table, append the following to the table, then click 'Add Attribute'
Name: paste the following text 'urn:ietf:params:scim:schemas:extension:klaxon:2.0:User:location' into the field
Type: Select 'String' from the drop down options.
Click the 'Save' button when complete. After saving, you will be brought back to the Attribute Mapping page.
4. Create a new mapping: to create a new mapping, click 'Add New Mapping' on the Attribute Mapping page and complete the following details in the side bar.
Mapping type: Direct
Source attribute: this is the user field in your system that should be used as the location, e.g. 'city'
Target attribute: the previously created location attribute: 'urn:ietf:params:scim:schemas:extension:klaxon:2.0:User:location'
Apply this mapping: Always
Click the 'OK' button when complete.
Note: you can define a custom mapping that differs from the settings above. The important point is to ensure the correct target attribute is used: 'urn:ietf:params:scim:schemas:extension:klaxon:2.0:User:location'
If you would also like to synchronise the user phone number, please use the same procedure as for location. The only difference is the target attribute name, which needs to be: 'urn:ietf:params:scim:schemas:extension:klaxon:2.0:User:notificationPhoneNumber'
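A pre-flight check for the values entered in the steps above, added here as an example (it is not Klaxon's or Microsoft's code): it normalises the 'Bearer' prefix on the Secret Token, rejects a Tenant URL that is not HTTPS, and shows the SCIM user resource the two custom mappings produce. It assumes the standard SCIM 2.0 layout, where the text after the last colon of the target attribute is the attribute name and the rest is the extension schema; the URL, token and user values are constructed samples.

```python
import json
from urllib.parse import urlsplit

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
# Target attribute names copied from the mapping steps on this page.
EXT = "urn:ietf:params:scim:schemas:extension:klaxon:2.0:User"
LOCATION = EXT + ":location"
PHONE = EXT + ":notificationPhoneNumber"

def auth_header(secret_token):
    """Return the Authorization header value with exactly one 'Bearer ' prefix."""
    parts = secret_token.split()
    if parts and parts[0].lower() == "bearer":
        parts = parts[1:]
    if len(parts) != 1:
        raise ValueError("Secret Token must be a single non-empty value")
    return "Bearer " + parts[0]

def check_tenant_url(url):
    """Reject an endpoint that would carry the token over clear text."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("Tenant URL must be an https:// URL")
    return url.strip()

def split_target(target):
    """Split 'schemaURN:attribute' at the last colon (assumed SCIM 2.0 convention)."""
    schema, _, attr = target.rpartition(":")
    if not schema.startswith("urn:ietf:params:scim:schemas:") or not attr:
        raise ValueError("not a SCIM extension attribute: " + target)
    return schema, attr

def build_user(user_name, active, mapped):
    """Build the SCIM User resource for a dict of {target attribute: value}."""
    user = {"schemas": [CORE_USER], "userName": user_name, "active": active}
    for target, value in mapped.items():
        schema, attr = split_target(target)
        if schema not in user["schemas"]:
            user["schemas"].append(schema)
        user.setdefault(schema, {})[attr] = value
    return user

if __name__ == "__main__":
    # Constructed sample values; use those from Configuration > Synchronisation.
    print(check_tenant_url("https://klaxon.example/scim/v2"), auth_header("abc123"))
    sample = {LOCATION: "London", PHONE: "+440000000000"}
    print(json.dumps(build_user("jo@example.com", True, sample), indent=2))
```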