You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.
EmpowerID SCIM Connector
About SCIM
The System for Cross-domain Identity Management (SCIM) specification is designed to help organizations more easily manage and exchange identity information across cloud-based applications and domain boundaries using REST API and JSON. The SCIM specification provides standard schemas representing users and groups with built-in extensibility for additional attributes and other identity-related objects. Identity objects in SCIM are accessed via REST API with endpoints and operations for getting, creating, updating, and deleting those objects. SCIM’s underlying principles are to make user data more secure and to simplify and automate the user identity lifecycle management process.
About the EmpowerID SCIM Connector
The EmpowerID SCIM Connector is an out-of-the-box solution that comprises an internal SCIM account store and a deployable SCIM microservice. The microservice is a .NET 6.0 template developed in Workflow Studio that can be used to connect with applications that use SCIM for identity transactions and those that do not. When applications do not support SCIM, organizations can extend the microservice to talk to those applications without having extensive knowledge of the EmpowerID connector framework. Simply extend the microservice for those applications and deploy it to Azure or IIS. EmpowerID takes care of the rest. Once the microservice is deployed, providing EmpowerID with the SCIM endpoint and the appropriate authentication information is all that is needed for EmpowerID to connect. All the standard features of EmpowerID’s connector technology operate under the hood to ensure the identities and associations between inventoried objects in those applications are accurately reflected in EmpowerID and any relevant back-end systems. The SCIM connector can take advantage of the full capabilities of EmpowerID, including the RBAC engine and the SSO framework, password synchronization, attribute flow, group membership management, provisioning, updating, and termination of accounts and groups, all with full auditing and reporting built-in.
How does the SCIM Connector Work?
The SCIM connector comprises the SCIM account store, which you create in EmpowerID, and the SCIM microservice, which you deploy to Azure or host in IIS. When you create the SCIM account store, you specify the endpoint and the authentication information (OAuth client and key or certificate) needed to secure the connection between EmpowerID and the microservice. EmpowerID then generates a resource system for the account store, with configurable settings for your application’s endpoints, and a corresponding security boundary with the standard SCIM schema. The schema can be extended as needed. After creating the account store, configuring the endpoints, and extending the schema as needed, turn on inventory and manage the identities as you would those belonging to any other type of account store. Create, update, and delete users, and assign and unassign them to and from groups as needed.
Inventory Objects and their corresponding components in EmpowerID
Object in SCIM | Component in EmpowerID |
---|---|
User | Account |
Group | Group |
Attribute Mapping
User Attribute Mapping
SCIM User Attribute | Corresponding EmpowerID Person Attribute |
---|---|
active | Status |
addresses[?(@.type=='work')].country | Country |
addresses[?(@.type=='work')].Locality | City |
addresses[?(@.type=='work')].postalCode | ZipCode |
addresses[?(@.type=='work')].region | State |
addresses[?(@.type=='work')].streetAddress | StreetAddress |
emails[?(@.type=='work')].value | |
externalId | EmailAlias |
name.familyName | LastName |
name.givenName | FirstName |
name.honorificSuffix | GenerationalSuffix |
name.middleName | MiddleName |
password | Password |
phoneNumbers[?(@.type=='fax')].value | Fax |
phoneNumbers[?(@.type=='home')].value | HomePhone |
phoneNumbers[?(@.type=='mobile')].value | MobileNumber |
phoneNumbers[?(@.type=='other')].value | Telephone |
phoneNumbers[?(@.type=='work')].value | BusinessPhone |
photos[?(@.type=='work')].value | PhotoUrl |
preferredLanguage | PreferredLanguage |
profileUrl | AboutMe |
title | Title |
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.department | Department |
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.EmployeeNumber | EmployeeID |
userName | Login |
userType | EmployeType |
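
The path expressions in the User table can be checked against a payload before inventory is turned on. The following is an added example, not EmpowerID code: it resolves a subset of the table's paths against a constructed SCIM User and reports which Person attributes would come back empty. The names `USER_MAP`, `SAMPLE_USER`, `resolve` and `to_person` are hypothetical, and the case-insensitive attribute matching follows RFC 7643 rather than any documented EmpowerID behavior.

```python
import re
# Subset of the User mapping table above: SCIM path -> EmpowerID Person attribute.
USER_MAP = {
    "active": "Status",
    "addresses[?(@.type=='work')].Locality": "City",
    "name.familyName": "LastName",
    "name.givenName": "FirstName",
    "phoneNumbers[?(@.type=='mobile')].value": "MobileNumber",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.EmployeeNumber": "EmployeeID",
    "userName": "Login",
}
# Constructed sample resource (not taken from any real system).
SAMPLE_USER = {
    "userName": "jdoe", "active": True,
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "addresses": [{"type": "home", "locality": "Leeds"},
                  {"type": "work", "locality": "Boston"}],
    "phoneNumbers": [{"type": "work", "value": "+1-555-0100"}],
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {"employeeNumber": "E1001"},
}
FILTER = re.compile(r"^(\w+)\[\?\(@\.type=='(\w+)'\)\]$")

def _get(obj, key):
    # RFC 7643: attribute names are case-insensitive, so "Locality" matches "locality".
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k.lower() == key.lower():
                return v
    return None

def resolve(resource, path):
    """Resolve one mapping-table path against a SCIM resource; None if absent."""
    node = resource
    if path.lower().startswith("urn:"):
        # Extension attributes sit under a top-level key named by the schema URN.
        urn, _, path = path.rpartition(".")
        node = _get(resource, urn)
    # Split on dots outside the [?(...)] filter, which itself contains "@.type".
    for step in re.split(r"\.(?![^\[]*\])", path):
        m = FILTER.match(step)
        if m:  # pick the first multi-valued entry whose type matches the filter
            items = _get(node, m.group(1)) or []
            node = next((i for i in items
                         if str(_get(i, "type") or "").lower() == m.group(2).lower()), None)
        else:
            node = _get(node, step)
        if node is None:
            return None
    return node

def to_person(resource):
    return {person: resolve(resource, scim) for scim, person in USER_MAP.items()}
```

For the sample user, `MobileNumber` resolves to `None` because the payload carries only a `work` phone number, which is the kind of gap worth finding before attribute flow runs.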
Group Attribute Mapping
SCIM Group Attribute | Corresponding EmpowerID Group Attribute |
---|---|
Description | Description |
externalId | Alias |
members | Members |
Role Attribute Mapping
SCIM Role Attribute | Corresponding EmpowerID Role Attribute |
---|---|
Description | Description |
externalId | Alias |
FreindlyName | FriendlyName |
Name | Name |
ParentID | ParentPath |
Location Attribute Mapping
SCIM Location Attribute | Corresponding EmpowerID Location Attribute |
---|---|
Description | Description |
externalId | Alias |
FreindlyName | FriendlyName |
Name | Name |
ParentID | ParentPath |