Asset Intelligence and Management

AssetSonar Blogs Scim User Provisioning 820ed93288a0

[How-to] Implement User Provisioning via SCIM with AssetSonar and Okta

Implement User Provisioning via SCIM with AssetSonar and Okta

AssetSonar integrates with the SCIM protocol so you can manage the identity data of your employees on the cloud and seamlessly provision them access and user rights into the AssetSonar application from any identity provider.

1. What is SCIM?

SCIM, or System for Cross-domain Identity Management, is an open standard that automates user provisioning for your organization. It communicates user identity data of your employees from identity providers to service providers.

An identity provider (IdP) is a system that contains a robust directory of user identities and single, consistent login credentials for each of your employees. Okta is an example. A service provider (SP) is an enterprise SaaS application that requires these user identities so your employees can log into the application.

The SCIM protocol ensures that any changes made to user identities in the IdP, such as Okta are automatically synced in the SP i.e. AssetSonar.

2. Why use SCIM?

Managing the user lifecycle is crucial for businesses. As companies grow or experience turnover, their employee count keeps changing. They need a quick and easy way to add or delete user accounts in their company directories and simultaneously authorize or revoke employees’ access to various business applications.

Our integration with SCIM simplifies the user experience by automating your user provisioning processes. It automatically creates, updates, and deletes users in your AssetSonar account as you create, update, and delete them in IdP tools like Okta. Since data is communicated automatically, it saves your IT team valuable time and reduces the risk of error stemming from manual data entry.

Note: Our SCIM integration currently supports Okta only. Other IdP systems like OneLogin shall be supported soon.

AssetSonar’s SCIM integration with Okta offers various benefits. These include:

  1. Streamlined User Management: Integrating AssetSonar with Okta via SCIM simplifies the process of managing user accounts. When a new employee joins, their account can be automatically created in AssetSonar through Okta. This integration ensures that there’s no need for manual entry, reducing the likelihood of errors and saving time.
  2. Enhanced Security: By using SCIM with Okta, you can enforce consistent security policies across your organization. This setup allows for the centralized management of access rights, ensuring that employees only have access to the AssetSonar resources they need for their role. This minimizes the risk of unauthorized access.
  3. Improved Efficiency: With automated user provisioning, the time spent on administrative tasks is significantly reduced. IT teams no longer need to spend hours managing user access manually, contributing to overall operational efficiency through more focus on strategic tasks.
  4. Scalability: As your organization grows, managing users’ access to AssetSonar manually becomes increasingly challenging. SCIM integration with Okta makes it easier to scale your user management processes, accommodating growth without additional administrative burden.
  5. Consistency in User Data: SCIM ensures that user data is consistent across different systems. When a user’s information is updated in Okta, it automatically updates in AssetSonar too. This consistency is crucial for maintaining accurate records and efficient operations.
  6. Reduced IT Overhead: Automating user provisioning and de-provisioning through SCIM reduces the workload on your IT team. When an employee leaves the company, their access to AssetSonar can be automatically revoked, enhancing security and reducing administrative tasks.
  7. Compliance and Auditing: With automated and centralized user management, it becomes easier to comply with various regulatory requirements. You can easily track who has access to what in AssetSonar, which is essential for audits and compliance checks.
  8. Better User Experience: Employees benefit from a smoother onboarding and offboarding experience as their access to necessary tools like AssetSonar is automatically set up as soon as their account is created in Okta.

3. Use cases of SCIM-based user provisioning

There are four common use cases of user provisioning via SCIM in AssetSonar. Okta helps with them in the following way:

  1. Creating: New employees are automatically provisioned with their respective AssetSonar accounts when created in Okta.
  2. Reading: Data regarding employees and team resources can be queried from AssetSonar to match it against existing Okta resources.
  3. Updating: Any changes in the profile attributes of an employee in Okta can automatically be updated in AssetSonar.
  4. Deleting: An employee’s access to AssetSonar is de-provisioned when the employee is deleted in Okta. This is typically done when the employee is on leave or has left the organization.

4. [How-to] implement SCIM user provisioning with AssetSonar

Let’s walk you through some basic steps on how to implement SCIM-based user provisioning in AssetSonar!

Step 1: Add the AssetSonar application in Okta

Before you go ahead and enable the integration, you must first add the AssetSonar application to your Okta account.

The process is very simple.

  1. In your Okta account, go to Applications → Add Application → Type ‘AssetSonar’ in the search bar.
Add the AssetSonar application in Okta 1

2. This leads you to the AssetSonar application page. Click on ‘Add’.

Add the AssetSonar application in Okta 2

3. Configure the General settings. Add the name of your business as shown in the subdomain URL of your AssetSonar account. Hit ‘Done’.

Add the AssetSonar application in Okta 3

The AssetSonar application has now been added to your Okta account.

Add the AssetSonar application in Okta 4

You are now ready to enable the integration and deploy SCIM-based user provisioning.

Step 2: Enable the integration in AssetSonar

To enable the integration in your AssetSonar account, follow the pathway: Settings → Add Ons → User Provisioning via SCIM and select ‘Enabled’. Hit ‘Update’.

Add the AssetSonar application in Okta 5

This action reveals additional information shown below.

  1. SCIM Connector Base URL
  2. Connector Key

You will need to enter the two values in Step 3.

Step 3: Configure the integration in Okta

Navigate to your Okta account.

  1. Open the ‘Provisioning’ tab on the AssetSonar App page. Select ‘Integration’ from the sidebar and click ‘Edit’.
Configure the integration in Okta 1

2. Select ‘Enable API integration’. Copy the SCIM Connector Base URL and Connector Key from step 2 and paste it onto the Base URL and API Token fields respectively. Click on ‘Save’.

Configure the integration in Okta 2

This shall enable the integration on Okta’s end.

3. Now, in the Provisioning tab, select the ‘To App’ option in the sidebar and click ‘Edit’.

Configure the integration in Okta 3

4. Select the relevant attributes and changes you wish to sync and click ‘Save’.

Configure the integration in Okta 4

Provision settings are saved. You are now ready to create users in Okta and provide them access to AssetSonar.

5. Importing users to Custom Roles

If you want to map your users and their respective roles in a way that their hierarchy is reflected in AssetSonar, then you can do so by checking the ‘Import Users to Custom Roles’ option.

Importing users to Custom Roles 1

Once you have checked the setting, the following options would appear on the attribute and column mapping table:

Importing users to Custom Roles 2

Note: If the data values for Roles and Teams are not already specified in AssetSonar, the users belonging to these Roles and Teams will not get provisioned into AssetSonar. You will receive an email listing the users that could not be provisioned.

If a custom role imported from Okta via SCIM does not exist in AssetSonar, users belonging to that custom role can be provisioned to a default role in AssetSonar. You can set the Default Role using the option highlighted below:

Importing users to Custom Roles 3

Let’s say, you imported users belonging to the custom role Customer Success team from Okta via SCIM and this custom role is not present in AssetSonar, users belonging to this role will be provisioned as Administrators.

If you do not wish to provision these users as Administrators, you can also select the option ‘Provision to some role’ and provision these users to a custom role that already exists in AssetSonar.

6. Provisioning user(s)

In your Okta account, follow this pathway to provision users in AssetSonar via SCIM: AssetSonar → Assignments → Assign → Assign to People.

Provisioning user(s) 1

Click on ‘Assign’ for the user(s) you wish to provision for AssetSonar.

Provisioning user(s) 2

The following overlay appears. Select ‘Save and Go Back’.

Provisioning user(s) 3

Your users have been assigned. Click on ‘Done’.

Provisioning user(s) 4

If you traverse to the ‘Members’ tab in AssetSonar, you can see that the two users you assigned have been added in your AssetSonar account.

Provisioning user(s) 5

7. Updating user information

SCIM also updates any changes you make to the user profiles in Okta. Let’s say, you just changed the default email address of an employee, Michael Kelso, in Okta.

To edit the user profile in Okta, go to Directory → People → Username → Profile → Edit. Edit the username and primary email address of Michael Kelso and click on ‘Save’.

Updating user information 1

Notice that the default email address for Micheal Kelso has been changed in your AssetSonar account simultaneously.

Updating user information 2

8. Setting up Alerts for user syncs and updates

AssetSonar allows you to set up and receive alerts whenever users imported from Okta via SCIM are synced or updated. You can set these up from both “my Alerts” and “ServiceDesk Alerts”. Alerts that were previously sent through email are now grouped and can be managed through the Alerts section. Select the email alerts of your preference as shown:

Setting up Alerts for user syncs and updates 1

Moreover, the content of the email alerts can be switched to pre-generated templates that can be easily renamed or edited. The default template for email alerts is shown below.

Setting up Alerts for user syncs and updates 2

9. De-provisioning user(s)

You can also de-provision the access of your employees to AssetSonar. This may happen when an employee either leaves the IT team or the organization or is on a leave.

To de-provision a user, go to AssetSonar → Assignments in your Okta account. Click on the ‘x’ button next to the concerned user’s details.

De-provisioning user(s) 1

Click on ‘OK’.

De-provisioning user(s) 2

This shall unassign or de-provision the user from your AssetSonar account.

You can see that Jackie Burkhart no longer exists in the Member logs of your AssetSonar account.

De-provisioning user(s) 3

AssetSonar’s SCIM integration streamlines identity management and user provisioning of your employees with Okta.

We will soon be supporting other identity management platforms like One Login etc.

9. Custom attribute mapping for User Listings

AssetSonar detects basic attributes in Okta as they are. However, to map custom attributes and provision users based on these attributes, you need to carry out additional steps as mentioned.

Step 1: Create a custom attribute

In your Okta account, go to Applications → AssetSonar → Provisioning → To App. Scroll below to the AssetSonar Attribute Mappings section. Here, click on the ‘Go to Profile Editor’ button.

Custom attribute mapping for User Listings 1

On the Profile Editor page, click the ‘+Add Attribute’ button.

Custom attribute mapping for User Listings 2

Below, we’ll create and map the custom attribute for User Listing as an example.

Enter values as needed and hit ‘Save’.

Note: Values for External namespace:

urn:ietf:params:scim:schemas:extension:enterprise:2.0:User

Values entered for External name and External namespace fields should not have any space between them.

The custom attribute is now created as shown.

Custom attribute mapping for User Listings 4

Step 2: Map the custom attribute in AssetSonar

In your AssetSonar account, go to Settings → Add Ons → User Provisioning via SCIM. Select ‘Enable Custom Field Mappings in SCIM’ and update the setting.

Map the custom attribute in AssetSonar 1

Scroll below. In the User Listing field, paste the values of External namespace and External name from Step 1.

Note: You must paste the custom attribute value in the format — External namespace.External name. In this case, the value should look like ‘urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.userlisting’.

Hit ‘Update’ once done.

Step 3: Specify the custom attribute and provision user(s)

Now, go to Applications → AssetSonar → Assignments → Assign → Assign to People in your Okta account.

Assign the relevant users to the AssetSonar application.

Specify the custom attribute and provision user(s) 1

This action leads you to the following dialog box. Specify the User Listing and save changes.

Specify the custom attribute and provision user(s) 2

This shall provision the user and add them to the IT Support user listing in AssetSonar as illustrated.

Specify the custom attribute and provision user(s) 4
Specify the custom attribute and provision user(s) 3

Note: Before mapping user(s) to a User Listing, make sure that the latter has been created in AssetSonar.

10. Troubleshooting errors

Error 1: Member could not be updated

“Let’s say you had manually added a Member in AssetSonar. The same Member is also added to your IdP, Okta. You update details for the said Member in Okta. However, the Member information is not simultaneously updated in your AssetSonar account. ”

Solution: This usually happens when the Member has been added into the AssetSonar account manually, without SCIM-based user provisioning. To fix this, delete the manually added Member from your AssetSonar account. Provision the user using Okta as mentioned in Section 5. Now, all the changes made to the Member profile in Okta will simultaneously be updated in your AssetSonar account.

Note: Suppose, you had initially provisioned a Member from another IdP that uses SCIM protocol e.g. OneLogin and the Member’s details were later updated in Okta. In this case, the Member information will be automatically updated in AssetSonar because the Member has been provisioned using the SCIM protocol, no matter the IdP platform.

Read more: Guide to configuring secure LDAP for Azure AD Domain Services

About AssetSonar

AssetSonar is a powerful IT Asset Management solution supporting SCIM-based user provisioning. It is used by IT-intensive organizations and businesses all over the globe. Sign up today for a free 15-day trial.

For more assistance, drop us an email at support@ezo.io. You can also visit our blog for detailed support posts.

Join the Conversation: Twitter | Facebook

About AssetSonar 2

Was this helpful?

Thanks for your feedback!