Setting up SCIM provisioning

Overview

The System for Cross-domain Identity Management (SCIM) specification is a standard protocol that can be used to create, retrieve, update, and deactivate users and groups between an identity provider and another application. Verta supports SCIM to automatically provision users.

Below are the steps for setting up SCIM provisioning. This example uses Active Directory, but the same steps can be applied to any identity provider that offers SCIM, for example Okta.

Provisioning Verta Organizations and Teams

Organizations and teams are used in Verta to help group users and manage access while facilitating collaboration. You can use SCIM to provision organizations and teams in Verta. SCIM only has a concept of “groups”, so there are two ways to map SCIM groups to organizations and teams in Verta.

  • You can specify an organization, and all SCIM groups that are provisioned will be provisioned as teams within that organization.

  • You can format your group names to follow a naming convention that specifies what the group should represent.

For the second option, your groups should use the following naming conventions. We rely on these naming conventions to correctly configure your organizations and teams.

| Name | Description |
| --- | --- |
| verta:system-admins | System admins of the Verta platform |
| verta:org:[ORG]:admins | Admins for the organization with the name specified in place of the [ORG] name |
| verta:org:[ORG]:members | Members of the organization with the name specified in place of the [ORG] name |
| verta:org:[ORG]:team:[TEAM]:members | Members of the team with the name specified in place of the [TEAM] name; the team will be created within the [ORG] organization |

In each case, if the organization and/or team included in the name does not already exist, it will be created.

Configuring SCIM in Verta

Prerequisite: SCIM provisioning requires an account with an email address that will be used to authenticate requests and manage organizations/teams.

The following configuration will enable SCIM provisioning in Verta:

In auth--uacservice-config.yaml, set the following configuration:

authService:
  okta_scim:
    enable: true
    auth_token: "Bearer a_bearer_token"
    org_name: "TestOrg"   # Optional
    owner: scim_owner@yourdomain.com

If you wish to use the first method of group provisioning listed above (all teams created within a single organization), specify the name of that organization in the org_name field. If you wish to use the second option, using naming conventions to specify the organization and team, leave the org_name field blank.
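A pre-flight check for IdP group names, as an added example that is not Verta's own code: it classifies each SCIM group name under the two mapping options described above and flags names that grant admin rights, match no convention, or name an organization outside a known list (under the naming conventions, a misspelled organization would be created as a new one). The function names, the sample group names, and the rule that [ORG] and [TEAM] contain no colon are assumptions.

```python
import re

# Assumption: [ORG] and [TEAM] are non-empty and contain no ':' (the page
# does not define the allowed characters).
NAME = r"[^:]+"
PATTERNS = [
    ("system_admin", re.compile(r"verta:system-admins")),
    ("org_admin", re.compile(rf"verta:org:(?P<org>{NAME}):admins")),
    ("org_member", re.compile(rf"verta:org:(?P<org>{NAME}):members")),
    ("team_member", re.compile(
        rf"verta:org:(?P<org>{NAME}):team:(?P<team>{NAME}):members")),
]

# Constructed sample group names, including one misspelled organization.
SAMPLE_GROUPS = [
    "verta:system-admins", "verta:org:Research:admins", "Engineering",
    "verta:org:Reserach:members", "verta:org:Research:team:nlp:members",
]


def classify_group(display_name, org_name=None):
    """Return (role, org, team) for a group name, or None if unrecognized."""
    if org_name:  # first option: every group becomes a team in org_name
        return ("team_member", org_name, display_name)
    for role, pattern in PATTERNS:
        match = pattern.fullmatch(display_name)
        if match:
            parts = match.groupdict()
            return (role, parts.get("org"), parts.get("team"))
    return None


def review(display_names, known_orgs, org_name=None):
    """Return (name, finding) pairs to check before the groups are pushed."""
    findings = []
    for name in display_names:
        result = classify_group(name, org_name)
        if result is None:
            findings.append((name, "does not match any naming convention"))
            continue
        role, org, _team = result
        if role in ("system_admin", "org_admin"):
            findings.append((name, f"grants {role}"))
        if org is not None and org not in known_orgs:
            findings.append((name, f"organization {org!r} is not in the known list"))
    return findings

if __name__ == "__main__":
    print(*review(SAMPLE_GROUPS, {"Research"}), sep="\n")
```

Run it against the group names you plan to assign to the Verta application in your IdP, passing the same org_name value you set in the Verta configuration, if any.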

Configuring SCIM in your IdP

You will need the following information in order to configure SCIM provisioning to Verta in your IdP:

  • The base URL: https://[your_base_verta_url]/api/auth/scim/v2/

  • The bearer token that you defined in the Verta SCIM configuration

Refer to the examples showing how to configure SCIM in Active Directory in Azure and in Okta:
