SCIM active directory integration

Learn how to connect to Collaboard's SCIM endpoint and sync your AD users with Collaboard.

Introduction and SCIM scope

SCIM, or System for Cross-domain Identity Management, is an open standard designed to manage user identity information. SCIM provides a defined schema for representing users and groups, and a RESTful API to run CRUD operations on those user and group resources.

The goal of SCIM is to securely automate the exchange of user identity data between your company's cloud applications and any service providers, such as enterprise SaaS applications.

For detailed information about SCIM, see https://scim.cloud/

Our Auth API server supports the SCIM specification by providing a SCIM API. Using the SCIM API, the client application can get and modify all the information available in auth.

All the API methods require authentication in order to be used, and the authentication token will provide the context of the calling user.

We support the entire SCIM scope listed at https://scim.cloud/ except Bulk: POST https://example.com/{v}/Bulk.

Find the supported SCIM methods in this document.

Setup process in a nutshell

  1. Your homework: you need to configure your AD user provisioning.
    1. Define groups, members, etc.
      1. Determine which groups will get a license and thus become subscription members, and which groups will contain free users without a license.
      2. Please send this information along with the request to get an access token.
    2. Create the provisioning application.
  2. Reach out to our support to get an access token to call our SCIM endpoint.
    1. We create a SCIM Manager user and assign the SCIM Manager role.
    2. We create the access token that is tied to your SCIM Manager user. The token expires after 5 years. Treat it with care!
    3. We will send the access token and the username for further reference.
  3. You use the access token and the SCIM endpoint URL in your provisioning application to establish the connection with our SCIM endpoint.

    Authenticating at the SCIM endpoint

    Use the access token we provided as the bearer token in the Authorization header for the SCIM calls.

    The SCIM endpoints are located under https://{AUTH_API_BASE_URL}/scim/v2
    The public API endpoints are located under https://{COLLABOARD_PUBLIC_API_BASE_URL}/api/public/v2.0

    Environment  AUTH_API_BASE_URL                      COLLABOARD_PUBLIC_API_BASE_URL
    WEB          https://api.collaboard.app/auth        https://api.collaboard.app/public
    DE           https://de.collaboard.app/server/auth  https://de.collaboard.app/server/public
    CH           https://ch-api.collaboard.app/auth     https://ch-api.collaboard.app/public

    Discovery

    The discovery endpoints of the SCIM API can be found at the following URLs:

    ServiceProviderConfig

    Specification compliance, authentication schemes, data models.
    Endpoint: GET https://{AUTH_API_BASE_URL}/scim/v2/ServiceProviderConfig

    ResourceTypes

    Returns the types of resources available.
    Endpoint: GET https://{AUTH_API_BASE_URL}/scim/v2/ResourceTypes

    Supported Methods

    The IBV.Auth SCIM API supports the following methods:

    Users

    Create

    POST https://{AUTH_API_BASE_URL}/scim/v2/Users

    Read

    GET https://{AUTH_API_BASE_URL}/scim/v2/Users/{id}

    Replace

    PUT https://{AUTH_API_BASE_URL}/scim/v2/Users/{id}

    Delete

    DELETE https://{AUTH_API_BASE_URL}/scim/v2/Users/{id}

    Update

    PATCH https://{AUTH_API_BASE_URL}/scim/v2/Users/{id}

    Search

    GET https://{AUTH_API_BASE_URL}/scim/v2/Users?filter={attribute}{operator}{value}&startIndex=1&count=10

    • Supported attributes: Username, FirstName, LastName, Email, PhoneNumber
    • Supported operators: eq (equals), sw (starts with), ew (ends with), co (contains)
    • Paging: Supported
    • Sort: Not supported
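An added example (not Collaboard's own code) of the authenticated, paged Users search described above: it sends the access token as a bearer token, rejects non-HTTPS base URLs and unsupported attributes or operators, and escapes the filter value before it goes into the query string. Assumptions: the filter is written in RFC 7644 form (`attribute operator "value"`), the response is an RFC 7644 ListResponse with `Resources` and `totalResults`, and the function names and the `COLLABOARD_SCIM_TOKEN` environment variable are hypothetical.

```python
import json
import os
import urllib.parse
import urllib.request

SUPPORTED_OPERATORS = {"eq", "sw", "ew", "co"}  # from the Search section
USER_ATTRIBUTES = {"Username", "FirstName", "LastName", "Email", "PhoneNumber"}


def build_user_search(base_url, token, attribute, operator, value, start_index=1, count=10):
    """Return a urllib Request for GET {base_url}/scim/v2/Users with filter and paging."""
    if not base_url.startswith("https://"):
        raise ValueError("refusing to send the bearer token over a non-HTTPS URL")
    if attribute not in USER_ATTRIBUTES or operator not in SUPPORTED_OPERATORS:
        raise ValueError("attribute or operator not supported by the Users search")
    # Assumption: RFC 7644 filter form; the string value is quoted, '\' and '"' escaped.
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    params = {"filter": f'{attribute} {operator} "{escaped}"',
              "startIndex": start_index, "count": count}
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/scim/v2/Users?{urllib.parse.urlencode(params)}",
        headers={"Authorization": f"Bearer {token}"},
    )


def search_all_users(send, base_url, token, attribute, operator, value, count=10):
    """Page through all matches; `send` takes a Request and returns the decoded JSON body."""
    users, start = [], 1
    while True:
        page = send(build_user_search(base_url, token, attribute, operator, value, start, count))
        resources = page.get("Resources", [])  # assumed RFC 7644 ListResponse
        users.extend(resources)
        start += len(resources)
        if not resources or start > page.get("totalResults", 0):
            return users


def send_over_https(request):
    """Real transport: performs the call and parses the JSON response."""
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response)


if __name__ == "__main__":
    # The token is read from the environment (hypothetical variable name), not from source.
    token = os.environ["COLLABOARD_SCIM_TOKEN"]
    found = search_all_users(send_over_https, "https://api.collaboard.app/auth",
                             token, "Email", "ew", "@example.com")
    print(len(found), "users matched")
```

Keeping the transport as a parameter lets the paging logic be exercised against recorded responses before the long-lived token is used against the live endpoint.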

    Bulk

    Not supported

    Groups

    Create

    POST https://{AUTH_API_BASE_URL}/scim/v2/Groups

    Read

    GET https://{AUTH_API_BASE_URL}/scim/v2/Groups/{id}

    Replace

    PUT https://{AUTH_API_BASE_URL}/scim/v2/Groups/{id}

    Delete

    DELETE https://{AUTH_API_BASE_URL}/scim/v2/Groups/{id}

    Update

    PATCH https://{AUTH_API_BASE_URL}/scim/v2/Groups/{id}

    Search

    GET https://{AUTH_API_BASE_URL}/scim/v2/Groups?filter={attribute}{operator}{value}&startIndex=1&count=10

    • Supported attributes: DisplayName
    • Supported operators: eq (equals), sw (starts with), ew (ends with), co (contains)
    • Paging: Supported
    • Sort: Not supported

    Bulk

    Not supported