SAML2 with SCIM2 Integration GUIDE

CONFIGURING SAML2 

PREREQUISITES 

  • A user with access to the Priverion Platform 
  • Your user must have at least the IT Administrator role, or a Custom Role with IT Settings access 

SUPPORTED FEATURES

  • SP-initiated SSO

CONFIGURATION STEPS

  1. From the upper bar menu, click on the Settings icon button 
  2. On the opened menu, select IT Settings 
  3. Open the Identity & Access menu 
  4. Select the SAML2/OAuth2 suboption 
  5. Click on the Edit button to open the Authentication Configuration screen 
  6. Make sure the SAML option is selected 
  7. Select Custom or one of the prefilled options for Microsoft or Google 
  8. Configure Allowed domains as a comma-separated list of the domains whose users are permitted to sign in 
  9. Supply the Identity Provider details using any one of the following options: 
     • Provide a metadata link in the Identity Provider Metadata URL field and load the information automatically (use an https:// URL: the values loaded from it decide which signing certificate the platform trusts) 
     • Manually enter the Identity Provider Login URL and Identity Provider Logout URL and upload a valid certificate file in the Identity Provider X.509 Certificate section (this is the certificate used to verify the signature on assertions from your provider; update it whenever the provider rotates its signing certificate) 
     • Enter everything manually 
  10. Define the Name ID format from the list according to your provider 
  11. Configure the Group-Claims mapping according to your provider. Full Name, E-mail and Groups are mandatory 
  12. OPTIONAL. Configure the Sign all messages and Encrypt Name ID options if your provider supports them 
  13. OPTION 1 (SCIM2 activated). Activate SCIM2 support for Users & Groups provisioning if necessary, via the Enable SCIM2 option. See the CONFIGURING SCIM2 section below for further details 
  14. OPTION 2 (SCIM2 not activated). If SCIM2 is not activated, the groups are expected to arrive in the configured Groups claim. See the MANUAL MAPPING OF GROUPS subsection below 

MANUAL MAPPING OF GROUPS

This section is only mandatory if SCIM2 was not enabled when setting up SAML2.
Make sure the Groups claim is properly defined, and that you know the unique identifier/name of each group that you need to map to one or more Priverion Platform roles. The value entered as the group's Unique Identifier must match exactly what your Identity Provider sends in the Groups claim.

  1. From the upper bar menu, click on the Settings icon button
  2. On the opened menu, select IT Settings 
  3. Open the Identity & Access menu 
  4. Select the Role Mapping suboption 
  5. Click on the Edit button to open the Role Mapping Configuration screen 
  6. Select the Manual groups option, then click on the Create button and the Create Group option
  7. Add a Name for the group and, in the Unique Identifier field, enter the value that your Identity Provider sends for this group in the configured Groups claim
  8. Press the Save button to save the new group
  9. Once the group is defined, it can be mapped to any of the Priverion Platform roles via the dropdowns available for each role
  10. Press the Save button to save the configuration
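The following Python is an added example, not Priverion code and not part of this guide. It sketches the processing that the settings above imply once a SAML response has been accepted: the mandatory Full Name / E-mail / Groups claims are read from the assertion's AttributeStatement, the E-mail domain is checked against the comma-separated Allowed domains list, and each value in the Groups claim is resolved to platform roles through a manual group-to-role mapping, matching the Unique Identifier exactly (case-sensitive) and granting nothing for unmapped groups. The claim URIs, group identifiers, the "Auditor" role name, the assumption that Allowed domains is checked against the E-mail claim, and the assertion itself are all constructed for illustration. Signature validation of the SAML response is deliberately out of scope here and must happen before any claim is trusted.

```python
"""Added example: group-claim extraction and manual group-to-role resolution.
Not Priverion code; claim names, ids, roles and the assertion are constructed."""
from __future__ import annotations
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names as they would be entered in the Group-Claims mapping screen.
# These Microsoft-style URIs are an assumption for illustration only.
CLAIMS = {
    "fullname": "http://schemas.microsoft.com/identity/claims/displayname",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "groups": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
}

# Manual group mapping: Unique Identifier (as sent in the Groups claim) -> roles.
# "IT Administrator" appears in the guide; "Auditor" is a hypothetical role name.
GROUP_TO_ROLES = {
    "11111111-2222-3333-4444-555555555555": {"IT Administrator"},
    "66666666-7777-8888-9999-000000000000": {"Auditor"},
}

# Constructed sample assertion (no Signature element; validate signatures first).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">bjensen@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
      <saml:AttributeValue>Barbara Jensen</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>bjensen@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
      <saml:AttributeValue>deadbeef-0000-0000-0000-000000000000</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_allowed_domains(setting: str) -> set[str]:
    """Parse the comma-separated Allowed domains setting; domains compare case-insensitively."""
    return {d.strip().lower() for d in setting.split(",") if d.strip()}


def claim_values(assertion_xml: str, claim_name: str) -> list[str]:
    """Return every non-empty AttributeValue under the Attribute named claim_name."""
    root = ET.fromstring(assertion_xml)
    values: list[str] = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == claim_name:
            values.extend((v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS))
    return [v for v in values if v]


def evaluate_login(assertion_xml: str, allowed_domains: str) -> dict:
    """Mandatory-claim check, Allowed domains gate, then group -> role resolution."""
    claims = {key: claim_values(assertion_xml, name) for key, name in CLAIMS.items()}
    missing = [key for key, vals in claims.items() if not vals]
    if missing:
        return {"allowed": False, "reason": f"missing mandatory claims: {missing}", "roles": set()}
    email = claims["email"][0]
    domain = email.rsplit("@", 1)[-1].lower() if "@" in email else ""
    if domain not in parse_allowed_domains(allowed_domains):
        return {"allowed": False, "reason": f"domain {domain!r} is not an allowed domain", "roles": set()}
    roles: set[str] = set()
    unmapped: list[str] = []
    for gid in claims["groups"]:
        if gid in GROUP_TO_ROLES:      # exact match on the Unique Identifier
            roles |= GROUP_TO_ROLES[gid]
        else:
            unmapped.append(gid)       # an unmapped group grants no role
    return {"allowed": True, "email": email, "roles": roles, "unmapped_groups": unmapped}


if __name__ == "__main__":
    print(evaluate_login(SAMPLE_ASSERTION, "example.com, example.org"))
```

The second group value in the sample is not in the mapping, so the user ends up with only the IT Administrator role; when a mapped group seems to have no effect, compare the exact string your provider sends (often an object id rather than a display name) with the Unique Identifier you entered.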

CONFIGURING SCIM2 

PREREQUISITES 

  • A user with access to the Priverion Platform 
  • Your user must have at least the IT Administrator role, or a Custom Role with IT Settings access 
  • Authentication already configured with SAML2 

SUPPORTED FEATURES

  • User operations
    • Create
    • Read
    • Update
    • Deactivate
  • Group operations
    • Create
    • Read
    • Update
    • Delete

NOTE: Priverion Platform does not support Okta's "Push Now" functionality for group membership synchronization. Group updates are processed via standard SCIM PATCH/PUT requests. Membership changes for non-Okta users (users created manually within the platform) are not affected by group push operations from the Identity Provider.

CONFIGURATION STEPS

  1. From the upper bar menu, click on the Settings icon button 
  2. On the opened menu, select IT Settings 
  3. Open the Identity & Access menu 
  4. Select the SAML2/OAuth2 suboption 
  5. Click on the Edit button to open the Authentication Configuration screen 
  6. Activate the SCIM2 integration by enabling the Enable SCIM2 option 
  7. Navigate back to the Identity & Access menu 
  8. Select the SCIM2 suboption. There you will find the SCIM2 endpoints provided by the platform for your Instance and Company; these are the endpoints your Identity Provider's provisioning connector must be pointed at 

SCIM ATTRIBUTES TABLE

User attributes accepted by the platform, with value syntax. The same definition is served by the platform at /Schemas/urn:ietf:params:scim:schemas:core:2.0:User.

| Attribute (SCIM path) | Type | Multi-valued | Required | Mutability | Value syntax / example JSON | Notes |
|---|---|---|---|---|---|---|
| userName | string | No | Yes | readWrite | "userName": "bjensen" | Unique across all users (uniqueness: server); must be non-empty. |
| name | complex | No | No | readWrite | "name": { "givenName": "Barbara", "familyName": "Jensen" } | Complex object with the sub-attributes below. |
| name.formatted | string | No | No | readWrite | "name": { "formatted": "Ms. Barbara J Jensen, III" } | Full formatted name. |
| name.familyName | string | No | No | readWrite | "name": { "familyName": "Jensen" } | Family / last name (Western languages). |
| name.givenName | string | No | No | readWrite | "name": { "givenName": "Barbara" } | Given / first name (Western languages). |
| name.middleName | string | No | No | readWrite | "name": { "middleName": "Jane" } | Middle name(s). |
| name.honorificPrefix | string | No | No | readWrite | "name": { "honorificPrefix": "Ms." } | Title / prefix. |
| name.honorificSuffix | string | No | No | readWrite | "name": { "honorificSuffix": "III" } | Suffix. |
| displayName | string | No | No | readWrite | "displayName": "Barbara Jensen" | Human-friendly display label. |
| emails | complex | Yes | No | readWrite | "emails": [{ "value": "bjensen@example.com", "type": "work", "primary": true }] | Multi-valued complex array; this implementation maintains one primary email per user. |
| emails.value | string | n/a | No | readWrite | { "value": "bjensen@example.com" } | Email address; typically canonicalized. |
| emails.type | string | n/a | No | readWrite | { "type": "work" } | Canonical values: work, home, other. |
| emails.primary | boolean | n/a | No | readWrite | { "primary": true } | true may appear at most once in the array. |
| active | boolean | No | No | readWrite | "active": true | User administrative status; setting it to false deactivates the user (see Supported features). |
| entitlements | complex | Yes | No | readWrite | "entitlements": [{ "value": "pro", "display": "Pro plan", "type": "plan", "primary": true }] | List of entitlements (things the user has). |
| entitlements.value | string | n/a | No | readWrite | { "value": "pro" } | Entitlement identifier/value. |
| entitlements.display | string | n/a | No | readWrite | { "display": "Pro plan" } | Human-readable label. |
| entitlements.type | string | n/a | No | readWrite | { "type": "plan" } | Label indicating function. |
| entitlements.primary | boolean | n/a | No | readWrite | { "primary": true } | true may appear at most once in the array. |
| roles | complex | Yes | No | readOnly | "roles": [{ "value": "student", "display": "Student", "type": "org", "primary": true }] | Read-only: clients must not set it via SCIM. Roles are assigned through Role Mapping (see CONFIGURING AUTHORIZATION). |
| roles.value | string | n/a | No | readOnly | { "value": "student" } | Role identifier/value. |
| roles.display | string | n/a | No | readOnly | { "display": "Student" } | Human-readable label. |
| roles.type | string | n/a | No | readOnly | { "type": "org" } | Label indicating function. |
| roles.primary | boolean | n/a | No | readOnly | { "primary": true } | true may appear at most once in the array. |

Group attributes accepted by the platform, with value syntax. The same definition is served by the platform at /Schemas/urn:ietf:params:scim:schemas:core:2.0:Group.

| Attribute (SCIM path) | Type | Multi-valued | Required | Mutability | Value syntax / example JSON | Notes |
|---|---|---|---|---|---|---|
| displayName | string | No | Yes | readWrite | "displayName": "Engineering" | Human-friendly group name. |
| members | complex | Yes | No | readWrite | "members": [{ "value": "USER_ID", "display": "Barbara Jensen" }] | Multi-valued complex array; each entry carries value (the SCIM id of the user) and optionally display, as in the example. |
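The following Python is an added example, not Priverion code and not part of this guide. It turns the constraints in the two tables above into a client-side check for a User payload before it is sent (userName required and non-empty, primary=true at most once per multi-valued array, canonical email types, and roles rejected because the table marks it readOnly), builds the PATCH body that performs the Deactivate operation, and applies a group-membership PatchOp to a Group resource in the way the NOTE under Supported features describes (standard PATCH with add/remove operations rather than a push). The sample User, Group and PATCH messages are constructed; the filter-path form `members[value eq "ID"]` is the standard SCIM 2.0 remove syntax and is assumed here, not taken from the platform's documentation.

```python
"""Added example: SCIM 2.0 User payload checks and Group PatchOp handling.
Not Priverion code; all sample resources below are constructed."""
from __future__ import annotations
import json
import re

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
READ_ONLY_ATTRS = {"roles"}                  # readOnly in the table: never send
CANONICAL_EMAIL_TYPES = {"work", "home", "other"}
MULTI_VALUED = ("emails", "entitlements")    # arrays where primary=true is unique

# Constructed sample resources (not real platform data).
SAMPLE_USER = {
    "schemas": [USER_SCHEMA],
    "userName": "bjensen",
    "name": {"givenName": "Barbara", "familyName": "Jensen"},
    "displayName": "Barbara Jensen",
    "emails": [{"value": "bjensen@example.com", "type": "work", "primary": True}],
    "active": True,
}
BAD_USER = {   # two primary emails and a readOnly attribute
    "schemas": [USER_SCHEMA],
    "userName": "jdoe",
    "emails": [{"value": "jdoe@example.com", "type": "work", "primary": True},
               {"value": "jdoe@example.org", "type": "home", "primary": True}],
    "roles": [{"value": "student", "primary": True}],
}
SAMPLE_GROUP = {
    "schemas": [GROUP_SCHEMA], "id": "g-eng", "displayName": "Engineering",
    "members": [{"value": "u-1", "display": "Barbara Jensen"}],
}
MEMBERSHIP_PATCH = {   # shape an IdP sends when membership changes
    "schemas": [PATCH_SCHEMA],
    "Operations": [
        {"op": "add", "path": "members", "value": [{"value": "u-2"}]},
        {"op": "remove", "path": 'members[value eq "u-1"]'},
    ],
}


def validate_user(user: dict) -> list[str]:
    """Return every violation of the User constraints listed in the table."""
    errors: list[str] = []
    if USER_SCHEMA not in user.get("schemas", []):
        errors.append("schemas must include the core User schema")
    if not isinstance(user.get("userName"), str) or not user["userName"].strip():
        errors.append("userName is required and must be non-empty")
    for attr in sorted(READ_ONLY_ATTRS & set(user)):
        errors.append(f"{attr} is readOnly; it is assigned through Role Mapping")
    for field in MULTI_VALUED:
        items = user.get(field, [])
        if not isinstance(items, list):
            errors.append(f"{field} must be a multi-valued array")
        elif sum(1 for i in items if i.get("primary") is True) > 1:
            errors.append(f"{field}: primary=true may appear at most once")
    emails = user.get("emails", [])
    for e in emails if isinstance(emails, list) else []:
        if "@" not in str(e.get("value", "")):
            errors.append("emails.value must be an e-mail address")
        if "type" in e and e["type"] not in CANONICAL_EMAIL_TYPES:
            errors.append(f"emails.type {e['type']!r} is not canonical")
    if "active" in user and not isinstance(user["active"], bool):
        errors.append("active must be a boolean")
    return errors


def deactivate_op() -> dict:
    """PATCH body an IdP sends to deactivate a user (the Deactivate operation)."""
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


MEMBER_FILTER = re.compile(r'^members\[value eq "([^"]+)"\]$')


def apply_group_patch(group: dict, patch: dict) -> dict:
    """Apply a PatchOp to a Group resource and return the updated copy.
    Handles add members, remove one member by the filter path
    members[value eq "ID"], and replace of displayName or the whole
    members list. Any other operation is rejected rather than ignored."""
    if PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a PatchOp message")
    updated = json.loads(json.dumps(group))          # never mutate the input
    for op in patch["Operations"]:
        kind, path, value = op["op"].lower(), op.get("path"), op.get("value")
        match = MEMBER_FILTER.match(path or "")
        if kind == "add" and path == "members":
            present = {m["value"] for m in updated.setdefault("members", [])}
            updated["members"] += [m for m in value if m["value"] not in present]
        elif kind == "remove" and match:
            updated["members"] = [m for m in updated.get("members", [])
                                  if m["value"] != match.group(1)]
        elif kind == "replace" and path == "displayName":
            updated["displayName"] = value
        elif kind == "replace" and path == "members":
            updated["members"] = list(value)
        else:
            raise ValueError(f"unsupported operation: {op}")
    return updated


if __name__ == "__main__":
    print(validate_user(SAMPLE_USER), validate_user(BAD_USER))
    print(apply_group_patch(SAMPLE_GROUP, MEMBERSHIP_PATCH)["members"])
```

Rejecting unknown operations instead of silently skipping them is the safer default for a provisioning endpoint: a membership removal that is dropped on the floor leaves a user with access the IdP believes it revoked.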

CONFIGURING AUTHORIZATION 

PREREQUISITES 

  • A user with access to the Priverion Platform 
  • Your user must have at least the IT Administrator role, or a Custom Role with IT Settings access 
  • Groups provisioning already configured through SCIM2 
  • Groups synced from your Identity Provider 

CONFIGURATION STEPS

  1. From the upper bar menu, click on the Settings icon button 
  2. On the opened menu, select IT Settings 
  3. Open the Identity & Access menu 
  4. Select the Role Mapping suboption 
  5. Click on the Edit button 
  6. Map the provisioned Groups to the Priverion Platform Roles according to your requirements 
