Fortinet black logo

Admin Guide

Home FortiToken Cloud Admin Guide

Add SCIM clients

Add SCIM clients

Perhaps the greatest benefit of SCIM is that it provides a standardized, secure methodology for exchanging information between IT systems. This ensures interoperability across domains without expensive custom integrations.

SCIM auto-provisioning increases productivity across the entire organization. Besides freeing up IT teams to focus on more valuable tasks, SCIM, in partnership with access management, reduces the time needed to grant access to backend infrastructure, giving employees a productivity boost. Together, these benefits improve the return on investment (ROI) on IT infrastructure and reduce the total cost of ownership (TCO).

Features

User Provisioning

  • Automated creation of user accounts in target systems based on changes in the identity provider (IdP).

  • When a new user is added to the IdP or updates are made to existing user attributes, the SCIM server communicates these changes to the connected applications or services, ensuring that user accounts are consistently provisioned across the ecosystem.

User Deprovisioning:

When a user is deactivated or removed from the identity provider, the SCIM server ensures that corresponding actions are taken in connected systems to deactivate or delete the user accounts.

Attribute Synchronization:

Synchronize user attributes (such as name, email, group memberships, roles, etc.) between the identity provider and connected systems. Changes made to user attributes in one system are propagated to other systems, ensuring consistency and accuracy of user data across the organization's IT infrastructure.

Group Management:

Supports the management of user groups and their memberships across different systems. Group provisioning and deprovisioning functionalities enable organizations to efficiently manage access permissions by automatically updating group memberships based on changes in the identity provider.

Security:

Implement security measures such as authentication, authorization, and secure communication protocols (e.g., HTTPS) to ensure the confidentiality, integrity, and availability of sensitive identity data exchanged between systems.

Standards Compliance:

SCIM is built on standard web protocols such as HTTP and JSON, making it interoperable and widely supported by various identity management solutions, cloud services, and applications. Compliance with SCIM specifications ensures seamless integration and compatibility with other SCIM-compliant systems.

Overall, a SCIM server streamlines identity management processes, reduces manual effort, enhances security, and improves the efficiency of user lifecycle management in organizations with complex IT environments.

Use Case

Imagine a large multinational corporation with offices spread across the globe. Each office has its own identity management system, handling employee accounts, permissions, and access to resources. However, managing user identities across these disparate systems can be a nightmare. This is where SCIM comes in.

In this scenario, the corporation decides to implement SCIM to streamline the management of user identities across all its offices. Here's how it works:

  1. Centralized Identity Management: With SCIM, the corporation can establish a central identity management system that serves as the authoritative source of user identities. This system contains a master user directory where all employee identities are stored.

  2. Automated User Provisioning: Whenever a new employee joins the company, their information is entered into the central identity management system. SCIM allows for automated provisioning, meaning that user accounts can be automatically created in the various office-specific identity systems without manual intervention.

  3. Consistent User Data: SCIM ensures that user data remains consistent across all systems. If an employee updates their profile information (such as changing their job title or contact details), those changes are automatically propagated to all relevant systems via SCIM.

  4. Simplified Access Management: With SCIM, access permissions can be managed centrally. When an employee's role changes or they leave the company, access privileges are updated in real-time across all systems, reducing the risk of unauthorized access.

  5. Interoperability: SCIM provides a standardized way for different identity management systems to communicate with each other. This ensures interoperability between systems from different vendors, allowing the corporation to use the best-in-class solutions for each office while still maintaining a cohesive identity management strategy.

  6. Audit Trail and Compliance: SCIM provides a comprehensive audit trail, allowing administrators to track changes to user identities and access permissions. This is crucial for compliance purposes, ensuring that the corporation meets regulatory requirements related to data security and privacy.

Overall, by implementing SCIM, the corporation can achieve greater efficiency, consistency, and security in managing user identities across its distributed infrastructure.

Examples:

An FTC customer's organization would like to use exiting Okta/AZURE/FAC users/group to sync with FTC.The following steps will need to be done for an enduser in the organization to start using SCIM Server

  • Customers user/group based OKTA / Azure / FortiAuthenticatior

    • FTC Admin - will create the below things

    • FTC admin Side Config --> https://ftc.fortinet.com -- > applications-> Web Apps -- > Add SCIM Client and copy the secret

  • Okta SCIM Client Side Config

    • login to the okta organaization admin account

    • Application--> Browse App Catalog and search SCIM 2.0 Test App ( Header Auth)

    • Add the applications

    • Add Integreations--> Provisioning-->Enable API integreation

      • Base URL :https://ftc.fortinet.com:9696/api/v2/scim/

      • API Token: ( Bearer+space-Copied Secret)

      • Click Test API Credentials

    • Assignments

      • Add the users ( tom / mike ) or group

      • remove the users or group

  • Azure SCIM Client Side Config

    • https://portal.azure.com login with Corp account >>Click Enterprise Applications -->Click the New Applications

    • After applications is created

      • Click on Provisioning--> Select Automatic --> Admin Credentials

        • Tenant URL:https://ftc.fortinet.com:9696/api/v2/scim/

        • Secret Token: Copied Secret

        • Test Connection

      • Manage -- Users and groups

        • Click Add user/group , Select the user or grooup and Assign

        • Remove user , Select the user and Remove the assignments

  • FAC SCIM Client Side Config

    • login to the FAC with organaization admin account

    • In Authentication > SCIM > Service Provider, select Create New.

    • The Create New Scim Service Provider window opens

    • Edit Service Provider

      • Name:test-scim

      • SCIM endpoint: https://ftc.fortinet.com:9696/api/v2/scim/

      • Access Token:Copied Secret

    • Click the sync

    • Automatically exiting users added to the scim

Demo

FTC Server Side Configurations

In FTC

1. http://ftc.fortinet.com and login

2. applications-> Web Apps -- > Add SCIM Client

  • Name: Example : test-scim1

  • Realm : <default>

  • Adaptive Auth Profile: --None--

3. After the Clicked Save button and will open the page.

  • Name: Example : test-scim1

    • Realm : <default>

    • Adaptive Auth Profile: --None--

    • ID: 650*

    • Secret: ey*

  • Copy the secret and need to use the secret for scim clients ( FAC / Okta or Azure)

Okta SCIM Client Applications Integrations:

1. In Okta url http://okta.com and login with Corp account

2. Applications --> Click Browse App Catalog

3. search SCIM 2.0 Test App ( Header Auth)

4. Click SCIM 2.0 Test App ( Header Auth) and Add Integration.

5. Okta Add SCIM Provisioning.

Previous
Next

Add SCIM clients

Perhaps the greatest benefit of SCIM is that it provides a standardized, secure methodology for exchanging information between IT systems. This ensures interoperability across domains without expensive custom integrations.

SCIM auto-provisioning increases productivity across the entire organization. Besides freeing up IT teams to focus on more valuable tasks, SCIM, in partnership with access management, reduces the time needed to grant access to backend infrastructure, giving employees a productivity boost. Together, these benefits improve the return on investment (ROI) on IT infrastructure and reduce the total cost of ownership (TCO).

Features

User Provisioning

  • Automated creation of user accounts in target systems based on changes in the identity provider (IdP).

  • When a new user is added to the IdP or updates are made to existing user attributes, the SCIM server communicates these changes to the connected applications or services, ensuring that user accounts are consistently provisioned across the ecosystem.

User Deprovisioning:

When a user is deactivated or removed from the identity provider, the SCIM server ensures that corresponding actions are taken in connected systems to deactivate or delete the user accounts.

Attribute Synchronization:

Synchronize user attributes (such as name, email, group memberships, roles, etc.) between the identity provider and connected systems. Changes made to user attributes in one system are propagated to other systems, ensuring consistency and accuracy of user data across the organization's IT infrastructure.

Group Management:

Supports the management of user groups and their memberships across different systems. Group provisioning and deprovisioning functionalities enable organizations to efficiently manage access permissions by automatically updating group memberships based on changes in the identity provider.

Security:

Implement security measures such as authentication, authorization, and secure communication protocols (e.g., HTTPS) to ensure the confidentiality, integrity, and availability of sensitive identity data exchanged between systems.

Standards Compliance:

SCIM is built on standard web protocols such as HTTP and JSON, making it interoperable and widely supported by various identity management solutions, cloud services, and applications. Compliance with SCIM specifications ensures seamless integration and compatibility with other SCIM-compliant systems.

Overall, a SCIM server streamlines identity management processes, reduces manual effort, enhances security, and improves the efficiency of user lifecycle management in organizations with complex IT environments.

Use Case

Imagine a large multinational corporation with offices spread across the globe. Each office has its own identity management system, handling employee accounts, permissions, and access to resources. However, managing user identities across these disparate systems can be a nightmare. This is where SCIM comes in.

In this scenario, the corporation decides to implement SCIM to streamline the management of user identities across all its offices. Here's how it works:

  1. Centralized Identity Management: With SCIM, the corporation can establish a central identity management system that serves as the authoritative source of user identities. This system contains a master user directory where all employee identities are stored.

  2. Automated User Provisioning: Whenever a new employee joins the company, their information is entered into the central identity management system. SCIM allows for automated provisioning, meaning that user accounts can be automatically created in the various office-specific identity systems without manual intervention.

  3. Consistent User Data: SCIM ensures that user data remains consistent across all systems. If an employee updates their profile information (such as changing their job title or contact details), those changes are automatically propagated to all relevant systems via SCIM.

  4. Simplified Access Management: With SCIM, access permissions can be managed centrally. When an employee's role changes or they leave the company, access privileges are updated in real-time across all systems, reducing the risk of unauthorized access.

  5. Interoperability: SCIM provides a standardized way for different identity management systems to communicate with each other. This ensures interoperability between systems from different vendors, allowing the corporation to use the best-in-class solutions for each office while still maintaining a cohesive identity management strategy.

  6. Audit Trail and Compliance: SCIM provides a comprehensive audit trail, allowing administrators to track changes to user identities and access permissions. This is crucial for compliance purposes, ensuring that the corporation meets regulatory requirements related to data security and privacy.

Overall, by implementing SCIM, the corporation can achieve greater efficiency, consistency, and security in managing user identities across its distributed infrastructure.

Examples:

An FTC customer's organization would like to use exiting Okta/AZURE/FAC users/group to sync with FTC.The following steps will need to be done for an enduser in the organization to start using SCIM Server

  • Customers user/group based OKTA / Azure / FortiAuthenticatior

    • FTC Admin - will create the below things

    • FTC admin Side Config --> https://ftc.fortinet.com -- > applications-> Web Apps -- > Add SCIM Client and copy the secret

  • Okta SCIM Client Side Config

    • login to the okta organaization admin account

    • Application--> Browse App Catalog and search SCIM 2.0 Test App ( Header Auth)

    • Add the applications

    • Add Integreations--> Provisioning-->Enable API integreation

      • Base URL :https://ftc.fortinet.com:9696/api/v2/scim/

      • API Token: ( Bearer+space-Copied Secret)

      • Click Test API Credentials

    • Assignments

      • Add the users ( tom / mike ) or group

      • remove the users or group

  • Azure SCIM Client Side Config

    • https://portal.azure.com login with Corp account >>Click Enterprise Applications -->Click the New Applications

    • After applications is created

      • Click on Provisioning--> Select Automatic --> Admin Credentials

        • Tenant URL:https://ftc.fortinet.com:9696/api/v2/scim/

        • Secret Token: Copied Secret

        • Test Connection

      • Manage -- Users and groups

        • Click Add user/group , Select the user or grooup and Assign

        • Remove user , Select the user and Remove the assignments

  • FAC SCIM Client Side Config

    • login to the FAC with organaization admin account

    • In Authentication > SCIM > Service Provider, select Create New.

    • The Create New Scim Service Provider window opens

    • Edit Service Provider

      • Name:test-scim

      • SCIM endpoint: https://ftc.fortinet.com:9696/api/v2/scim/

      • Access Token:Copied Secret

    • Click the sync

    • Automatically exiting users added to the scim

Demo

FTC Server Side Configurations

In FTC

1. http://ftc.fortinet.com and login

2. applications-> Web Apps -- > Add SCIM Client

  • Name: Example : test-scim1

  • Realm : <default>

  • Adaptive Auth Profile: --None--

3. After the Clicked Save button and will open the page.

  • Name: Example : test-scim1

    • Realm : <default>

    • Adaptive Auth Profile: --None--

    • ID: 650*

    • Secret: ey*

  • Copy the secret and need to use the secret for scim clients ( FAC / Okta or Azure)

Okta SCIM Client Applications Integrations:

1. In Okta url http://okta.com and login with Corp account

2. Applications --> Click Browse App Catalog

3. search SCIM 2.0 Test App ( Header Auth)

4. Click SCIM 2.0 Test App ( Header Auth) and Add Integration.

5. Okta Add SCIM Provisioning.

Previous
Next