
SCIM 2.0 in JupiterOne

JupiterOne supports SCIM 2.0 (System for Cross-domain Identity Management) following the protocol defined by the IETF. SCIM is an industry-standard protocol designed to simplify user identity management tasks in a multi-domain environment.

With SCIM 2.0 support, you can keep JupiterOne in sync with your identity provider by managing group membership, provisioning, and deprovisioning all through the IdP.

Key Benefits of SCIM

  • Automated User Provisioning: SCIM support allows administrators to automatically provision user accounts within JupiterOne when users are added to the identity provider. This eliminates the need for manual user account creation, reducing the chances of human errors and saving valuable time.

  • User Deprovisioning: When a user is removed from the identity provider, SCIM ensures that the user's access to JupiterOne and associated resources is promptly revoked, maintaining security and compliance by preventing lingering access.

  • Real-time User Sync: SCIM enables real-time synchronization of user identity information including group membership, ensuring that changes made in the identity provider are immediately reflected in JupiterOne. This ensures consistency and accuracy in user access control.

Setting Up SCIM with your IdP in JupiterOne

Prerequisites

  1. Confirm that your IdP supports SCIM 2.0 protocol. JupiterOne does not support SCIM 1.0.
  2. Confirm that your IdP supports SCIM authentication by API Bearer Token. J1 does not support basic auth or OAuth with SCIM.
  3. SAML SSO is required before setting up SCIM. Follow these steps to enable SP-initiated SSO: How to Configure SAML SSO Integration with JupiterOne.

Common steps

No matter your IdP integration, there are some common steps that you will need to take within JupiterOne.

Generating an API Token

As previously stated, JupiterOne supports authentication through an API Bearer Token header. You can generate one through code or through the JupiterOne UI. More information can be found here: Authentication. We recommend generating an account-level API token (as opposed to a user-level token) for SCIM.

Note: the max Time To Live for an API token is 365 days. You will need to define your own token rotation strategy, either manual or using our API.

SCIM Endpoint

The endpoint URL for JupiterOne SCIM is: https://api.us.jupiterone.io/iam/scim/v2.
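As an added example (not JupiterOne's or Okta's code), the snippet below builds the SCIM 2.0 requests an IdP sends to this endpoint for the Okta actions described below (create user, deactivate user) and checks them against the constraints stated on this page: Bearer-only auth, SCIM 2.0 schemas, email as the unique identifier, and the 365-day token TTL. The endpoint URL and TTL come from the page; the request shapes, the check messages and the sample user are assumptions.

```python
# Added example: SCIM 2.0 requests an IdP such as Okta sends for the "To App"
# actions in this guide, checked offline against the limits the page states.
# Endpoint URL and 365-day TTL are from the page; everything else is assumed.
from datetime import date, timedelta
import re

SCIM_BASE = "https://api.us.jupiterone.io/iam/scim/v2"    # from the page
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
TOKEN_MAX_TTL_DAYS = 365                                   # from the page
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def headers(token: str) -> dict:
    # JupiterOne accepts only an "Authorization: Bearer" header for SCIM.
    return {"Authorization": f"Bearer {token}",
            "Content-Type": "application/scim+json"}

def create_user(email: str, given: str, family: str) -> tuple[str, dict]:
    # "Push New Users" / "Create Users": POST /Users, userName is the email.
    body = {"schemas": [USER_SCHEMA], "userName": email, "active": True,
            "name": {"givenName": given, "familyName": family},
            "emails": [{"value": email, "primary": True}]}
    return f"{SCIM_BASE}/Users", body

def deactivate_user(scim_id: str) -> tuple[str, dict]:
    # "Deactivate Users": PATCH /Users/{id} setting active=false.
    body = {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}
    return f"{SCIM_BASE}/Users/{scim_id}", body

def check_request(hdrs: dict, body: dict) -> list[str]:
    # Problems that would violate the page's stated limits (messages are
    # assumed for this example, not JupiterOne's own error responses).
    problems = []
    if not hdrs.get("Authorization", "").startswith("Bearer "):
        problems.append("auth must be an API Bearer token (Basic/OAuth unsupported)")
    if not any(s.startswith("urn:ietf:params:scim:") and ":2.0:" in s
               for s in body.get("schemas", [])):
        problems.append("body must carry a SCIM 2.0 schema URN (SCIM 1.0 unsupported)")
    if "userName" in body and not EMAIL_RE.match(body["userName"]):
        problems.append("userName must be the user's email (unique identifier = email)")
    return problems

def days_until_rotation(issued: date, today: date) -> int:
    # Tokens live at most 365 days; a negative result means it already expired.
    return (issued + timedelta(days=TOKEN_MAX_TTL_DAYS) - today).days

if __name__ == "__main__":
    url, body = create_user("ada@example.com", "Ada", "Lovelace")  # constructed sample
    print(url, check_request(headers("TOKEN-PLACEHOLDER"), body))
```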

In the Identity Provider

Once confirming support of SCIM 2.0 by your IdP, follow their SCIM setup instructions. You can see example instructions for integrating with Okta below.

Note: JupiterOne’s support of SCIM allows for Create/Read/Update/Delete actions from the Identity Provider (IdP) to JupiterOne. JupiterOne’s support of SCIM does not permit the reverse action of Create/Read/Update/Delete from JupiterOne to the Identity Provider.

Example: JupiterOne SCIM support through Okta

Following the SCIM setup instructions from Okta:

Log in to Okta (IdP) as an administrator and follow these steps:

  1. After setting up your SAML SSO Integration, navigate to that application in Okta.

  2. Click on the Provisioning tab.

  3. Top Level Integration Settings:

    • Click on the Integration option in the Settings nav on the left.

    • Click Edit.

    • Set SCIM connector base URL to https://api.us.jupiterone.io/iam/scim/v2

    • Set Unique identifier field for users to email

    • Enable the following Supported provisioning actions:

      1. Push New Users
      2. Push Profile Updates
      3. Push Groups

      Note: JupiterOne does not support “Import New Users and Profile Updates”.

    • Set Authentication Mode to HTTP Header

      Note: JupiterOne does not support basic authentication or OAuth with SCIM.

    • Set Authorization to an account level API Token as described above.

  4. To App Settings:

    • Click on the To App option in the Settings nav on the left.
    • Click Edit
    • Enable the following:
      1. Create Users
      2. Update User Attributes
      3. Deactivate Users