Configuring a SCIM identity connector

A SCIM connector allows your central identity provider, such as CyberArk Identity, to push user and group data into Trust Protection Foundation asynchronously. The data is stored locally in the database, which eliminates the need for real-time directory queries when a user attempts to log in.

Because your identity provider pushes SCIM data to Trust Protection Foundation through an API, you must configure your public SCIM server URL, create the connector, and then generate a static bearer token to paste into your identity provider's portal to authorize the connection.

To configure global SCIM server settings

In preparation for deploying a SCIM connector, we recommend that your Trust Protection Foundation public address be load balanced and resolve to two or more servers in your system cluster. This avoids a single point of failure if one server becomes unavailable.

Additionally, you must define the global URL that identity providers will use to reach your SCIM server before you can create individual SCIM connectors.

  1. On the CyberArk server, open the CyberArk Configuration Console and navigate to the Connectors node.
  2. In the Actions panel, under Global Connector Actions, click SCIM Server Settings.
  3. In the Global SCIM Provider Settings window, enter your Public SCIM Server URL.
    The default location is https://your-server-name/vedscim or, for a load-balanced cluster, https://your-load-balanced-address/vedscim.
  4. Click OK.

To create a SCIM connector

  1. On the CyberArk server, open the CyberArk Configuration Console and navigate to the Connectors node.
  2. In the Actions panel, under Create Identity Connectors, click SCIM Connector.
  3. In the Create SCIM Identity Provider window, complete the following fields:

    Object Name
      A name for your new SCIM identity provider object that appears in the administration consoles. Choose a unique name containing only alphanumeric characters and spaces.
    Friendly Name
      A friendly name for the connection. This name acts as a prefix if end users need to explicitly route their login to this directory (for example, scim+FriendlyName:username).
    Rank
      The search order for this identity connector. Trust Protection Foundation searches for users starting with the lowest rank number first.
    IdP Provider
      Select your identity provider from the list (for example, CyberArk Identity or Microsoft Entra ID). If your provider isn't listed, select Other.
    Administrator
      Specify the administrator account responsible for managing this connector.
  4. Click Create.
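The following is an added illustration, not product code, of how the Friendly Name routing prefix (scim+FriendlyName:username) and the Rank search order described above fit together. The prefix grammar beyond the page's one example, the exact-match comparison of friendly names, and the fail-closed handling of an unknown prefix are assumptions of this sample; the connectors and users are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# "scim+FriendlyName:username" routes a login to one SCIM directory.
# Generalising that example into a grammar is an assumption of this sample.
ROUTE_RE = re.compile(r"^(?P<kind>[a-z]+)\+(?P<friendly>[^:]+):(?P<user>.+)$")


@dataclass
class ScimConnector:
    object_name: str
    friendly_name: str
    rank: int
    users: set = field(default_factory=set)  # locally stored SCIM-provisioned users


def parse_login(login: str):
    """Split an explicit routing prefix off a login; returns (friendly or None, username)."""
    m = ROUTE_RE.match(login)
    if not m:
        return None, login
    if m.group("kind") != "scim":
        raise ValueError(f"unsupported connector kind {m.group('kind')!r}")
    return m.group("friendly"), m.group("user")


def resolve_user(login: str, connectors: list) -> Optional[str]:
    """Return the object name of the connector holding the user, or None.
    An explicit prefix consults only that directory; otherwise connectors are
    searched lowest Rank first, as the Rank field describes."""
    friendly, username = parse_login(login)
    if friendly is not None:
        # Unknown prefix: fail closed instead of falling back to the ranked search (assumption).
        candidates = [c for c in connectors if c.friendly_name == friendly]
    else:
        candidates = sorted(connectors, key=lambda c: c.rank)
    for c in candidates:
        if username in c.users:
            return c.object_name
    return None


# Constructed sample connectors; names and users are not from the product.
CONNECTORS = [
    ScimConnector("Entra SCIM", "Entra", rank=20, users={"alice", "bob"}),
    ScimConnector("CyberArk Identity SCIM", "CAI", rank=10, users={"alice", "carol"}),
]

if __name__ == "__main__":
    print(resolve_user("alice", CONNECTORS))             # CyberArk Identity SCIM (rank 10 wins)
    print(resolve_user("scim+Entra:alice", CONNECTORS))  # Entra SCIM (explicit routing)
    print(resolve_user("scim+Nope:alice", CONNECTORS))   # None
```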

To generate the SCIM bearer token

To authenticate the push requests coming from your identity provider, you must generate a static bearer token and provide it to your identity provider.

  1. In the center Platform Connectors panel, select your newly created SCIM identity connector.
  2. In the Actions panel, click Properties.
  3. On the General tab, under the Issued Tokens section, click Issue....
  4. When the token window appears, copy the token string immediately.

    CAUTION  This is a one-time token. It won't be shown again and Trust Protection Foundation can't retrieve it for you later. Treat this token like a password. Keep it secure and only use it within your identity provider's configuration portal.

  5. Click Close, and then click OK to exit the properties window.

What's next?

SCIM is used strictly for identity lifecycle management and doesn't authenticate users. Because SCIM-provisioned users typically don't have local passwords pushed to Trust Protection Foundation, you must configure a delegated authentication method so that these users can log in.

To allow your SCIM users to log in, proceed to Configuring single sign-on for an identity connector to map this directory to an OpenID Connect (OIDC) or SAML profile.