You can now automatically create, update, and remove users in Secure Code Warrior directly from your identity provider (IdP) using SCIM. SCIM is an open standard for automating user provisioning supported by many identity providers. By enabling this integration with Secure Code Warrior, you can eliminate much of the effort involved in managing users manually within Secure Code Warrior.
In this article we will cover what features & capabilities are currently supported in Secure Code Warrior for SCIM provisioning:
- Steps Summary & SCIM endpoints
- SCIM API Key
- Provisioning Users
- Updating Users
- Deprovision Users
- Supported User Attributes
- Unsupported Features
- Unsupported User Attributes
- Licensing
- Email Notifications
- FAQs
- Tutorial Video: Azure Entra ID
Steps Summary
# | Step | System | Access Required
1 | Add the Secure Code Warrior app to your identity provider | Identity Provider (e.g. Okta) | Administrator
2 | Create SCIM API Key | Secure Code Warrior | Company Administrator
3 | Enable user provisioning in the Secure Code Warrior application | Identity Provider (e.g. Okta) | Administrator
SCIM Endpoints
Below is the list of tenant URLs or SCIM connectors, depending on the terminology used by your identity provider:
- Production (US): https://scim.prod-us.prod.securecodewarrior.com/v2/
- Production (EU): https://scim.prod-eu.prod.securecodewarrior.com/v2/
- Test: https://scim.customertest.prod.securecodewarrior.com/v2/
SCIM API Key
To generate a SCIM API Key, please follow the steps below:
Step 1
Navigate to Administration from the top menu
Step 2
From the More drop-down menu, click Edit Company.
Step 3
Scroll to the SCIM API section, enter a label for the API key, and click the Generate Key button.
Provisioning Users
You can leverage SCIM to create users and assign them to the appropriate team, role, and tags.
For more details, check the supported attributes section.
Note: SSO Strict Mode & SCIM
If you use SSO Strict Mode together with SCIM, keep the two configurations consistent to avoid conflicting user information. Both features update user information automatically: SSO updates it at the time of login, SCIM updates it on a schedule or on demand.
Updating Users
The following user details can be updated via SCIM:
- First Name
- Last Name
- Role
- Team
- Tags
Changes to key attributes, such as email addresses, do NOT result in duplicate users.
Deprovisioning Users
SCIM will either disable or delete users in Secure Code Warrior, depending on how you configure your identity provider. Deprovisioning is not back-dated: users who were removed from your directory before the integration was turned on are not touched. SCIM only updates users that have been successfully synchronised from your identity provider.
For the available deprovisioning options, refer to your IdP's documentation.
Note: Deleting users from the platform will hard delete all of the user's information. This action is irreversible.
Supported User Attributes
The following standard User schema attributes, plus the SCW extension schema (urn:ietf:params:scim:schemas:extension:scw:2.0:User), are supported and processed by the SCW SCIM API.
SCW Attribute | SCIM Schema Name | Description | Notes
Email | userName | User's email address. | MUST be formatted as a valid email address.
First Name | name.givenName | User's first name. |
Middle Name | name.middleName | User's middle name. |
Last Name | name.familyName | User's last name. |
Status | active | User's status in Secure Code Warrior. Possible values: see User Status Mapping. | When active is updated from false to true for an existing user, the user's SCW status reverts to the status the user had before being disabled.
Role | urn:ietf:params:scim:schemas:extension:scw:2.0:User:role | User's role in Secure Code Warrior. |
Team Name | urn:ietf:params:scim:schemas:extension:scw:2.0:User:teamName | User's team in Secure Code Warrior. |
Tags | urn:ietf:params:scim:schemas:extension:scw:2.0:User:tags | User's tags in Secure Code Warrior. |
Unsupported Features
Groups
- Synchronising groups from your IdP into Secure Code Warrior is currently not supported. You can still use groups to determine which users are synchronised into Secure Code Warrior; you just can't synchronise the groups themselves as Teams into Secure Code Warrior.
- We recommend that you disable Group sync in your identity provider if possible.
- Any requests made to the SCIM API’s /v2/Groups endpoints will return a 501 Not Implemented error.
Password Change
- We do not currently support this operation. Any passwords sent in the password attribute for a user will be ignored.
Unsupported User Attributes
The following attributes are not supported by the SCW SCIM API. If you attempt to include an unsupported attribute in an API call, the call will fail.
- nickName
- profileUrl
- title
- userType
- locale
- timezone
- password
- emails
- phoneNumbers
- ims
- photos
- addresses
- groups
- entitlements
- roles
- x509Certificates
- employeeNumber
- costCenter
- organization
- division
- department
- manager
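The supported and unsupported attribute lists above are easiest to apply as a pre-flight check before a payload leaves a custom provisioning script or IdP mapping. The following Python is an added example, not Secure Code Warrior's own code: it builds a SCIM User resource using the SCW extension schema from the Supported User Attributes table, flags any attribute from the Unsupported User Attributes list (which the page says makes the call fail), enforces the email-format rule for userName, and builds the PATCH body that disables a user for the non-destructive deprovisioning path. The role value "developer", the team name and the tags are constructed sample data; the page does not list the accepted role values.

```python
"""Build and pre-flight check SCIM 2.0 User requests for the Secure Code
Warrior SCIM API. Added example; not Secure Code Warrior's own code."""
import json
import re

SCW_EXT = "urn:ietf:params:scim:schemas:extension:scw:2.0:User"
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Top-level attributes the page lists as processed by the SCW SCIM API.
SUPPORTED_CORE = {"schemas", "userName", "name", "active", SCW_EXT}
SUPPORTED_NAME = {"givenName", "middleName", "familyName"}
SUPPORTED_EXT = {"role", "teamName", "tags"}
# Attributes the page says cause the call to fail if they are present.
UNSUPPORTED = {
    "nickName", "profileUrl", "title", "userType", "locale", "timezone",
    "password", "emails", "phoneNumbers", "ims", "photos", "addresses",
    "groups", "entitlements", "roles", "x509Certificates", "employeeNumber",
    "costCenter", "organization", "division", "department", "manager",
}
# Loose syntactic check only; the page requires userName to be a valid email.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_user(email, given, family, role, team, tags=(), middle=None, active=True):
    """Return a SCIM User resource mapped onto SCW's supported attributes."""
    name = {"givenName": given, "familyName": family}
    if middle:
        name["middleName"] = middle
    return {
        "schemas": [CORE_USER, SCW_EXT],
        "userName": email,  # SCW takes the email address from userName
        "name": name,
        "active": active,
        # role/teamName/tags live in the SCW extension, not in the core schema
        SCW_EXT: {"role": role, "teamName": team, "tags": list(tags)},
    }


def validate_user(resource):
    """Return a list of problems; an empty list means the resource is safe to send."""
    problems = []
    for attr in resource:
        if attr in UNSUPPORTED:
            problems.append(f"unsupported attribute '{attr}' (call would fail)")
        elif attr not in SUPPORTED_CORE:
            problems.append(f"attribute '{attr}' is not listed as supported; verify before sending")
    if not EMAIL_RE.match(str(resource.get("userName", ""))):
        problems.append("userName must be a valid email address")
    for sub in resource.get("name", {}):
        if sub not in SUPPORTED_NAME:
            problems.append(f"unsupported name sub-attribute '{sub}'")
    for sub in resource.get(SCW_EXT, {}):
        if sub not in SUPPORTED_EXT:
            problems.append(f"unknown SCW extension attribute '{sub}'")
    return problems


def build_deactivate_patch():
    """PATCH body that sets active=false (disable, rather than the irreversible delete)."""
    return {
        "schemas": [PATCH_OP],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }


if __name__ == "__main__":
    # Constructed sample user; "developer" is an assumed role name.
    user = build_user("ada@example.com", "Ada", "Lovelace", "developer", "Platform", ["backend"])
    print(json.dumps(user, indent=2))
    print("problems:", validate_user(user))
    # An IdP that also maps emails/password would trip the unsupported-attribute rule.
    bad = dict(user, password="hunter2", emails=[{"value": "ada@example.com"}])
    print("problems:", validate_user(bad))
    print(json.dumps(build_deactivate_patch()))
```

Run validate_user over every resource your mapping produces before enabling push in the IdP; a single unsupported attribute such as emails, which many IdPs map by default, is enough to fail the create call.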
Licensing
When your identity provider attempts to create a new user in Secure Code Warrior, two checks are performed:
- Does your organisation have enough licenses available in the team the user is being created in?
- Does your organisation have enough licenses available overall?
If either check fails, the SCIM API returns a provisioning error.
Note: The SCIM API returns a 403 Forbidden error with a message indicating which of the two conditions above was not met.
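To see how a provisioning run should react to the two licensing checks, here is an added example in Python, not Secure Code Warrior's own code, with a constructed stub standing in for the /v2/Users and /v2/Groups endpoints. The stub answers 403 with a SCIM Error body when the team or overall license cap is hit, and 501 Not Implemented for Groups, as the page documents; the wording of its detail messages and the order in which it checks the two caps are assumptions, since the page only documents the status code and that the message names the failed condition. The batch loop records each outcome and carries on rather than aborting on the first 403, so one full team does not block provisioning of everyone else.

```python
"""Simulated Secure Code Warrior SCIM provisioning run that handles the two
licensing checks. Added example with a constructed stub server; not SCW code."""
import json

SCW_EXT = "urn:ietf:params:scim:schemas:extension:scw:2.0:User"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


class StubScwServer:
    """Constructed stand-in for POST /v2/Users and POST /v2/Groups.
    Enforces a per-team cap and an overall cap (team checked first: an
    assumption) and returns a SCIM Error body on failure."""

    def __init__(self, team_caps, total_cap):
        self.team_caps = dict(team_caps)
        self.total_cap = total_cap
        self.users = []

    def post_user(self, resource):
        team = resource[SCW_EXT]["teamName"]
        in_team = sum(1 for u in self.users if u["team"] == team)
        if in_team >= self.team_caps.get(team, 0):
            return 403, self._error(403, f"No licenses available in team '{team}'")
        if len(self.users) >= self.total_cap:
            return 403, self._error(403, "No licenses available for the organisation")
        self.users.append({"userName": resource["userName"], "team": team})
        return 201, json.dumps({"id": str(len(self.users)), "userName": resource["userName"]})

    def post_group(self, _resource):
        # The page states every /v2/Groups request gets 501 Not Implemented.
        return 501, self._error(501, "Groups are not implemented")

    @staticmethod
    def _error(status, detail):
        return json.dumps({"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail})


def classify(status, body):
    """Turn a SCIM response into an outcome label an operator can act on."""
    if status == 201:
        return "created"
    detail = json.loads(body).get("detail", "") if body else ""
    if status == 403:
        return f"license-error: {detail}"
    if status == 501:
        return f"not-implemented: {detail}"
    return f"unexpected-{status}: {detail}"


def provision_batch(server, resources):
    """Push every user; a license failure is recorded, not fatal for the batch."""
    outcomes = {}
    for res in resources:
        status, body = server.post_user(res)
        outcomes[res["userName"]] = classify(status, body)
    return outcomes


def make_user(email, team):
    """Minimal SCIM User with the SCW extension; "developer" is an assumed role."""
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", SCW_EXT],
        "userName": email,
        "active": True,
        SCW_EXT: {"role": "developer", "teamName": team, "tags": []},
    }


if __name__ == "__main__":
    # Constructed caps: Platform has 1 seat, Mobile has 2, the company has 2 overall.
    srv = StubScwServer(team_caps={"Platform": 1, "Mobile": 2}, total_cap=2)
    batch = [
        make_user("a@example.com", "Platform"),
        make_user("b@example.com", "Platform"),  # hits the team cap
        make_user("c@example.com", "Mobile"),
        make_user("d@example.com", "Mobile"),    # hits the overall cap
    ]
    for user, outcome in provision_batch(srv, batch).items():
        print(user, "->", outcome)
    print(classify(*srv.post_group({"displayName": "Platform"})))
```

In a real run the 403 detail text is what tells you whether to buy seats or to move the user to a team with spare licenses, so log it verbatim rather than collapsing every 403 into a generic failure.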
Email Notifications
Users automatically created by your IdP via SCIM will receive an invitation email from Secure Code Warrior.
You can switch this email off as follows:
- Navigate to Administration, then Preferences
- Disable the 'SCIM Invitation email' configuration
SCIM Okta Configuration
To set up SCIM in Okta, follow the steps below.
SCIM Connection Set Up
- Create a custom Secure Code Warrior app in Okta.
- Go to Provisioning > Integration and select Edit.
- Enable the SCIM connector and enter the following information:
- SCIM connector base URL: the SCIM endpoint for the region your account is hosted in (see SCIM Endpoints above).
- Unique identifier field for users: userName.
- Authentication mode: HTTP Header. Paste the SCIM API key generated in the platform here (see the SCIM API Key section above). The key authorises every provisioning call against your company, so store it only in the IdP's credential field and rotate it if it is ever exposed.
- Under Supported provisioning actions, select Push New Users and Push Profile Updates.
SCIM Application Provisioning
- Go to Provisioning > To App.
- Select the provisioning actions you want enabled in the app:
- Create Users: creates users in the platform and links them to the Okta user.
- Update User Attributes: Okta updates the user's attributes in the platform when the app is assigned to the user.
- Deactivate Users: users are deactivated when they are unassigned from the app.
- Sync Password: Okta generates a password for each assigned user and pushes it to the platform. Secure Code Warrior ignores the password attribute (see Password Change under Unsupported Features), so leave this action disabled.
- Group push is not supported by the SCW SCIM API (see Groups under Unsupported Features); use groups only to decide which users are assigned to the app.
Okta Attribute Assignment
FAQs
How can I check whether automated provisioning is working?
We recommend that you use the operational health metrics that your IdP provides. For example, in Microsoft Entra ID you can view a summary of the latest provisioning cycle that has run along with provisioning logs to troubleshoot issues.