You can now automatically create, update, and remove users in Secure Code Warrior directly from your identity provider (IdP) using SCIM. SCIM is an open standard for automating user provisioning supported by many identity providers. By enabling this integration with Secure Code Warrior, you can eliminate much of the effort involved in managing users manually within Secure Code Warrior.
In this article we will cover what features & capabilities are currently supported in Secure Code Warrior for SCIM provisioning:
- Steps Summary & SCIM endpoints
- SCIM API Key
- Provisioning Users
- Updating Users
- Deprovisioning Users
- Supported User Attributes
- Unsupported Features
- Unsupported User Attributes
- Licensing
- Email Notifications
- FAQs
- Tutorial Video: Azure Entra ID
Steps Summary
# | Step | System | Access Required |
1 | Add Secure Code Warrior to your identity provider | Identity Provider (e.g. OKTA) | Administrator |
2 | Create SCIM API Key | Secure Code Warrior | Company Administrator |
3 | Enable user provisioning in the Secure Code Warrior application | Identity Provider (e.g. OKTA) | Administrator |
SCIM Endpoints
Below is the list of tenant URLs or SCIM connectors, depending on the terminology used by your identity provider:
- Production (US): https://scim.prod-us.prod.securecodewarrior.com/v2/
- Production (EU): https://scim.prod-eu.prod.securecodewarrior.com/v2/
- Test: https://scim.customertest.prod.securecodewarrior.com/v2/
SCIM API Key
To generate a SCIM API Key, please follow the steps below:
Step 1
Navigate to Administration from the top menu
Step 2
From the More drop-down menu, click Edit Company.
Step 3
Scroll to the SCIM API section, enter a label for the API key, and click the Generate Key button.
Provisioning Users
You can leverage SCIM to create users and assign them to the appropriate team, role, and tags.
For more details, check the supported attributes section.
Note: SSO Strict Mode & SCIM
If you are using SSO Strict Mode together with SCIM, please ensure your configuration is consistent across both to avoid conflicting user information. Both features can make updates to user information automatically. SSO can update user information at the time of login. SCIM updates user information on a schedule or on-demand.
Updating Users
The following user details can be updated via SCIM:
- First Name
- Last Name
- Role
- Team
- Tags
Changes to key attributes, such as email addresses, do NOT result in duplicate users.
Deprovisioning Users
SCIM will either disable or delete users from Secure Code Warrior depending on how you configure your identity provider. In most cases, users will simply be disabled. However, some identity providers support completely deleting users from Secure Code Warrior when they are deprovisioned.
Note: Deleting users from the platform will hard delete all of the user's information. This action is irreversible.
Supported User Attributes
The following standard User schema attributes are supported and processed by the SCW SCIM API.
SCW Attribute | Description | SCIM Schema Name | Notes |
Email | User's email address. | userName | MUST be formatted as a valid email address. |
First Name | User's first name. | name.givenName | |
Middle Name | User's middle name. | name.middleName | |
Last Name | User's last name. | name.familyName | |
Status | User's status in Secure Code Warrior. | active | When the active attribute is updated from false to true for an existing user, the user's SCW status reverts to the status the user had before being disabled. |
Role | User's role in Secure Code Warrior. | urn:ietf:params:scim:schemas:extension:scw:2.0:User:role | |
Team Name | User's team in Secure Code Warrior. | urn:ietf:params:scim:schemas:extension:scw:2.0:User:teamName | |
Tags | User's tags in Secure Code Warrior. | urn:ietf:params:scim:schemas:extension:scw:2.0:User:tags | |
Unsupported Features
Groups
- Synchronising groups from your IdP into Secure Code Warrior is currently not supported. Please note, you can still use groups to determine which users are synchronised into Secure Code Warrior. You just can't synchronise the groups themselves as Teams into Secure Code Warrior.
- We recommend that you disable Group sync in your identity provider if possible.
- Any requests made to the SCIM API’s /v2/Groups endpoints will return a 501 Not Implemented error.
Password Change
- We do not currently support this operation. Any passwords sent in the password attribute for a user will be ignored.
Unsupported User Attributes
The following attributes are not supported by the SCW SCIM API. If you attempt to include an unsupported attribute in an API call, the call will fail.
- nickName
- profileUrl
- title
- userType
- locale
- timezone
- password
- emails
- phoneNumbers
- ims
- photos
- addresses
- groups
- entitlements
- roles
- x509Certificates
- employeeNumber
- costCenter
- organization
- division
- department
- manager
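Because a single unsupported attribute fails the whole call, it helps to check the IdP's attribute mapping before enabling provisioning. The following is an added example, not Secure Code Warrior's code: it builds a SCIM User resource from the supported attributes only and flags unsupported ones in a payload. It assumes the extension attributes nest under the extension URN as RFC 7643 prescribes and that tags is a list of strings; the function names and sample values are constructed.

```python
# Core and enterprise URNs are from RFC 7643; the SCW extension URN is the
# prefix of the schema names listed in the supported attributes table.
CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
SCW_EXT = "urn:ietf:params:scim:schemas:extension:scw:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Attributes this page lists as unsupported; sending any of them fails the call.
UNSUPPORTED = {
    "nickName", "profileUrl", "title", "userType", "locale", "timezone",
    "password", "emails", "phoneNumbers", "ims", "photos", "addresses",
    "groups", "entitlements", "roles", "x509Certificates", "employeeNumber",
    "costCenter", "organization", "division", "department", "manager",
}


def find_unsupported(resource):
    """Return sorted unsupported attribute names found at the top level
    or inside any schema-extension object (keys starting with 'urn:')."""
    hits = {k for k in resource if k in UNSUPPORTED}
    for key, value in resource.items():
        if key.startswith("urn:") and isinstance(value, dict):
            hits |= {k for k in value if k in UNSUPPORTED}
    return sorted(hits)


def build_user(email, given, family, role, team, tags=(), active=True):
    """Build a SCIM User resource using only the supported attributes."""
    # Minimal shape check only; userName must be a valid email address.
    if email.count("@") != 1 or email.startswith("@") or email.endswith("@"):
        raise ValueError("userName must be formatted as an email address")
    return {
        "schemas": [CORE, SCW_EXT],
        "userName": email,
        "name": {"givenName": given, "familyName": family},
        "active": active,
        # Assumption: extension attributes nest under the extension URN.
        SCW_EXT: {"role": role, "teamName": team, "tags": list(tags)},
    }


# Constructed sample values; "<role>" is a placeholder, not a documented
# SCW role value. idp_default mimics an IdP's out-of-the-box mapping.
user = build_user("dev@example.com", "Dana", "Lee", "<role>", "Platform", ["backend"])
idp_default = {**user, "title": "Engineer", "emails": [{"value": "dev@example.com"}],
               ENTERPRISE: {"department": "R&D"}}

if __name__ == "__main__":
    print("unsupported in IdP default mapping:", find_unsupported(idp_default))
```

Any attribute the check reports should be removed from the IdP's attribute mapping for the Secure Code Warrior application.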
Licensing
When your identity provider attempts to create new users in Secure Code Warrior the following two checks are performed:
- Does your organisation have enough licenses available in the team the user is being created in?
- Does your organisation have enough licenses available overall?
If either of these checks fails, provisioning errors will be returned by our SCIM API.
Note: The SCIM API will return a 403 Forbidden error with a message indicating which of the 2 conditions above were not met.
Email Notifications
Users automatically created by your IdP via SCIM will receive an invitation email from Secure Code Warrior.
You can switch off this email by following the steps below:
- Navigate to Administration then Preferences
- Disable the "SCIM Invitation email" configuration
FAQs
How can I check whether automated provisioning is working?
We recommend that you use the operational health metrics that your IdP provides. For example, in Microsoft Entra ID you can view a summary of the latest provisioning cycle that has run along with provisioning logs to troubleshoot issues.