User directory: SCIM

You can synchronize your users and groups using a SCIM (System for Cross-domain Identity Management) user directory. Haiilo acts as a SCIM Service Provider.

To set up a user directory, you need the "Manage user directories" permission in Haiilo and sufficient permissions in your Identity Provider (IdP) to configure SCIM on both ends.

Basics of SCIM on Haiilo

With SCIM, you can: 

  • Create users: Create new user accounts in Haiilo with the required information. The attribute userName is the minimum requirement.
  • Update users: Keep profile information in sync (name, email, department, etc.). Haiilo supports profile fields with the prefix profileField_ (for example, profileField_department).
  • Deactivate or delete users: Remove access when someone leaves the company. What happens when a user is deprovisioned depends on the deprovision policy you define.
  • Create groups: Create groups (for example, teams, departments, or project groups).
  • Manage group membership: Add or remove users from groups based on changes in your IdP.
  • Sync group information: Keep group names and descriptions up to date.

SCIM support can vary depending on your IdP's SCIM implementation and Haiilo's current capabilities.

Connection details

The SCIM connection details for Haiilo are as follows:

  • SCIM Base URL or Tenant URL: https://<your_haiilo_domain>/api/scim/v2
  • SCIM Version: 2.0
  • Authentication Method: OAuth 2 Client Credentials
  • (OAuth) Token Request: https://<your_haiilo_domain>/api/oauth/token
  • (OAuth) Client ID: The Client ID you copied from your SCIM user directory setup in Haiilo.
  • (OAuth) Client Secret: The Client Secret you copied from your SCIM user directory setup in Haiilo.
  • Auth Type Header: Bearer
  • Users Resource: /Users
  • Groups Resource: /Groups
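
A read-only check of these connection details, as an added example (not Haiilo's own code): it builds the token request and a SCIM /Users query with the Python standard library. Assumptions: the client credentials are sent with HTTP Basic authentication, the server honors the standard startIndex/count paging parameters and returns totalResults, and the environment variable names are made up for this example.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

TOKEN_PATH = "/api/oauth/token"  # from the connection details
SCIM_PATH = "/api/scim/v2"       # from the connection details


def token_request(domain, client_id, client_secret):
    """OAuth 2 client-credentials request (assumes HTTP Basic client auth)."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        f"https://{domain}{TOKEN_PATH}",
        data=urllib.parse.urlencode({"grant_type": "client_credentials"}).encode(),
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"},
        method="POST")


def parse_token(body):
    """Return the access token; reject anything that is not a Bearer token."""
    doc = json.loads(body)
    if str(doc.get("token_type")).lower() != "bearer" or not doc.get("access_token"):
        raise ValueError("token endpoint did not return a Bearer access token")
    return doc["access_token"]


def list_users_request(domain, token, count=1):
    """Read-only SCIM request for the first `count` users (RFC 7644 paging)."""
    query = urllib.parse.urlencode({"startIndex": 1, "count": count})
    return urllib.request.Request(
        f"https://{domain}{SCIM_PATH}/Users?{query}",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/scim+json"})


def check_connection(domain, client_id, client_secret):
    """Fetch a token, then return totalResults from /Users (needs network)."""
    with urllib.request.urlopen(token_request(domain, client_id, client_secret), timeout=10) as r:
        token = parse_token(r.read())
    with urllib.request.urlopen(list_users_request(domain, token), timeout=10) as r:
        return json.loads(r.read())["totalResults"]


if __name__ == "__main__":
    env = os.environ  # hypothetical variable names; keeps the secret off the command line
    print(check_connection(env["HAIILO_DOMAIN"], env["SCIM_CLIENT_ID"], env["SCIM_CLIENT_SECRET"]))
```

Running the check before configuring the IdP confirms that the Client ID and Client Secret are valid and that the token is accepted on the Users resource, without creating or changing any account.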

Set up SCIM between Haiilo and your IdP

To configure SCIM, you must complete steps on both Haiilo and your IdP.


IdP SCIM setup

We offer IdP-specific guides for the following systems:

If your organization uses a different identity provider, please contact our Support team. We'd be happy to assist you with setting up SCIM on other providers.


Haiilo SCIM setup

When you create or edit a SCIM directory on Haiilo, these are the available configuration settings:

API Clients

You can create an API client pair (Client ID and Client Secret) to use in your IdP's SCIM configuration.

Users

You can control how synced users behave if they are also managed manually or through other directories in Haiilo.

  • Remove local groups: Check if you want to remove the synced users from any local groups they've been manually added to.
  • Remove other directory groups: Check if you want to remove the synced users from any other user directory groups they've been manually added to.

Synchronization

You can define what happens during sync runs:

  • Activation: If checked, new and restored users are activated during synchronization. Otherwise, you have to manually set the users' status to Active in the user management.
  • Restore users: If checked, a user who has been deactivated or deleted from Haiilo but is present again in the user directory during the sync will be reactivated. It's not possible to restore anonymized users. A previously anonymized user can only be created as a new user.
  • Set deprovision policy: Choose what happens to users who are currently active on Haiilo but no longer exist in the user directory.
    • Deactivate: SCIM delete requests set the user status to Inactive. 
    • Delete: SCIM delete requests soft-delete the user and set the status to Delete. 

 
