Provisioning Users with SCIM

This article discusses provisioning users to your Cato account with the SCIM protocol.

Overview

SCIM defines a standard for exchanging identity information across different cloud app vendors. For example, with SCIM you can easily create, update, or remove user data at scale in your Cato account.

User information is securely synced from your IdP to Cato to create users. Any changes to user details that are made in the IdP are reflected in Cato in near real time. For example, if an employee leaves a company, their account is removed from the company IdP. This change is synced with Cato and the user is deleted.

The Directory Name column shows which users were imported and which users were created manually: imported users appear with the name of the SCIM directory, and manually created users appear as Manual. You can also filter by a directory name, or filter to see all of the manually added users in your system.

Once a user is provisioned with SCIM they can be assigned a license and be included in policies.

Advantages of Provisioning users with SCIM

Provisioning users with SCIM has these advantages:

  • Immediately synchronize users from the IdP to your Cato account.

  • Changes to group membership or user profiles are applied in near real time.

  • Integrate the IdP with your Cato account without configuring any inbound firewall rules.

  • SCIM is widely supported by IdP vendors, and is easy to integrate with your account.

Provisioning Users Process Flow

This process explains how users are provisioned from your IdP, and then assigned licenses and added to policies, so they can securely connect to the network.

  1. In your IdP, define the users and/or groups to be provisioned to Cato.

  2. Configure automatic user sync with Cato.

  3. Assign licenses to the required users.

  4. Apply policies to users.

Provisioning Users with SCIM

These are the IdPs that are supported for provisioning users with SCIM:

  • Azure

  • Okta

  • One Login

For more information on how to configure SCIM provisioning for each IdP, see Provisioning Users with SCIM.

Removing Users or Groups from the SCIM App

Important: Do not delete Users or Groups that are provisioned with the SCIM app directly from the Cato Management Application. You must first unassign them in the SCIM app.

When you want to remove users or groups that are provisioned to your Cato account with the SCIM app, unassign them in the app. The users and groups are automatically disabled the next time the SCIM app syncs with your account.

If you are removing or changing SCIM providers, ensure you remove all imported users or groups from the SCIM app before deleting your SCIM provider configuration from the Cato Management Application (CMA). After the SCIM app syncs, these entities are removed from the CMA.

When you disable or remove SCIM provisioned users with a ZTNA (SDP) license, the ZTNA license is unassigned and available for other users.
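
A reconciliation check that follows from the Directory Name column and the unassign-then-sync removal flow described above, as an added example that is not Cato's code: it compares the users assigned in the IdP with a listing of Cato users and flags accounts that are still enabled after being unassigned, accounts created manually, and accounts imported from a directory other than the current SCIM provider. The record layout, the status values and the directory name `Okta-SCIM` are assumptions made for this example.

```python
# Added example. The record layout (email / directory / status) and the
# directory name "Okta-SCIM" are assumptions, not a Cato export format.
MANUAL = "Manual"  # Directory Name the page gives for manually created users


def audit_directory(idp_assigned, cato_users, scim_directory):
    """Compare IdP assignments with the Cato user list; return findings."""
    assigned = {email.lower() for email in idp_assigned}
    active_scim = set()
    findings = {"stale_scim": [], "manual": [], "other_directory": []}
    for user in cato_users:
        email = user["email"].lower()
        if user["status"].lower() != "enabled":
            continue  # only enabled accounts are of interest here
        if user["directory"] == MANUAL:
            # Created by hand, so not managed by the IdP sync.
            findings["manual"].append(email)
        elif user["directory"] == scim_directory:
            active_scim.add(email)
            if email not in assigned:
                # Unassigned in the IdP but still enabled: sync pending or failing.
                findings["stale_scim"].append(email)
        else:
            # Imported from a directory other than the current SCIM provider.
            findings["other_directory"].append(email)
    for emails in findings.values():
        emails.sort()
    # Assigned in the IdP but no enabled SCIM account on the Cato side.
    findings["not_active"] = sorted(assigned - active_scim)
    return findings


# Constructed sample data for illustration.
SAMPLE_IDP = ["alice@example.com", "bob@example.com", "dana@example.com"]
SAMPLE_CATO = [
    {"email": "alice@example.com", "directory": "Okta-SCIM", "status": "Enabled"},
    {"email": "bob@example.com", "directory": "Okta-SCIM", "status": "Disabled"},
    {"email": "carol@example.com", "directory": "Okta-SCIM", "status": "Enabled"},
    {"email": "erin@example.com", "directory": "Manual", "status": "Enabled"},
    {"email": "frank@example.com", "directory": "Old-SCIM", "status": "Enabled"},
]

if __name__ == "__main__":
    report = audit_directory(SAMPLE_IDP, SAMPLE_CATO, "Okta-SCIM")
    for category, emails in report.items():
        print(f"{category}: {', '.join(emails) or '-'}")
```

Entries under `stale_scim` that persist after a sync cycle, and any entries under `other_directory` after a provider change, are the ones to investigate first.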
