This article explains what to consider when you change the user provisioning method from SCIM to LDAP or from LDAP to SCIM.
Cato leverages your existing Identity Provider (IdP), which is a centralized service for managing user identities, and supports the ability to easily provision and synchronize users to your account. The IdP is integrated with your Cato account and automatically imports and updates users. This ensures that you have a single source of truth for user identity, and gives you consistent user identity across your environment.
Cato supports the following methods to import and create users:
- Import users from an IdP via SCIM
- Import users from an IdP via LDAP
- Manually create users in the Cato Management Application
For more information on how to configure each method, see Directory Services.
User Awareness is supported from Windows Client v5.4 and higher and macOS Client v5.3 and higher. For more information, see Using Cato Identity Agents for User Awareness.
Provisioning users with SCIM has these benefits:
- Users are synchronized immediately from the IdP to your Cato account
- Updates or changes to group membership or user profiles are reflected in near real time
- The IdP is integrated with your Cato account without configuring any inbound firewall rules
- SCIM is widely supported by IdP vendors, and is easy to integrate with your account
Before you change how your users are provisioned, it is important that you understand the impact on users and User groups.
These are the rules that are applied to users and User groups when you change from LDAP to SCIM provisioning:
- SCIM provisioned users override LDAP provisioned users and manually created users
  - Users are identified as a match based on their UPN or email
- SCIM provisioned User groups override LDAP provisioned User groups
  - User groups are identified as a match based on their name
  - Users are removed from all LDAP provisioned User groups and are assigned to the SCIM provisioned User groups
    - This applies to both SDP User groups and User Awareness User groups
    - For example:
      - 100 users are in a User group called R&D that was provisioned with LDAP
      - 10 users are in a User group called R&D that was provisioned with SCIM
      - After the change, the R&D User group in the Cato Management Application contains only the 10 users provisioned with SCIM
The same rules apply when you change from LDAP provisioning with on-premises AD to SCIM provisioning with Azure AD: the SCIM provisioned users and User groups override the LDAP provisioned ones, as outlined above.
Users provisioned with SCIM must have an SDP license to be identified by User Awareness. To identify users that do not have an SDP license, provision them with LDAP. An LDAP provisioned user must authenticate once before they can be identified.
These are the rules that are applied to users and User groups when you change from SCIM to LDAP provisioning:
- LDAP provisioned users do not override SCIM provisioned users
  - Before changing, remove all SCIM provisioned users from the IdP. This disables the users in the Cato Management Application
- LDAP provisioned User groups do not override SCIM provisioned User groups
  - Before changing, remove all SCIM provisioned User groups from the IdP
- Before changing, remove the SCIM provisioned users and User groups from policies, and delete them from the Cato Management Application
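The override rules for changing from LDAP to SCIM, and the pre-change checks for changing from SCIM to LDAP, can be modelled so that you can measure the impact on a directory export before you make the change. The following script is an added example and is not Cato code: the User and Group records, the field names (upn, email, provisioned_by), the policy representation and the sample users are constructed for illustration, and it assumes that the UPN/email match is case-insensitive.

```python
"""
Impact model for changing user provisioning between LDAP and SCIM.

Added example, not Cato code. It encodes the override rules described in the
article so that two directory exports can be compared before the provisioning
method is changed. Field names (upn, email, provisioned_by), the policy
representation and the sample users are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class User:
    upn: str
    email: str
    provisioned_by: str            # "scim", "ldap" or "manual"


@dataclass
class Group:
    name: str
    provisioned_by: str            # "scim" or "ldap"
    members: Set[str] = field(default_factory=set)   # member UPNs


def same_identity(a: User, b: User) -> bool:
    """Users match on UPN or email; case-insensitive comparison is an assumption."""
    return a.upn.lower() == b.upn.lower() or a.email.lower() == b.email.lower()


def switch_ldap_to_scim(users: List[User], groups: List[Group],
                        scim_users: List[User], scim_groups: List[Group]
                        ) -> Tuple[List[User], Dict[str, Group], Dict[str, List[str]]]:
    """LDAP -> SCIM: a SCIM user replaces any matching LDAP or manual user, and a
    SCIM group replaces the same-named LDAP group, keeping only the SCIM
    membership. Returns the resulting users, the groups by name, and a report of
    which UPNs drop out of each overridden group."""
    merged = list(users)
    for su in scim_users:
        merged = [u for u in merged
                  if u.provisioned_by == "scim" or not same_identity(u, su)]
        merged.append(su)
    new_groups = {g.name: g for g in groups}
    dropped: Dict[str, List[str]] = {}
    for sg in scim_groups:
        old = new_groups.get(sg.name)
        if old is not None and old.provisioned_by == "ldap":
            dropped[sg.name] = sorted(old.members - sg.members)
        new_groups[sg.name] = sg
    return merged, new_groups, dropped


def scim_to_ldap_blockers(users: List[User], groups: List[Group],
                          policy_refs: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """SCIM -> LDAP: LDAP objects do not override SCIM ones, so every SCIM user or
    group still in the account blocks the change. Returns the SCIM users, SCIM
    groups, and the policies that still reference either. policy_refs maps a
    policy name to the user UPNs / group names it uses (assumed representation)."""
    scim_users = sorted(u.upn for u in users if u.provisioned_by == "scim")
    scim_groups = sorted(g.name for g in groups if g.provisioned_by == "scim")
    referenced = set(scim_users) | set(scim_groups)
    policies = sorted(name for name, refs in policy_refs.items()
                      if referenced.intersection(refs))
    return {"users": scim_users, "groups": scim_groups, "policies": policies}


def rnd_example():
    """The article's R&D scenario with constructed users: 100 LDAP members of
    R&D, of whom 10 are also in the SCIM provisioned R&D group."""
    ldap_users = [User(f"user{i}@example.com", f"user{i}@example.com", "ldap")
                  for i in range(100)]
    ldap_rnd = Group("R&D", "ldap", {u.upn for u in ldap_users})
    scim_users = [User(f"user{i}@example.com", f"user{i}@example.com", "scim")
                  for i in range(10)]
    scim_rnd = Group("R&D", "scim", {u.upn for u in scim_users})
    return switch_ldap_to_scim(ldap_users, [ldap_rnd], scim_users, [scim_rnd])


if __name__ == "__main__":
    users, groups, dropped = rnd_example()
    print(f"R&D now has {len(groups['R&D'].members)} members; "
          f"{len(dropped['R&D'])} LDAP users lost membership")
    blockers = scim_to_ldap_blockers(users, list(groups.values()),
                                     {"Allow R&D": ["R&D"]})
    print("Remove before switching back to LDAP:", blockers)
```

Run it against exports of your LDAP and SCIM directories: the `dropped` report lists the users who will lose membership of each overridden User group when you move to SCIM, and `scim_to_ldap_blockers` lists the SCIM users, User groups and policies you still need to remove from the IdP and the Cato Management Application before you move back to LDAP.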
2 comments
What is meant by "a [sic] Azure Hybrid AD Join" in this article? Only devices can be Hybrid Azure AD joined, is that what this is referring to? Or is the discussion about hybrid user identities (synced from AD to Azure AD)?
Hi JM,
I have updated the article to make this scenario clearer. Let us know if you have any further questions.