Cato Networks Knowledge Base

Search

Changing Between SCIM and LDAP User Provisioning

This article explains the considerations of changing provisioning methods from SCIM to LDAP or vice versa.

Overview

Cato leverages your existing Identity Provider (IdP), which is a centralized service for managing user identities, and supports the ability to easily provision and synchronize users to your account. The IdP is integrated with your Cato account and automatically imports and updates users. This ensures that you have a single source of truth for user identity, and gives you consistent user identity across your environment.

Cato supports the following methods to import and create users:

  • Import users from an IdP via SCIM

  • Import users from an IdP via LDAP

  • Manually create usersĀ in the Cato Management Application

For more information on how to configure each method, see Directory Services.

Benefits of SCIM Import

  • User Awareness is supported from Windows Client v5.4 and higher and macOS Client v5.3 and higher. For more information, see Using Cato Identity Agents for User Awareness

  • Immediately synchronize users from the IdP to your Cato account.

  • Updates or changes to group membership or user profiles are updated in near real time

  • Integrate the IdP to your Cato account without configuring any in-bound firewall rules

  • SCIM is widely supported by IdP vendors, and is easy to integrate with your account

Changing How Users are Provisioned

Before you change how your users are provisioned, it is important you understand the impact on users and User groups.

Changing from LDAP to SCIM Provisioning

These are the rules that are applied to users and User groups when you change from LDAP to SCIM provisioning:

  • SCIM provisioned users override LDAP provisioned users and manually created users

    • Users are identified as a match based on their UPN or email

  • SCIM provisioned User groups override LDAP provisioned User groups

    • User groups are identified as a match based on their name

    • Users are removed from all LDAP provisioned User groups and are assigned to SCIM provisioned User groups

    • Applies to both SDP User groups and User awareness User groups

    • For example:

      • 100 users are in a User group called R&D that was provisioned with LDAP

      • 10 users are in a User group called R&D that was provisioned with SCIM

      • In the Cato Management Application, the R&D user group only contains the 10 users provisioned with SCIM


Changing from LDAP to SCIM Azure Provisioning with a Azure Hybrid AD Join

The rules that are applied to users and User groups when you change from LDAP to SCIM with a Hybrid AD join are the same as changing from LDAP to SCIM provisioning, outlined above.

In Hybrid environments, users provisioned with SCIM must have a SDP license to be identified by User Awareness. Users without a SDP license are recommended to be provisioned with LDAP.


Changing from SCIM to LDAP Provisioning

These are the rules that are applied to users and User groups with you change from SCIM to LDAP provisioning:

  • LDAP provisioned users do not override SCIM provisioned users

    • Before changing, remove all SCIM provisioned users from the IdP. This disables the user in the Cato Management Application

  • LDAP provisioned User groups do not override SCIM provisioned User groups

    • Before changing, remove all SCIM provisioned User groups from the IdP

  • Before changing, remove SCIM provisioned users and User groups from policies and delete from the Cato Management Application

Was this article helpful?

2 out of 2 found this helpful

Comments

0 comments

Please sign in to leave a comment.