# SCIM Support

The SCIM (System for Cross-domain Identity Management) protocol allows the exchange of user identity and group information between the identity provider (e.g., Entra ID, Okta) and the service provider (e.g., Cloudbrink, Salesforce). This automation streamlines the management of user accounts across different applications by ensuring secure, standardized data exchange.

Cloudbrink supports the SCIM protocol so that user identity and group association information can be synchronized between the identity provider and the Cloudbrink service. By using the SCIM capability, Admins can ensure that any change in the user account information on the identity provider is immediately reflected on the Cloudbrink service.

With this process, the access control and other security policies defined at the Device-User-Groups level on Cloudbrink are applied according to the user's new account information at the next login.

It also lets Admins select the Device-User-Groups to which policies are applied from a simple drop-down on the Cloudbrink administrator console.

#### SCIM Configuration

1\) SCIM capability is available at the SAML-IDP authentication policy level. The Admin must enable it by selecting the “SCIM Provisioning” option.

<br>

<figure><img src="/files/zbjqVCiAP1EZ5ne8W0MF" alt=""><figcaption></figcaption></figure>

<br>

2\) After enabling SCIM Provisioning, the Admin should click “Generate Bearer Token” to create a new SCIM token for this IDP.

<br>

<figure><img src="/files/xXc1VZOtylFV0pQxFWoT" alt=""><figcaption></figcaption></figure>

3\) Once the bearer token is generated, the Admin can copy the “SCIM Base URL” and the “Bearer Token”. These values must be configured on the IDP side for SCIM synchronization to succeed.

<br>

<figure><img src="/files/jVfV6kgJXMoNEB4KdZf8" alt=""><figcaption></figcaption></figure>

#### IDP Configuration

The SCIM base URL and Bearer token must also be configured on the IDP side so that the IDP can send the user identity and group association information to the Cloudbrink service.

NOTE: On Okta, SCIM must be enabled and the groups to be pushed must be selected first; then assign the groups to the Okta app so that they are reflected on Cloudbrink.

For Okta IDP, the steps below configure the SCIM base URL and Bearer token.

a) On the Okta dashboard, go to the Applications main page

<br>

<figure><img src="/files/5bOZIg6v4nGWmI5KVEsK" alt=""><figcaption></figcaption></figure>

b) Go to the specific Application → General settings for which SCIM provisioning must be enabled

<br>

<figure><img src="/files/aAvaWPRB3EReRn9M08r1" alt=""><figcaption></figcaption></figure>

<br>

c) Click Edit, enable the SCIM provisioning option, and Save

<br>

<figure><img src="/files/TLwoTH01L12chW3E8uXG" alt=""><figcaption></figcaption></figure>

d) Go to Provisioning tab → Integration and select the appropriate provisioning actions as shown in the picture below

<br>

<figure><img src="/files/ao9Xp37k3MN4LZjODuFq" alt=""><figcaption></figcaption></figure>

e) Next, select HTTP Header as the Authentication Mode, and configure the SCIM base URL, unique identifier for users, and Authorization bearer token as below.

<br>

SCIM connector base URL → Copy the Base URL link from the SAML authentication policy defined on the Cloudbrink admin portal that is pointing to this Okta application

Unique identifier field for users → “userName”

Authorization → Copy the Bearer token from the SAML authentication policy defined on the Cloudbrink admin portal that is pointing to this Okta application

<figure><img src="/files/MZhbR0X5dRCQpgP0x1ES" alt=""><figcaption></figcaption></figure>

f) Next, test the configuration by clicking the “Test Connector Configuration” button. If the connection is successful, Save the configuration.

<br>

<figure><img src="/files/BHpz00O3qmvaLEJc5etx" alt=""><figcaption></figcaption></figure>

Sample test connector configuration output

<figure><img src="/files/whSoFQKBQ9hkBDvp9Nj4" alt=""><figcaption></figcaption></figure>

g) Go to the Push Groups tab and search for groups by name

<br>

<figure><img src="/files/uqmk0n1KeO12lWKZFUxg" alt=""><figcaption></figcaption></figure>

<br>

h) Search for groups by name, add them one group at a time to the “Push Groups” section, and Save

<br>

<figure><img src="/files/t1mQsvMzjxo5pbDKD1VX" alt=""><figcaption></figcaption></figure>

i) After adding the groups, go to the “Push Status” column and select the “Push now” option from the drop-down menu

<br>

<figure><img src="/files/lLtsFIIxBmL6WWEuERpE" alt=""><figcaption></figcaption></figure>

#### Cloudbrink Admin Portal

On the Cloudbrink admin portal, navigate to Configure → Collections → User Collections tab and ensure that the pushed Okta group(s) are displayed on the admin portal.

<figure><img src="/files/ic3ejOrZczmHyL6vAr2L" alt=""><figcaption></figcaption></figure>

Click the User Collection name to see the individual Okta users that have also been synced

<figure><img src="/files/Ba1dR37RqRZQVgCwwP4q" alt=""><figcaption></figcaption></figure>
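
A manual check comparable to steps e) and f), as an added example (not Cloudbrink or Okta code): it builds the standard RFC 7644 user lookup with the bearer token in the Authorization header and reads a SCIM list response. The base URL, token and sample response are placeholders constructed for illustration, and it is an assumption that the Cloudbrink endpoint answers this standard query.

```python
import json
import urllib.parse
import urllib.request

LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

def build_user_lookup(base_url, bearer_token, user_name):
    """Build the RFC 7644 request GET <base>/Users?filter=userName eq "..."."""
    parts = urllib.parse.urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        # A bearer token sent over plain HTTP is readable by anyone on the path.
        raise ValueError("SCIM base URL must be an https:// URL")
    if not bearer_token or bearer_token != bearer_token.strip():
        # Copy-paste from a console often drags along a space or newline.
        raise ValueError("bearer token is empty or has stray whitespace")
    # SCIM filter string values use JSON string syntax, so json.dumps
    # quotes and escapes the user name safely.
    query = urllib.parse.urlencode({"filter": "userName eq " + json.dumps(user_name)})
    url = base_url.rstrip("/") + "/Users?" + query
    return urllib.request.Request(url, method="GET", headers={
        "Authorization": "Bearer " + bearer_token,
        "Accept": "application/scim+json",
    })

def matching_users(response_body):
    """Return (userName, active) pairs from a SCIM ListResponse body."""
    doc = json.loads(response_body)
    if LIST_SCHEMA not in doc.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    return [(r.get("userName"), r.get("active")) for r in doc.get("Resources", [])]

# Constructed sample response (not captured from any real service).
SAMPLE_RESPONSE = json.dumps({
    "schemas": [LIST_SCHEMA],
    "totalResults": 1,
    "Resources": [{"id": "example-id-1", "userName": "alice@example.com", "active": True}],
})

if __name__ == "__main__":
    # Placeholder URL and token; substitute the values copied from the admin console.
    req = build_user_lookup("https://scim.example.invalid/scim/v2",
                            "EXAMPLE-TOKEN", "alice@example.com")
    print(req.get_method(), req.full_url)
    print(matching_users(SAMPLE_RESPONSE))
    # To send it for real: urllib.request.urlopen(req, timeout=10).read()
```

Load the real token from a secrets store or environment variable rather than writing it into the script, since it grants provisioning access for the IDP.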

