SCIM Provisioning

Learn how to configure System for Cross-Domain Identity Management (SCIM) for seamless user state synchronization.

Introduction

System for Cross-domain Identity Management (SCIM) is a standard protocol designed to automate the synchronization of user states across multiple systems. SCIM facilitates the transfer of user information from a source system, such as an external identity provider (IdP), to a target system, such as SAP LeanIX.

In SAP LeanIX, SCIM works together with single sign-on (SSO). SCIM is used to automate the process of user provisioning and deprovisioning across multiple systems, while SSO is used for authentication and authorization. During the sign-in process, SSO checks if a user has the right to access the system (known as authentication) and determines the user's permissions within the system (known as authorization). For more information, see Single Sign-On (SSO).

SCIM is used for the following purposes:

  • User provisioning: Provisioning means creating a user account. If a user exists in the source system, such as an external IdP, but not in the target system (SAP LeanIX), then a corresponding user object is created in the target system.
  • User deprovisioning: Deprovisioning means archiving a user account. If a user exists in the target system but not in the source system, then the user object in the target system gets deprovisioned.
  • User updating: If the user data in the source system differs from the data in the target system, then this data is transferred to the target system.

📘

Note

You can choose a SCIM provider that is not the same as your SSO provider.

Synchronized Attributes

During periodic synchronizations, the following user details are updated:

  • First name
  • Last name
  • Email address
  • Username
  • Role, custom roles, and Access Control Entities (ACEs), if applicable
  • Department, if applicable

Configuring SCIM

Before proceeding, note the following:

  • Synchronization of user states only works for the workspaces for which you've configured SCIM.
  • If you've enabled the Invite Only flow with SSO for your workspace, user permissions are not created with SCIM.

To configure SCIM between your IdP and SAP LeanIX, follow these steps:

  1. In SAP LeanIX, create a Technical User with the Admin permission role. Save the API token that appears. For instructions, see Create a Technical User.
  2. Request the ACCOUNTADMIN or SUPERADMIN role for the Technical User by submitting a ticket to SAP LeanIX Support. If you're an SAP customer, submit a request from the SAP for Me portal. In the request, provide the name of the Technical User.
  3. Obtain an access token required for the SCIM integration:
    1. Using the API token of the Technical User, obtain a short-lived access token. For instructions, see Get a Short-Lived Access Token.
    2. Using the short-lived access token, obtain a long-lived access token. For instructions, see Get a Long-Lived Access Token.
  4. In your IdP, configure user provisioning. For instructions, refer to the documentation of your IdP. Use the following details:
    • SCIM endpoint: https://{SUBDOMAIN}.leanix.net/services/mtm/v1/scim/v2
    • SCIM access token: Long-lived access token that you obtained.
  5. In your IdP, configure attribute mapping. For more information, see SCIM Attribute Mapping.
  6. Depending on the configuration of your IdP, you may need to enable the synchronization of user states.

After you've set up SCIM, user states are synchronized between your IdP and SAP LeanIX.

SCIM Attribute Mapping

The following table lists attributes that are supported in the SCIM integration. Your IdP may require other attributes that are not listed in the table.

AttributeRequiredDescription
userNameRequiredAs configured in SSO in the uid claim
givenNameRequiredUser's given name
familyNameRequiredUser's family name
emails or emailRequiredUser's work email address
activeRequired (in Microsoft Entra ID)Controls provisioning and deprovisioning

📘

Note

To learn how to synchronize authorization, refer to the instructions for a specific identity provider.

The username and email address are unique user identifiers. The following scenarios are possible:

  • The username and email address in SAP LeanIX match with the provisioned information: The user can be matched. No changes to the user in SAP LeanIX are applied.
  • The username or email address in SAP LeanIX matches with the provisioned information: The user can be matched. The user in SAP LeanIX gets updated with the provisioned information.
  • Neither the username nor email address matches with the provisioned information: The user can’t be matched. A new user is created in SAP LeanIX.