SCIM-Based User Provisioning in PAM360
SCIM (System for Cross-domain Identity Management) provisioning offers a standardized approach for managing user identities across various systems and applications. In the context of PAM360, SCIM integration facilitates seamless provisioning of users and user groups, empowering administrators to efficiently manage access to critical resources.

Since PAM360 is an on-premises application, a provisioning agent from the identity provider is required to establish the connection to the PAM360 server. This enables administrators to synchronize user and user group details between their existing identity management systems and the PAM360 application using the provided PAM360 SCIM APIs, eliminating the need for manual intervention and ensuring that user information remains up-to-date and aligned with organizational requirements.

User Account Requirements - An API user account with the Privileged Administrator, Administrator, or custom role with the Manage SCIM Provisioning privilege is required to implement SCIM-based identity provisioning in PAM360.

The PAM360 SCIM APIs are divided into three categories, comprising sixteen APIs in total, aimed at facilitating CRUD (Create, Read, Update, Delete) operations:
These APIs empower users to provision and manage user identities across various identity management systems. For further insights into the PAM360 SCIM APIs and their functionalities, please refer to this document.

Note: To disable SCIM functionality in PAM360 in case of emergency, navigate to Admin >> Manage >> Emergency Measures. Select the Disable SCIM API Access checkbox and click Save >> OK.

The image below illustrates how PAM360 SCIM APIs operate to provision users and user groups in Entra ID. This documentation also offers a sample configuration of user and user group provisioning from Microsoft Entra ID to PAM360.
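As an added illustration of the synchronization described above (not code from PAM360 or Microsoft), the following Python models one provisioning cycle: it compares the users and groups assigned in Entra ID with what PAM360 currently holds and emits the SCIM 2.0 create and PATCH calls needed to reconcile them. Attribute names follow the standard SCIM core schemas; the request shapes and the deactivate-rather-than-delete policy are assumptions of the example, not PAM360 behaviour documented on this page.

```python
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def patch_op(operations):
    """Wrap operations in a SCIM 2.0 PatchOp message (RFC 7644 section 3.5.2)."""
    return {"schemas": [SCIM_PATCH], "Operations": operations}


def plan_sync(desired_users, desired_groups, current_users, current_groups):
    """Return the (method, path, body) calls that bring PAM360 in line with the IdP.
    desired_users:  {userName: {"givenName", "familyName", "email"}} assigned in Entra ID
    desired_groups: {displayName: [userName, ...]}
    current_users:  SCIM User resources as listed by GET <base>/Users (id, userName, active)
    current_groups: SCIM Group resources as listed by GET <base>/Groups (id, displayName, members)
    Paths are relative to the SCIM base URL, e.g. https://<host>:<port>/scim/v2 (assumed layout).
    """
    calls = []
    by_name = {u["userName"]: u for u in current_users}
    # 1. Users assigned in the IdP but missing in PAM360 are created; disabled ones are re-enabled.
    for name, a in desired_users.items():
        cur = by_name.get(name)
        if cur is None:
            calls.append(("POST", "/Users", {
                "schemas": [SCIM_USER], "userName": name, "active": True,
                "name": {"givenName": a["givenName"], "familyName": a["familyName"]},
                "emails": [{"value": a["email"], "primary": True}]}))
        elif not cur.get("active", True):
            calls.append(("PATCH", f"/Users/{cur['id']}",
                          patch_op([{"op": "replace", "value": {"active": True}}])))
    # 2. Users no longer assigned are deactivated, not deleted (example policy): the account
    #    and its audit trail stay in PAM360 while access is removed, as an IdP soft-delete does.
    for name, cur in by_name.items():
        if name not in desired_users and cur.get("active", True):
            calls.append(("PATCH", f"/Users/{cur['id']}",
                          patch_op([{"op": "replace", "value": {"active": False}}])))
    # 3. Groups: create missing ones, then reconcile membership by PAM360 user id.
    by_group = {g["displayName"]: g for g in current_groups}
    for gname, members in desired_groups.items():
        cur = by_group.get(gname)
        if cur is None:
            calls.append(("POST", "/Groups", {"schemas": [SCIM_GROUP], "displayName": gname}))
            continue
        have = {m["value"] for m in cur.get("members", [])}
        want = {by_name[n]["id"] for n in members if n in by_name}  # users created above join next cycle
        ops = [{"op": "add", "path": "members", "value": [{"value": i}]} for i in sorted(want - have)]
        ops += [{"op": "remove", "path": f'members[value eq "{i}"]'} for i in sorted(have - want)]
        if ops:
            calls.append(("PATCH", f"/Groups/{cur['id']}", patch_op(ops)))
    return calls
```

Feeding the returned calls to an HTTPS client with the API user's token is left out so the planner runs offline; the point is the shape and ordering of the operations.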
1. Prerequisites

To set up SCIM provisioning in Entra ID, create a PAM360 API user account with the Privileged Administrator, Administrator, or custom role with the Manage SCIM Provisioning privilege enabled. Be sure to copy the user Authentication Token generated during the API user creation process, as it will be required for the SCIM configuration in the identity management system or application.

In addition to the above requirements, you will need a Windows Server endpoint connected to the PAM360 server network with a valid SSL certificate for the SCIM agent deployment.

2. Configuring SCIM Provisioning in Microsoft Entra for PAM360 Application
For example: https://<Hostname-of-the-PAM360-server>:<Port>/scim/v2

Whenever a user or a user group is added or modified in the PAM360 SCIM application in Entra ID, with the PAM360 SCIM APIs and the agent deployed, those users and user groups will be synced between the identity management system or application (i.e., Entra ID) and the PAM360 server at synchronization. You can check the status of users and groups provisioned with the PAM360 server in the Overview tab.

3. Limitations