This is a premium product add-on and must be purchased and configured through your Account Manager.
System for Cross-domain Identity Management (SCIM) is a protocol that enables automated user provisioning and de-provisioning between different identity systems. It allows SailPoint to communicate with the MANTL Console to exchange user identity information and perform provisioning and de-provisioning actions automatically.
- Considerations
- Prerequisites
- Supported Features
- Supported Attributes
- Configuration Steps
- Troubleshooting
Considerations
When choosing to use SCIM provisioning, consider the following:
- MANTL's implementation of SCIM maps SailPoint groups one-to-one with MANTL roles.
- The MANTL Console does not support nested roles.
- When SCIM is enabled for your organization in MANTL, users and roles in the MANTL Console will become read-only.
- While you will still be able to update a role's description and associated permissions, you will not be able to otherwise edit roles in the MANTL Console (e.g. a role's name or its user associations).
- User profiles and roles will need to be updated in SailPoint.
- Permissions and their associations to roles will still be edited in the MANTL Console.
- Users can only be deactivated, not deleted.
- If a user is off-boarded or unassigned from a relevant group in SailPoint, their status in MANTL updates accordingly.
- All other historical information associated with that user will remain in MANTL.
- Deactivated users can be re-enabled without creating a new user in MANTL by reassigning them to a relevant group in SailPoint.
- Organizations with multiple clients (i.e. brands) may manage client assignment either at the user level or at the role level.
- By default, client assignments are made at the user level and managed within the Console. The system default is to assign all clients to a user, so admins update a user via the Console to limit client access as needed.
- Managing client assignments via roles may be preferable for organizations that have many users with varying client access. In this case, a group structure will need to be created in SailPoint to control client assignments, after which client/role assignment can be managed via the Console, similar to permission/role assignment.
Prerequisites
- Before getting started in SailPoint, your Customer Success Manager (CSM) will provide you with an access token for authenticating SCIM requests.
- Because the token is highly sensitive information, it will be sent to you using your preferred secure messaging platform and not emailed.
- The token is a bearer credential: any request that presents it can create and update users, deactivate them, and change role memberships. Store it only in the SailPoint source configuration, never in tickets or shared documents, and contact your CSM if you suspect it has been exposed.
Supported Features
- Create users
- Update user attributes
- Deactivate users
- Create roles
- Assign/disassociate users from roles (update memberships)
- Authentication type: API Token
- Not supported: Password Management
Supported Attributes
MANTL supports the following attributes when working with SCIM provisioning in SailPoint:
- First / Last Name: Users in the MANTL Console must have both a first and a last name. A SailPoint identity that is missing either attribute will fail to synchronize.
- Contact Info: MANTL only supports a single email address (required) and a phone number (optional) per user.
- Address: MANTL does not support physical address, locale, or time zone attributes for users.
Configuration Steps
SailPoint's own documentation for the SCIM 2.0 connector also covers this configuration process.
- In the SailPoint dashboard, navigate to Admin > Connections > Sources.
- Select Create New, search for the SCIM 2.0 connector and select Configure.
- Enter the following in the dialog:
- Source Name: Enter a name for the new source, e.g. "MANTL UAT SCIM".
- Description: Enter a description for the new source to help distinguish it from similar sources.
- Source Owner: Begin typing the name of an owner. Matches appear after you type two or more letters.
- Connection Type: Select Direct Connection.
- Governance Group (Optional): Select an optional governance group from the dropdown list.
- Select Continue to create the new source with your selections.
- On the connection settings view, the Connection Timeout can be left to the default of one minute.
- Set the Host URL:
- Production: https://console.mantl.com/scim/v2
- UAT: https://console.uat.mantl.com/scim/v2
- Select Authentication Type: API Token.
- Enter the access token provided by your CSM.
- Select Save.
- Enter the Filter Condition For Groups to aggregate only the SCIM Group resources that map to MANTL roles, for example: DisplayName sw "SecGroup"
- As MANTL's permissions are role-based, we don't recommend syncing users who are not associated with groups intended for use in the MANTL Console.
- The remaining settings can be left at their defaults, unless your organization has special requirements.
- Select Save.
- Select Review and Test.
- Select Test Connection to run the connection test.
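The exchange the connector carries out once the source above is configured, as an added example that is not MANTL's or SailPoint's code: it builds the SCIM 2.0 request bodies (RFC 7643/7644) for the supported features listed earlier, evaluates the DisplayName sw "SecGroup" group filter from the configuration steps, and plays the create, assign, off-board and reassign sequence from the Considerations section against a small in-memory mock of a SCIM service. The mock service, the sample user and group names, the order in which the requests are sent and the placeholder token are all assumptions; in a real deployment the requests go to the Host URL above with the token your CSM provides, and MANTL's server-side behaviour is only what this page documents.

```python
import re
import uuid
from typing import Dict, List, Optional

ACCESS_TOKEN = "REPLACE_WITH_TOKEN_FROM_CSM"  # placeholder; never commit the real one
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def scim_headers(token: str) -> Dict[str, str]:
    """Headers the connector sends with every request under 'API Token' auth."""
    return {"Authorization": f"Bearer {token}", "Content-Type": "application/scim+json"}


def user_payload(user_name: str, given: str, family: str,
                 email: str, phone: Optional[str] = None) -> dict:
    """POST /Users body restricted to the attributes this page says MANTL accepts."""
    if not (given and family):  # the documented sync failure, caught before any request
        raise ValueError(f"{user_name}: first and last name are both required")
    user = {"schemas": [USER_SCHEMA], "userName": user_name, "active": True,
            "name": {"givenName": given, "familyName": family},
            "emails": [{"value": email, "primary": True}]}
    if phone:  # optional; address, locale and timezone are deliberately omitted
        user["phoneNumbers"] = [{"value": phone, "type": "work"}]
    return user


def active_patch(active: bool) -> dict:
    """PATCH /Users/{id}: users are deactivated (active=false), never deleted."""
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": active}]}


def membership_patch(op: str, user_id: str) -> dict:
    """PATCH /Groups/{id}: op is 'add' or 'remove'; one group maps to one MANTL role."""
    if op == "add":
        operation = {"op": "add", "path": "members", "value": [{"value": user_id}]}
    else:
        operation = {"op": "remove", "path": f'members[value eq "{user_id}"]'}
    return {"schemas": [PATCH_SCHEMA], "Operations": [operation]}


_SW_FILTER = re.compile(r'^(\w+)\s+sw\s+"([^"]*)"$', re.IGNORECASE)


def matches_filter(resource: dict, expr: str) -> bool:
    """Evaluate the 'attr sw "prefix"' filter shape used in the group aggregation step.
    SCIM attribute names are case-insensitive, so DisplayName matches displayName."""
    m = _SW_FILTER.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported filter: {expr}")
    attr, prefix = m.group(1).lower(), m.group(2)
    value = next((v for k, v in resource.items() if k.lower() == attr), "")
    return isinstance(value, str) and value.startswith(prefix)


class MockScimService:
    """In-memory stand-in for a SCIM 2.0 server (assumed; not MANTL's implementation)."""

    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}
        self.groups: Dict[str, dict] = {}

    def _store(self, resource_type: str) -> Dict[str, dict]:
        return self.users if resource_type == "Users" else self.groups

    def create(self, resource_type: str, body: dict, headers: Dict[str, str]) -> dict:
        if headers.get("Authorization") != f"Bearer {ACCESS_TOKEN}":
            raise PermissionError("401: missing or wrong bearer token")
        resource = {**body, "id": str(uuid.uuid4())}
        if resource_type == "Groups":
            resource.setdefault("members", [])
        self._store(resource_type)[resource["id"]] = resource
        return resource

    def patch(self, resource_type: str, rid: str, body: dict) -> dict:
        res = self._store(resource_type)[rid]
        for op in body["Operations"]:
            if op["path"] == "active":
                res["active"] = op["value"]
            elif op["path"] == "members":
                res["members"].extend(op["value"])
            elif op["path"].startswith('members[value eq "'):
                uid = op["path"].split('"')[1]
                res["members"] = [m for m in res["members"] if m["value"] != uid]
        return res

    def list_groups(self, filter_expr: str) -> List[dict]:
        """GET /Groups?filter=... as the connector issues it during aggregation."""
        return [g for g in self.groups.values() if matches_filter(g, filter_expr)]


def provisioning_lifecycle() -> dict:
    """Create -> assign -> off-board -> reassign, in an assumed request order;
    the page documents the resulting states, not the wire sequence."""
    svc, hdr = MockScimService(), scim_headers(ACCESS_TOKEN)
    # Constructed sample data: one in-scope role group, one unrelated group, one user.
    role = svc.create("Groups", {"schemas": [GROUP_SCHEMA], "displayName": "SecGroup-Ops"}, hdr)
    svc.create("Groups", {"schemas": [GROUP_SCHEMA], "displayName": "Finance"}, hdr)
    user = svc.create("Users", user_payload("jdoe", "Jane", "Doe", "jdoe@example.com"), hdr)
    svc.patch("Groups", role["id"], membership_patch("add", user["id"]))
    in_scope = [g["displayName"] for g in svc.list_groups('DisplayName sw "SecGroup"')]
    # Off-boarding: drop the membership and deactivate; the user record is retained.
    svc.patch("Groups", role["id"], membership_patch("remove", user["id"]))
    svc.patch("Users", user["id"], active_patch(False))
    offboarded = (svc.users[user["id"]]["active"], len(svc.groups[role["id"]]["members"]))
    # Reassignment re-enables the same record instead of creating a second user.
    svc.patch("Users", user["id"], active_patch(True))
    svc.patch("Groups", role["id"], membership_patch("add", user["id"]))
    return {"in_scope_groups": in_scope, "active_after_offboard": offboarded[0],
            "members_after_offboard": offboarded[1], "user_count": len(svc.users),
            "active_after_reassign": svc.users[user["id"]]["active"]}
```

The filter check is the part worth keeping beside the configuration steps: because SCIM attribute names are case-insensitive, DisplayName sw "SecGroup" and displayName sw "SecGroup" select the same groups, and only groups whose name starts with the prefix are aggregated, which is what keeps unrelated groups (and their members) out of MANTL.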
Known Issues and Troubleshooting
- MANTL users are required to have first and last names. A SailPoint user may error when attempting to sync if missing either field.
If any other error occurs, contact your CSM and we can help you troubleshoot the issue.