Contact your Account Manager if you are interested in SSO.
System for Cross-domain Identity Management (SCIM) is a protocol that enables automated user provisioning and de-provisioning between different identity systems. It allows Duo to communicate with the MANTL Console to exchange user identity information and perform provisioning and de-provisioning actions automatically.
Considerations
When choosing to use SCIM provisioning, consider the following:
- MANTL's implementation of SCIM maps Duo groups one-to-one with MANTL roles.
- The MANTL Console does not support nested roles.
- When SCIM is enabled for your organization in MANTL, users and roles in the MANTL Console will become read-only.
- While you will still be able to update a role's description and associated permissions, you will not be able to otherwise edit roles (e.g. a role's name or user associations) using the MANTL Console.
- User profiles and roles will need to be updated in Duo or your source-of-truth system that feeds into Duo.
- Permissions and their associations to roles will still be edited in the MANTL Console.
- Users can only be deactivated, not deleted.
- If a user is off-boarded or unassigned from a relevant group in Duo, their status in MANTL updates accordingly.
- All other historical information associated with that user will remain in MANTL.
- Deactivated users can be re-enabled without creating a new user in MANTL by re-assigning them.
- Organizations with multiple clients (i.e. brands) may manage client assignment at either the user or role level.
- By default, client assignments are made at the user level and managed within the Console. The system default is to assign all clients to a user, so admins update a user via the Console to limit client access as needed.
- Managing client assignments via roles may be desirable for organizations that have many users with varying client access. In this case, it is possible to drive client assignments via Duo groups. If enabled, client/role assignment would be managed via the Console, similar to permission/role assignment.
Prerequisites
- Before getting started in Duo, your Implementation Manager or Customer Success Manager (CSM) will provide you with an access token for authenticating SCIM requests.
- Because the token is highly sensitive information, it will be sent to you using your preferred secure messaging platform and will not be emailed.
Supported Features
- Create users
- Update user attributes
- Deactivate users
- Create groups
- Delete groups
- Update user assignments
Supported Attributes
MANTL supports the following attributes when working with SCIM provisioning in Okta:
- First / Last Name: Users in the MANTL Console are required to have first and last name attributes only. Middle names, honorifics, prefixes and postfixes, display names, or nicknames do not get mapped to the MANTL Console. This may cause synchronization issues for some users if the first and last names are missing.
- Contact Info: MANTL only supports a single email address (required) and a phone number (optional) per user.
- Address: MANTL does not support physical address, locale, or time zone attributes for users.
- Job Title: Duo does not have a default user attribute for job title, but if you've configured a custom attribute, it can be mapped during the setup process.
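As an added illustration (not MANTL's or Duo's own code), the following Python builds the SCIM 2.0 payloads that the considerations and attribute notes above imply, and applies them to a toy model of the Console state: only first and last name are mapped, one email is required, one phone is optional, a custom job title is carried as the SCIM "title" attribute, each Duo group becomes one role, and off-boarding deactivates rather than deletes. The Duo profile layout, the "title" attribute name, the "MantlStore" class, the permission name and the sample user are assumptions made for this example.

```python
"""Build the SCIM 2.0 payloads Duo would send to MANTL and check them
against the attribute and role rules described above.

Added illustration, not MANTL's or Duo's code. The Duo profile layout,
the custom 'title' attribute name and the in-memory MantlStore are
assumptions made for this example."""

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Attributes the page says MANTL does not map; the mapper drops and reports them.
UNSUPPORTED = {"middleName", "honorificPrefix", "honorificSuffix", "displayName",
               "nickName", "addresses", "locale", "timezone"}


def build_scim_user(profile):
    """Map a Duo-style profile (a plain dict here) to a SCIM User resource.
    Returns (resource, warnings); raises ValueError on a required-field gap,
    which is the 'synchronization issue' the attribute notes warn about."""
    warnings = [f"dropped unsupported attribute {k!r}"
                for k in sorted(UNSUPPORTED.intersection(profile))]
    if not profile.get("givenName") or not profile.get("familyName"):
        raise ValueError("MANTL requires both first and last name")
    emails = profile.get("emails") or []
    if len(emails) != 1:
        raise ValueError("exactly one email address is required")
    user = {
        "schemas": [SCIM_USER],
        "userName": emails[0],
        "name": {"givenName": profile["givenName"], "familyName": profile["familyName"]},
        "emails": [{"value": emails[0], "primary": True}],
        "active": True,
    }
    phones = profile.get("phones") or []
    if phones:
        user["phoneNumbers"] = [{"value": phones[0]}]  # a single optional phone
        if len(phones) > 1:
            warnings.append("only the first phone number is kept")
    if profile.get("title"):  # custom Duo attribute mapped to SCIM 'title' (assumed name)
        user["title"] = profile["title"]
    return user, warnings


def deactivate_patch():
    """Off-boarding is a PATCH that sets active=false; MANTL never deletes users."""
    return {"schemas": [SCIM_PATCH],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


class MantlStore:
    """Toy model of Console state with SCIM enabled: each Duo group is one
    role, users and role membership come only from SCIM, and a role's
    permissions are still edited in the Console."""

    def __init__(self):
        self.users = {}  # id -> SCIM resource (kept even when deactivated)
        self.roles = {}  # group displayName -> {"members": set, "permissions": set}

    def create_user(self, resource):
        uid = f"u{len(self.users) + 1}"
        self.users[uid] = dict(resource, id=uid)
        return uid

    def create_group(self, display_name):
        self.roles.setdefault(display_name, {"members": set(), "permissions": set()})

    def set_members(self, display_name, user_ids):
        self.roles[display_name]["members"] = set(user_ids)

    def patch_user(self, uid, patch):
        for op in patch["Operations"]:
            if op["op"] == "replace" and op["path"] == "active":
                self.users[uid]["active"] = op["value"]

    def is_active(self, uid):
        return self.users[uid]["active"]

    def set_permissions(self, display_name, perms):
        self.roles[display_name]["permissions"] = set(perms)


def demo():
    """Provision one user into one group, then off-board them. Sample data is constructed."""
    store = MantlStore()
    alice = {"givenName": "Alice", "familyName": "Ng", "emails": ["alice@example.com"],
             "phones": ["+1-555-0100"], "title": "Ops Lead",
             "middleName": "Q", "timezone": "UTC"}  # last two will be dropped
    resource, warnings = build_scim_user(alice)
    uid = store.create_user(resource)
    store.create_group("MANTL Admins")  # Duo group name becomes the role name
    store.set_members("MANTL Admins", [uid])
    store.set_permissions("MANTL Admins", ["applications.read"])  # constructed name; Console-side edit
    store.patch_user(uid, deactivate_patch())  # removed from Duo group -> deactivated
    return store, uid, warnings


if __name__ == "__main__":
    s, u, w = demo()
    print("active:", s.is_active(u), "| retained:", u in s.users, "|", w)
```

Running the script shows the deactivated user still present in the store with the dropped-attribute warnings, which is the behaviour to expect in the Console: the record and its history stay, only the status flips.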
Configuration Steps
- You must be an administrator in your Duo account.
- If you have already added the MANTL app integration to your Duo account for SSO, skip to step 6 to enable user provisioning.
- Navigate to the Manage Application page (left menu, Applications > Applications) and click the "Add Application" button.
- Search for "generic oidc" and click the "Add" button for the "Generic OIDC Relying Party" tile.
- Duo doesn't provide a provisioning-only application. Even if you plan to use only user provisioning without SSO, add this application and simply leave the OIDC feature disabled.
- Rename the application "MANTL" or "MANTL UAT", as appropriate.
- Navigate to the Provisioning tab, along the top, and for Authentication mode select "Bearer token".
- Set the Base URL:
- Production: https://console.mantl.com/scim/v2
- UAT: https://console.uat.mantl.com/scim/v2
- Set the access token provided and click "Connect to application".
- Set up attribute mappings. In this example, the optional phones attribute has been included as well as a custom job title attribute.
- Set up groups.
- If you're using Duo for both SSO and provisioning, the "Use groups with SSO access" option is recommended as it means you'll only need to manage group assignments in one place.
- The "Exclude group information" option should not be checked. MANTL only supports permission assignments at the group level; if this option is checked, users will not have access to any MANTL features once logged in.
- Click the Save and enable button.
- Groups and users will immediately begin to be created in MANTL.
- If you have not already, you can now configure the application for Duo Central.
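The "Connect to application" step above is Duo exercising the Base URL with the bearer token. As an added example (not MANTL's or Duo's code), the script below performs the equivalent smoke test from a workstation once the token has arrived over your secure channel: it reads the token from an environment variable (the name MANTL_SCIM_TOKEN is chosen here), never prints it, issues a standard SCIM 2.0 GET /Users against the production or UAT base URL, and summarises the ListResponse. That MANTL honours the standard "count" pagination parameter and answers with a ListResponse are assumptions from the SCIM specification, not facts stated on this page.

```python
"""Smoke-test the SCIM endpoint with the provided bearer token.

Added illustration, not MANTL's or Duo's code. Assumes the token is in the
MANTL_SCIM_TOKEN environment variable (name chosen here) and that GET /Users
returns a standard SCIM 2.0 ListResponse (RFC 7644)."""
import json
import os
import sys
import urllib.error
import urllib.request

# Base URLs from the configuration steps above.
BASE_URLS = {
    "production": "https://console.mantl.com/scim/v2",
    "uat": "https://console.uat.mantl.com/scim/v2",
}


def build_request(base_url, token, count=1):
    """GET {base}/Users with the bearer token; 'count' is the standard SCIM
    pagination parameter, assumed here to be honoured by the endpoint."""
    req = urllib.request.Request(f"{base_url}/Users?count={count}")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/scim+json")
    return req


def redact(token):
    """Never echo the token into logs or terminals; report only its length."""
    return f"<bearer token, {len(token)} chars>"


def summarize_list_response(body):
    """Parse a SCIM ListResponse; return (totalResults, active users on this page)."""
    data = json.loads(body)
    if "urn:ietf:params:scim:api:messages:2.0:ListResponse" not in data.get("schemas", []):
        raise ValueError("response is not a SCIM ListResponse")
    resources = data.get("Resources", [])
    active = sum(1 for r in resources if r.get("active"))
    return data.get("totalResults", len(resources)), active


def main(env="uat"):
    token = os.environ.get("MANTL_SCIM_TOKEN")
    if not token:
        sys.exit("MANTL_SCIM_TOKEN is not set; export the token received over your secure channel")
    req = build_request(BASE_URLS[env], token)
    print("calling", req.full_url, "with", redact(token))
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            total, active = summarize_list_response(resp.read())
    except urllib.error.HTTPError as err:
        # 401 is the signature of a wrong or revoked token; anything else is reported as-is.
        sys.exit(f"HTTP {err.code}: {'token rejected' if err.code == 401 else err.reason}")
    print(f"{total} users visible, {active} active on the first page")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "uat")
```

Run it as "python scim_check.py uat" (or "production") after exporting MANTL_SCIM_TOKEN; a 401 means the token or environment is wrong, while a ListResponse confirms the endpoint and token match before you click Save and enable.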