Note
As a prerequisite, this feature requires completed Domain Verification (DV).
SCIM 2.0 (System for Cross-domain Identity Management) is an industry-standard protocol that enables identity providers (IdPs), such as Okta or Microsoft Entra, to manage access to Samsara resources. SCIM 2.0 can automatically add new users, update user information, and delete users from the system if they leave. This helps keep user access accurate, improves internal security, and reduces the need for manual updates by administrators.
While Single Sign-On (SSO) Authentication confirms user identity at sign-in, SCIM ensures that only the right users exist in the system in the first place. SCIM 2.0 can also create and configure user accounts, such as their assigned role, before they sign in for the first time through SSO.
To set up SCIM 2.0 for your organization, select a workflow:
Samsara supports SCIM 2.0 for Okta. You must be integrated with Okta as your IdP to use SCIM 2.0 for Okta. Use the following workflow to set up SCIM 2.0 for Okta:
- From the Samsara dashboard, navigate to Settings > Organization > Single Sign On.
- Toggle on Enable SCIM.
- In your Okta Admin Console, navigate to the app you use to manage access to Samsara.
- Under General, select the SCIM option in Provisioning.
- Save.
- Under Provisioning, select Integration and configure your SCIM Connection:
  - Enter your SCIM endpoint into the SCIM connector base URL.
  - For the Authentication Mode, ensure HTTP Header is selected.
  - Open a new window and return to the Samsara dashboard to copy the Bearer Token from SCIM settings located in Settings > Organization > Single Sign On.
  - Return to the Okta Admin Console and paste the Bearer Token into the field for Authorization.
  - Click Test Connector Configuration to confirm the connection is successful.
  - After the connection succeeds, Save.
- While still under Provisioning, select To App and click Edit:
- Ensure that Create Users, Update User Attributes and Deactivate Users are enabled.
- Save.
- Scroll down and select Go to Profile Editor.
- In the Profile Editor, click + Add Attribute and enter the following field entries:
| Attribute | Field Entry | Example |
| --- | --- | --- |
| Data type | string array | |
| Display name | Samsara Dashboard Roles | |
| Variable name | samsaraRoles | |
| External name | rolesList | |
| Enum | Select Define enumerated list of values | |
| Attribute members | Enter every role for your organization. If you want to target roles with tags, use the following format: Full Admin tags:warehouse,dock | Display name: Full Admin, Value: Full Admin |
| Attributes required | Select Yes | |
| External namespace | urn:ietf:params:scim:schemas:core:2.0:User | |
- Save.
  After you save, configuration for SCIM 2.0 between Okta and Samsara is complete.
Samsara supports SCIM 2.0 for Entra. You must be integrated with Entra as your IdP to use SCIM 2.0 for Entra. Use the following workflow to set up SCIM 2.0 for Entra:
- Sign in to Azure and perform a search for Entra ID, then select Microsoft Entra ID. Then, perform the following steps within Azure:
- From the Samsara dashboard, navigate to Settings > Organization > Single Sign On.
- Toggle on Enable SCIM.
  The Bearer Token and SCIM Endpoint for EntraID fields will be used in the next step.
- Copy the SCIM Endpoint for EntraID from your Samsara dashboard, and then paste it in the Tenant URL field in Entra.
- Copy the Bearer Token from your Samsara dashboard and paste it in the Secret token field in Entra.
- Within Entra, continue the following steps:
- Select Test connection.
  When the test succeeds, a pop-up confirms it.
- Click Create.
- Upon successful creation, you are directed to Overview. Select Attribute mapping (Preview). Then, perform the following steps within Attribute Mapping:
  - Check Show advanced options, and then click Edit attribute list for customappsso.
  - Add a new attribute with the Name roles, Type string, and have Multi-Value checked.
  - Save.
  - Click Add New Mapping to map the roles attribute you just created.
  - In Edit Attribute:
    - From the Mapping type drop-down, select Expression.
    - In the Expression field, input AppRoleAssignmentsComplex([appRoleAssignments]).
    - From the Target attribute drop-down, select roles.
  - Select Ok.
  - Save.
    This is what the Attribute Mapping table must look like:
    If any rows are missing, the SCIM connection won't work. If any rows are missing, or if the values under CustomAppSSO Attribute or Microsoft Entra ID Attribute differ from what is displayed, click Edit to modify the entry, or Add New Mapping to create it and then Save.
    If there are any additional request attributes not accepted by the Samsara SCIM schema, the SCIM connection won't work. Some attributes are automatically set by Entra.
- Navigate to Provisioning and set the Provisioning Status to On.
- Save.
  After this step, you can create roles and assignments within Entra.
After you complete the final step in Configure SCIM 2.0 for Microsoft Entra, you can create roles and assign them in the app you made in Entra. Roles are created in the app you created in Entra, under App Roles.
The Display name should match the Samsara dashboard name, and the Value should be the base64-encoded role name.
To pass tags within a role, append tags:<tag1,tag2> to the Display name. For example, if you have a Full Admin role in a tag named warehouse, you would input the following in Display name: Full Admin tags:warehouse. The Value should be the same base64-encoded string.
These roles can be assigned to users by creating app assignments through Users and groups > + Add user/group.
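The following added example (not Samsara's or Microsoft's code) builds the Display name and Value pair described above and checks existing app roles for a Value that does not decode to the role name; the same `tags:` parsing applies to the Okta attribute members format. It assumes standard base64 over the UTF-8 bytes of the role name without the tags suffix; the function names, dictionary keys and sample roles are constructed for illustration.

```python
import base64

TAG_MARKER = " tags:"  # separator from the page: "Full Admin tags:warehouse,dock"

def parse_role(display_name):
    """'Full Admin tags:warehouse,dock' -> ('Full Admin', ['warehouse', 'dock'])."""
    role, sep, tag_part = display_name.partition(TAG_MARKER)
    role = role.strip()
    if not role:
        raise ValueError("empty role name")
    if not sep:
        return role, []
    tags = [t.strip() for t in tag_part.split(",")]
    if not all(tags):
        raise ValueError("empty tag in tags: list")
    return role, tags

def entra_app_role(role, tags=()):
    """Build the Display name / Value pair to enter under App Roles."""
    display = role + (TAG_MARKER + ",".join(tags) if tags else "")
    # Assumption: standard base64 over the UTF-8 bytes of the role name alone.
    value = base64.b64encode(role.encode("utf-8")).decode("ascii")
    return {"displayName": display, "value": value}

def check_app_roles(app_roles):
    """Return one message per app role whose Value does not match its role name."""
    problems = []
    for entry in app_roles:
        name, value = entry["displayName"], entry["value"]
        try:
            role, _tags = parse_role(name)
            decoded = base64.b64decode(value, validate=True).decode("utf-8")
        except ValueError as exc:  # bad tag syntax, bad base64, or bad UTF-8
            problems.append(f"{name}: {exc}")
            continue
        if decoded != role:
            problems.append(f"{name}: Value decodes to {decoded!r}, expected {role!r}")
    return problems

# Constructed sample: one correct role and two common mistakes.
SAMPLE_APP_ROLES = [
    entra_app_role("Full Admin", ["warehouse"]),
    {"displayName": "Full Admin", "value": "Full Admin"},  # not encoded
    {"displayName": "Full Admin tags:dock",                 # tags encoded too
     "value": base64.b64encode(b"Full Admin tags:dock").decode("ascii")},
]

if __name__ == "__main__":
    for line in check_app_roles(SAMPLE_APP_ROLES):
        print(line)
```

Running the check before turning provisioning on catches a role that would otherwise be assigned under the wrong name or not at all.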
Note
At this time, Samsara only supports user provisioning. Groups cannot be provisioned.
For a quick test, go to Provision on demand, and try to provision a user. If successful, the user is created or updated in the Samsara dashboard with the assigned role.
