Skip to main content
User provisioning using SCIM

Use System for Cross-domain Identity Management (SCIM) v2.0.

Updated over a month ago

Overview

This article lists the steps to enable SCIM integration and manage users in inSync.

Pre-requisite

Only a Druva Cloud administrator and inSync Cloud administrator can configure inSync to manage users using SCIM.

Procedure

Step 1: Configure Druva inSync to use SCIM to manage users

inSync cloud administrator must define the user import type in the Druva console. To configure and use SCIM for managing users in the Druva Console, perform the following steps:

  1. On the Microsoft 365 / Google Workspace dashboard, click Users > User Provisioning.

  2. Click Use SCIM to use SCIM based IdPs to import and manage users. A confirmation box appears.

  3. Click Continue. You are redirected to generate a token to integrate IdP with inSync.

    clipboard_e02866fdbfcec8e4e55727cd2f76c24c8.png


❗ Important

  • Once you select SCIM for user management in the inSync Management Console, you cannot use AD or LDAP for user management.


Step 2: Generate a token to integrate IdP with Druva inSync

As an inSync Cloud administrator, after you select SCIM for user management, you must generate a token to integrate the IdP from which you want to manage users in inSync. A token is a key to identify and authenticate the IdP with inSync.


❗ Important

  • If you see the message - API gateway feature is disabled for your account, kindly contact Support to enable this feature for your account.

  • Only a Druva Cloud administrator and inSync Cloud administrator can generate a token.

  • You must copy the token and save it immediately when you generate it. The token is not saved in the Druva Console.

  • Once generated, the token is valid for 365 days.

  • If you or any other inSync Cloud administrator regenerates a token, the previous token becomes invalid. The new token must be used to reconfigure the existing SCIM app.


Procedure

To generate a token:

  1. In the previous step, if you are redirected to the Settings tab on the User Deployment page, click on vertical ellipsis and then 'New Token'.

  2. Once generated, copy the new token and securely save it. You will need it to enable API Integration of IdP with inSync later in Step 5.

clipboard_efce7badb77f960c9dbc669a795ade424.png

Alternatively,

1)On the inSync Management Console menu bar, click Users > Deployment.

2)On the User Deployment page, click on vertical ellipsis.

3)Click on 'New Token' and then on Continue for the Confirmation.

4)The token is generated. Copy the token and save it. Use it to enable API Integration of IdP with inSync.

To regenerate a new token:

You can create a new token by following the steps below.

Creating a new token will expire the existing one, and all APIs using the existing token will cease to function.

  1. Navigate to the Druva Console menu bar and click on Users > User Provisioning.

  2. On the User Provisioning page, locate and click on the vertical three-dot menu.

  3. Click New Token.

  4. Once generated, copy the new token and securely save it. You will need it for enabling API Integration of IdP with inSync later in Step 5.

clipboard_eb814061cbdb1801fe8e7b919ca861820.png

Step 3: Create a SCIM mapping

A SCIM mapping enables inSync administrators to define the filter parameters (SCIM attributes configured in the IdP) to automatically classify users and define the profile, storage region, and storage quota that should be assigned to the users who match the filter criteria.

An inSync administrator can create multiple mappings to classify users based on the various SCIM attributes and value pairs. After creating multiple mappings, administrators can also specify the priority of the mapping based on which the user classification should take precedence.

Druva inSync supports the standard SCIM attributes. You can even map the custom SCIM attributes and create a mapping to classify the users.


❗ Important

  • The SCIM attributes that you define in the SCIM mapping must be mapped to the IdP attributes in the IdP; otherwise, the user creation fails.

  • If a user does not classify or fall under any SCIM mapping created in Druva inSync, the user account creation fails.

  • Druva recommends that you also create a default mapping with the configuration ' Allow any user '. This default mapping will ensure that any users who do not classify or fall under any of the mappings are created with a default configuration. The priority of this default mapping can be set to lowest.

  • Once you create a SCIM mapping, you can only modify the Mapping Name and inSync configuration. You cannot modify the User criteria to filter users.

  • The filter is case-sensitive. The value you specify in the SCIM mapping and the attribute value in IdP should be in the same case.


Before you begin

Ensure you have:

  • Created a Profile - A profile is a set of configurations that is applied to a set of users. Using profiles, you can define the data sources for backup, and generic backup configuration parameters that are automatically applied to all the users that belong to that profile. For more information, see Create and manage profiles.

  • Your Druva inSync storage region is configured.

Procedure

  1. On the Druva Console menu bar, click Users > User Provisioning.

  2. Click New Mapping.

  3. On the New Mapping wizard, under Mapping Configuration tab, specify the following details:

    1. Mapping Name - Specify a name for the SCIM mapping.

    2. Under the Filter Users section,

      • Select SCIM attribute, if you want to configure users based on a specific SCIM attribute and matching values.

      • Specify the SCIM Attribute name.

      • In the Value(s) box, type the value for the attribute.



        ❗ Important

        The filter is case-sensitive. The value you specify in the SCIM mapping and the attribute value in the IdP should be in the same case.



        💡 Tip

        Use a comma to specify multiple values for the attribute. Only the user accounts, that match the values specified in the box are mapped to this mapping.


        Else, select All Users if you want to import and configure users based on no criteria.

        clipboard_e51ee540ddbb275d9df9b7f04c61dfb19.png
  4. Click Next.

  5. On the Backup Configuration tab, specify the following details:

    1. Select the Storage on which the user data should be saved.

    2. Select the Profile to which the users should be assigned to if they are mapped using this SCIM mapping. The data lock enabled profile has​​​​​​ the lock icon. If you select this profile, you cannot:

      1. Delete the snapshots, users, and devices associated with the profile.

      2. Change profile of users.

      3. Remove the license of the user. For more details, see Data Lock.

    3. Specify the storage Quota per user.

    4. Select Send activation email to newly added users check box, if you want to send Druva inSync invitation email to the users who are added to Druva inSync.

      clipboard_e966354aa92b57981e455e7fad47fb052.png
  6. Click Finish.

SCIM mapping is created. You can create multiple mappings to define multiple combinations of SCIM attributes and values to classify users in inSync and allocate them a different profile, storage region, and storage quota.

Any new SCIM Mapping or an update to an existing SCIM mapping is logged by inSync and displayed in the administrator audit trails. Audit trails is a feature that is part of the Governance offering.

(Optional) Step 4: Define the priority for the SCIM mapping

User accounts are automatically created when the IDP is integrated with inSync. When you define multiple SCIM mappings, inSync automatically classifies the users, while creating the user accounts, based on the filter parameters and starts assigning the profile and storage specified in the SCIM mapping.

However, it may be a case, where user accounts fall under multiple SCIM mappings based on the defined criteria. In such cases, inSync administrators can define the priority for the mappings, and users are imported based on the mapping sequence and assigned the profile and storage specified in that mapping.

When you create multiple SCIM Mappings, inSync by default gives priority to the oldest SCIM mapping. SCIM mapping listed at the top has the highest priority while the one at the bottom has the lowest priority. By default, the latest SCIM mapping defined is assigned the lowest priority.

inSync provides an option to change the priority of a SCIM mapping after you create it.

Example

Assume you have defined two SCIM mappings that have the following criteria,

  • General Users Mapping

    • Import all users from the Engineering department

    • Assign them to General Profile 1

    • Per-user storage - 5 GB

  • Executive Users Mapping

    • Import Executive users that are also from the Engineering department

    • Assign users to the Executive Profile

    • Per-user storage - 50 GB

General Users Mapping is created before Executive Users Mapping. Here is how inSync imports users based on the criteria defined in the SCIM mappings,

Executive users fall under both the Mappings. As General Users Mapping is created before the Executive Users Mapping, by default, it has priority. All the users are imported to Druva inSync, including Executive users, and assigned to the General Profile 1 and storage of 5 GB.

However, you want Executive users assigned to the Executive Profile and storage usage of 50 GB. In this case, you must change the priority of Executive Users Mapping from lowest to highest. Druva inSync then first classifies the Executive users and assigns them to the Executive Profile, and then other General users are assigned to the General Profile.

Procedure

To change the priority of a SCIM mapping:

  1. Go to the Druva Console and click on Users > User Provisioning.

  2. On the User Provisioning page, you can view the details of existing SCIM mappings. Locate the vertical three-dot menu next to New Mapping and click on it.

  3. Select Set Mapping Priority Order from the options provided.

  4. In the Edit Mapping Priority Order section, you can view the existing SCIM mappings listed according to their defined priorities.

  5. Choose the SCIM mapping whose priority you want to change.

  6. Utilize the following options appropriately to adjust the priority of the selected SCIM mapping:

    • Move Up: Click this button to increase the priority by one level.

    • Move Down: Click this button to decrease the priority by one level.

    • Move to Top: Click this button to set the priority to the highest level.

    • Move to Bottom: Click this button to set the priority to the lowest level.

  7. Click Save.

    The priority of the selected mapping is updated. inSync classifies users based on the updated priority of the mapping and assigns them the profile and storage

    clipboard_e200ef43c24857e4e543412bc4dfd536a.png

Step 5: Configure IdP to integrate with inSync to manage users

After configuring inSync, the inSync administrator must configure the IdP to integrate with inSync. After successful integration, users from the IdP are created and automatically managed in Druva inSync.

Follow these steps to integrate an IDP with inSync:

  1. Create a custom SCIM app in the IDP.

  2. Enable API Integration with inSync.

  3. Configure and map the SCIM attributes with the IdP attributes in the SCIM app.

  4. Assign users to the SCIM app.

To integrate Okta with inSync, see Manage Users from Okta using SCIM.

To integrate Microsoft Azure AD with inSync, see Manage Users from Microsoft Azure Active Directory using SCIM.

Did this answer your question?