What is SCIM?
Kion supports the System for Cross-domain Identity Management – also known as SCIM – an industry standard for automating the exchange of user identity information between identity providers and downstream IT services. By leveraging Kion’s new SCIM support, CloudOps teams can provide a more secure experience to users and ensure that identity information in Kion stays up-to-date with the latest changes from identity providers such as Microsoft Entra or Okta.
Configuring SCIM in Kion
SCIM is a supported feature of SAML 2.0 IDMS types in Kion. When you add or edit a SAML-based IDMS in Kion, you will receive a SCIM endpoint URL and SCIM secret key for that particular IDMS.
To begin using SCIM in Kion:
- Navigate to the “Users” menu and click “Identity Management Systems”
- Select an existing SAML-based IDMS type from the list (or, you can create a new SAML-based IDMS)
- Click the “SCIM Key” tab
- Under the “SCIM Key” tab, you will see your SCIM endpoint URL. Copy this.
- Next, generate a SCIM token:
  - Click “Generate Token”
  - Click the “Generate Key” button
  - Important: Be prepared to save the secret key once it’s generated. You will not be able to view it again. If you lose the key, you’ll need to generate a new one.
  - Copy the Secret Key into a secure location.
You will now use the SCIM endpoint URL and SCIM Secret Key in the next section, “Configuring SCIM in EntraID/Okta”.
Note: You may need to create an allow-list between your IDMS and Kion for the SCIM endpoint URL above. Please check with your network administrator.
Configuring SCIM in EntraID/Okta
Kion’s implementation of SCIM should work with any SAML 2.0 IDMS that also supports SCIM provisioning. Kion has limited explicit testing of SCIM to EntraID and Okta only.
Please see setup instructions for EntraID and Okta below.
EntraID Setup
- Navigate to Enterprise Applications
- Under the “Manage” menu, select the “All Applications” sub-menu. Navigate to the existing Kion application in your list.
  - NOTE: You must already have Kion configured for SAML. At this time, the EntraID gallery application for Kion does not support SCIM. You must create your own application and manually configure the Kion parameters to use provisioning.
- Navigate to the “Provisioning” menu.
- Select “New provisioning”.
- Under the “Admin Credentials” section:
  - Enter the SCIM endpoint URL for Kion (copied from the “Configuring SCIM in Kion” section above).
  - Enter the SCIM Secret Key (copied from the “Configuring SCIM in Kion” section above).
  - Click “Test Connection” to verify everything is working as expected.
  - Click Save.
- If you are transitioning from LDAP synchronization, note the following:
  - You must disable LDAP synchronization on your IDMS before enabling SCIM.
  - You must ensure that the userName attribute being sent to Kion matches the same principal that was used for LDAP synchronization, so that user objects are not recreated. This setting is located under your Enterprise Application > Provisioning > Attribute Mapping within the Azure console.
- After confirming any settings you need in the previous step, go to the Overview screen for the Provisioning section of your application and click the "Start Provisioning" button at the top of the screen to begin the provisioning process. You can monitor the status of your provisioning using the Overview page > Current cycle status, or using Monitor > Provisioning logs (for more detail).
- NOTE: We recommend using the default Scope, “Sync only assigned users and groups”, for EntraID. Synchronizing unnecessary users into the Kion platform can result in poor performance during configuration activities.
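The LDAP-to-SCIM transition step above depends on the userName your IdP will send matching the principal Kion already holds. The following pre-flight check is an added example (not Kion, Entra, or Okta code): it parses constructed SCIM User payloads, shaped as in RFC 7643, and reports which users would be created fresh rather than matched. It assumes an exact userName match is what preserves the existing user object; case-only differences are flagged separately so you can confirm Kion’s behaviour before clicking “Start Provisioning”.

```python
import json

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed sample: principals Kion already holds from LDAP synchronization.
EXISTING_LDAP_PRINCIPALS = ["alice@example.com", "bob@example.com",
                            "Carol@example.com", "dave@example.com"]

# Constructed sample: User resources the IdP would send after attribute mapping.
# "bob" shows a mapping that sends sAMAccountName instead of the UPN.
SCIM_USERS_JSON = """[
  {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
   "userName": "alice@example.com", "active": true,
   "name": {"givenName": "Alice", "familyName": "Adams"}},
  {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
   "userName": "bob", "active": true,
   "name": {"givenName": "Bob", "familyName": "Brown"}},
  {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
   "userName": "carol@example.com", "active": true,
   "name": {"givenName": "Carol", "familyName": "Clark"}}
]"""


def classify_scim_users(scim_users, existing_principals):
    """Map each SCIM userName to 'match', 'case_mismatch' or 'new'.

    Assumption (not stated in Kion's docs): only an exact userName match
    keeps the existing user object; anything else is reported.
    """
    exact = set(existing_principals)
    folded = {p.casefold() for p in existing_principals}
    verdicts = {}
    for user in scim_users:
        if SCIM_USER_SCHEMA not in user.get("schemas", []):
            raise ValueError("not a SCIM 2.0 User resource")
        name = user["userName"]
        if name in exact:
            verdicts[name] = "match"
        elif name.casefold() in folded:
            verdicts[name] = "case_mismatch"
        else:
            verdicts[name] = "new"
    return verdicts


def preflight_report(scim_users_json=SCIM_USERS_JSON,
                     existing=EXISTING_LDAP_PRINCIPALS):
    """Summarise what provisioning would do to the existing user set."""
    verdicts = classify_scim_users(json.loads(scim_users_json), existing)
    would_recreate = sorted(n for n, v in verdicts.items() if v != "match")
    # Existing users with no SCIM payload: untouched when the scope is
    # "Sync only assigned users and groups", so list them for review.
    sent = {n.casefold() for n in verdicts}
    not_in_scope = sorted(p for p in existing if p.casefold() not in sent)
    return {"verdicts": verdicts, "would_recreate": would_recreate,
            "not_in_scope": not_in_scope, "safe_to_start": not would_recreate}


if __name__ == "__main__":
    report = preflight_report()
    for name, verdict in report["verdicts"].items():
        print(f"{name:24} {verdict}")
    print("not in SCIM scope:", report["not_in_scope"])
    print("safe to click Start Provisioning:", report["safe_to_start"])
```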
Okta Setup
- Under the “Applications” menu, select the “Applications” sub-menu.
- Select the Kion application from the list.
  - Note: This assumes you have already set up the Kion integration with Okta.
- Click the “Provisioning” tab
- Under “Settings”, click “Integration”
- Click “Edit” next to “SCIM Connection”
- Enter the following values:
  - Under “SCIM connector base URL”, enter the SCIM endpoint URL for Kion (copied from the “Configuring SCIM in Kion” section above)
  - Set “Authentication Mode” to “HTTP Header”
  - Under “HTTP Header”, enter the SCIM Secret Key (copied from the “Configuring SCIM in Kion” section above)
- Save your changes.
Post-setup
Once SCIM has been set up and enabled on your IDMS, users will be automatically provisioned and deprovisioned via the SCIM protocol, including user metadata updates such as first name, last name, email, and phone number.
Viewing Users Managed by SCIM
To view users managed by SCIM, follow these steps:
- Log in to Kion
- Under the “Users” menu, click the “All Users” sub-menu.
- Under the IDMS drop-down at the top of the page, filter by the SAML-based IDMS you have set up to use SCIM.
- You will now see a list of users managed by SCIM.
- Note that SCIM-managed users cannot be deleted directly via Kion; instead, you will see a tooltip like the one below, which indicates the user is SCIM managed. Deprovisioning can only occur via your IDMS.