User provisioning with SCIM

Instructions to connect your Identity Server to provision users and groups to CybSafe, and which attributes we sync across

Written by Jonathan Webster
Updated over a week ago

CybSafe supports provisioning for most Identity Providers (IDPs) via the SCIMv2 protocol.

Note: we have a more specific article for Azure customers

Installation details:

Authentication type: OAuth 2 Bearer Token

Installation steps

  1. Generate a token by visiting Access Management with your administrator account

  2. Copy the SCIM endpoint & token into your Identity Provider

Supported SCIM attributes

| Minimum for CybSafe User | Description |
| --- | --- |
| userName | Required by SCIM, usually primary work email address |
| emails[type eq "work"].value | Work email address marked as primary |
| givenName | First name |
| familyName | Last name |
| addresses[type eq "work"].country | At least 1 address with only country subfield |
| preferredLanguage | Language tag used for email communications (options below) |

Options for preferredLanguage:

| Option | Description |
| --- | --- |
| en_gb | English (U.K.) |
| en | International English |
| en-us | English (US) |
| nl | Dutch |
| ar | Arabic |
| es | Spanish (Latam) |
| es-ES | Spanish (Spain) |
| fr | French |
| de | German |
| it | Italian |
| pl | Polish |
| pt-BR | Portuguese (Brazil) |
| tr-TR | Turkish |
| ru | Russian |
| ja-JP | Japanese |
| zh-CN | Simplified Chinese |
| zh-HK | Traditional Chinese |
| ko-KR | Korean |

| Optional but recommended | Description |
| --- | --- |
| active | Must be true (or user will be provisioned but archived) |
| phoneNumbers[type eq "mobile"].value | Optional |
| locale | Optional, default location for purposes of localizing |
| department | Optional, for filtering in dashboards |
| division | Optional, for filtering in dashboards |
| organization | Optional, for filtering in dashboards |

Please note: any other attributes from your SCIM will not sync across. Only the above attributes will be captured by CybSafe. If you have attribute mappings that you wish to be synced across to Group management please ensure they are under Department, Division or Organisation. If you do have additional attributes that you need synced across, you can add them in your user provisioning service.

Additional note: for organisations where the userPrincipalName differs from the full email address, please contact CybSafe customer support and confirm your preferred Azure property which contains the full email address.

If you have a mismatch between the full email address and userPrincipalName, users may experience issues with different email accounts or missed emails.
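A pre-flight check of a SCIM user record against the attribute tables above, as an added example (not CybSafe's code). The names check_user, typed, LANGUAGES and SAMPLE are hypothetical; givenName and familyName are read from the name object as in the SCIM core User schema (RFC 7643), and exact-match comparison of the language tag is an assumption.

```python
# Added example: pre-flight check of a SCIM 2.0 User resource against the
# attribute tables on this page. Not CybSafe code; all names are hypothetical.

# preferredLanguage options copied from the table on this page.
LANGUAGES = {"en_gb", "en", "en-us", "nl", "ar", "es", "es-ES", "fr", "de", "it",
             "pl", "pt-BR", "tr-TR", "ru", "ja-JP", "zh-CN", "zh-HK", "ko-KR"}


def typed(user, attr, type_):
    """Return entries of a multi-valued attribute whose type matches."""
    values = user.get(attr) or []
    return [v for v in values if isinstance(v, dict) and v.get("type") == type_]


def check_user(user):
    """Return a list of problems; empty means minimum met and user not archived."""
    problems = []
    if not user.get("userName"):
        problems.append("userName missing")
    work = typed(user, "emails", "work")
    if not any(e.get("value") and e.get("primary") is True for e in work):
        problems.append("no primary work email")
    name = user.get("name") or {}
    for sub in ("givenName", "familyName"):
        if not name.get(sub):
            problems.append(f"name.{sub} missing")
    if not any(a.get("country") for a in typed(user, "addresses", "work")):
        problems.append("no work address with country")
    # Assumption: the tag must match a listed option exactly (case included).
    if user.get("preferredLanguage") not in LANGUAGES:
        problems.append("preferredLanguage not a listed option")
    if user.get("active") is not True:
        problems.append("active is not true: user would be provisioned but archived")
    return problems


# Constructed sample resource (RFC 7643 core User schema).
SAMPLE = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "alex@example.com",
    "name": {"givenName": "Alex", "familyName": "Doe"},
    "emails": [{"type": "work", "value": "alex@example.com", "primary": True}],
    "addresses": [{"type": "work", "country": "GB"}],
    "preferredLanguage": "en_gb",
    "active": True,
}

if __name__ == "__main__":
    print(check_user(SAMPLE) or "minimum attributes present")
```

Running this over an export of the records your IDP will send, before enabling provisioning, surfaces users who would arrive archived or without a usable email language.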

Custom attributes that can be optionally added.

| Attribute | Description | Values (if relevant) |
| --- | --- | --- |
| externalId | Captured, not currently used in reporting | |
| employeeType | Used in CybSafe API for your external reporting | |
| urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber | [Employee Number] used in CybSafe API for your external reporting | |
| city | Captured, not currently used in reporting | |
| office | Captured, not currently used in reporting | |
| businessUnit | Captured, not currently used in reporting | |
| grade | Captured, not currently used in reporting | |
| manager | Captured, not currently used in reporting | |

To add additional attributes in Azure Active Directory specifically, follow the steps in this guide.

Testing

IDPs vary in how quickly the sync starts and how it is maintained, so check your IDP logs to see when the sync has started.

You can verify sync is working by checking the following administration pages:

Still have questions?

If you still have questions, you can contact the CybSafe team via support@cybsafe.com. We’re on hand to help resolve any further issues!
