User provisioning with SCIM

Overview of our SCIM provisioning capabilities and instructions to connect your identity provider to CybSafe.

Written by Jonathan Webster

CybSafe supports provisioning for most Identity Providers (IDPs) via the SCIMv2 protocol.
Read on to find the ideal solution for you and your organisation.

⚠️ If you utilise a provisioning integration to manage your people on CybSafe, all user management should be done from your source IdP in your infrastructure.

Any changes made within the CybSafe platform can be reverted when your provisioning sync next runs.

Overview

You can connect any IDP to CybSafe, including Microsoft Entra and Okta.
You can also manage users manually if you prefer, or combine automated and manual management. Read more about manual options in the article How to add users.

👍 CybSafe recommends

Depending on your infrastructure setup and the volume of users, or of changes to user details, we recommend setting up an automated provisioning sync.
Once you have more than a few hundred users, automated provisioning is the right way to go.

Be sure to plug into your JML (joiners, movers, leavers) process so your identity team manages new joiners and leavers appropriately and this process is automated for you.

Option 1 - Microsoft Entra

We have a published Microsoft Enterprise App to connect SSO and provisioning.

If your Entra data is complete and consistent across your user base, we recommend using this integration.

Read more about how to do it in the article, Set Up user provisioning with Microsoft Entra.

Option 2 - Okta

You can also connect to Okta if this is your preferred IDP.
Read more below for instructions on setting up your custom Okta app to connect to CybSafe.

⚠️ Please always consult Okta's advice on how to configure a SCIM connection to a 3rd party app.
Okta's official guide: Add SCIM provisioning to app integrations.
Some Okta orgs may need to contact Okta support to enable SCIM provisioning on custom apps if the option doesn't appear.

Option 3 - Connect any other IDP to CybSafe

CybSafe supports user provisioning from any Identity Provider that uses the SCIM v2 protocol.
To connect your IDP, you'll need to create a custom app or connector within it, then configure it using the SCIM endpoint and bearer token below.

⚠️ Be sure to follow your chosen IDP's instructions. This article gives you the information from CybSafe that you may need, but does not cover the specifics of your IDP.

Installation details:

Authentication type: OAuth 2 Bearer Token

Installation steps

  1. Generate a provisioning token from our User provisioning tab under the Identity management menu.

  2. Add the SCIM endpoint above to your IDP setup.
    Be sure to maintain any trailing slash and avoid any spaces.

  3. Add the provisioning token into your custom setup for your Identity Provider.

  4. Configure user attributes, detailed below, in line with your IDP setup.

  5. Test the connection if possible.

  6. Start your first sync and then monitor the deployment; see the options below to monitor from CybSafe's side.

Testing

IDPs vary in how quickly the sync starts and how it is maintained, so check your IDP logs to see when the sync has started.

You can verify the sync is working by checking the following administration pages:

  • People overview - as people are synced you will see them added to this list.

  • Group management - if you have synced any user attributes to groups you will see them created here and users added to each group.

  • Identity management > User provisioning - when the provisioning sync is running you will see dates for the last SCIM request and last SCIM change. An N/A in either field indicates the sync is not running correctly.

Supported SCIM attributes

* In the column titled M, O or R, the letters stand for Mandatory, Optional or Recommended.

The attribute names below are the camelCase field names and can be used as the target attribute, unless otherwise stated under additional information.

CybSafe will only show data in a field if it exists in your IDP; any mapped fields with no user data in your IDP will show as blank.

| CybSafe attribute name | Description | Additional information | *M, O or R |
| --- | --- | --- | --- |
| userName | Required by SCIM, usually primary work email address. | Often maps to userPrincipalName | M |
| active | Deactivate or activate a user. | Active users in your IDP are provisioned as active in CybSafe. Deactivated users are provisioned but deactivated. | M |
| emails[type eq "work"].value | Work email address marked as primary. | | M |
| givenName | User's first name. | | R |
| familyName | User's surname. | | R |
| preferredLanguage | Language tag used for email communications, as defined per RFC 5646: https://en.wikipedia.org/wiki/IETF_language_tag. | A full list of supported languages and the associated code can be found here | R |
| timezone | Add the user's timezone. | We recommend using the IANA timezone format, for example Europe/London. | R |
| manager | Sync the user's line manager info. | The line manager will need to exist in CybSafe to link the profiles. | R |
| department | Sync user department information to the folder in group management. | Useful for filtering in campaigns and reporting | R |
| organization | Sync any other user information to the organization folder in group management. | Useful for filtering in campaigns and reporting | R |
| division | Sync any other user information to the division folder in group management. | Useful for filtering in campaigns and reporting | R |
| addresses[type eq "work"].country | User's country location such as GB, US, RSA, FR. | | R |
| externalId | Sync any relevant external IDs that you hold to CybSafe. | There is a dedicated employee number field; use that for employee IDs instead. | O |
| office | Sync the user's office location details. | | O |
| streetAddress | Sync aspects of a user's address. | | O |
| city | Sync a user's town or city location. | | O |
| state | Sync state, county or province. | | O |
| title | Sync users' job titles to the platform. | | O |
| businessUnit | Sync additional user details about their business unit or other departmental structures. | | O |
| employeeNumber | Sync users' employee numbers/IDs. | | O |
| costCenter | Sync users' cost centre details. | | O |
| employeeType | Sync the user's employee type such as permanent, contractor or part time. | | O |
| employeeLevel | Sync the user's employee level or other defining criteria. | | O |
| grade | Sync a user's grade or other defining criteria. | | O |
| hireDate | Sync the user's hire or start date. | The date format should be yyyy-MM-dd | O |

Please note: any other attributes from your SCIM will not sync across. Only the above attributes will be captured by CybSafe if mapped.
If you have attribute mappings that you wish to be synced across to Group management, please ensure they are under Department, Division or Organisation.

Additional note: for organisations where the userPrincipalName differs from the full email address, please contact CybSafe customer support and confirm your preferred user property that contains the full email address.

If you have a mismatch between the full email address and userPrincipalName, users may experience login issues or create duplicate profiles on CybSafe.
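
A pre-sync check you can run over an export of your mapped user data, covering the rules above: mandatory attributes, the userName and email mismatch, the hireDate format and attributes that will not sync. This is an added example, not CybSafe code; the flat record layout keyed by target attribute name, the check_user function and the sample users are assumptions for illustration.

```python
from datetime import datetime

# Target attribute names copied from the table above.
WORK_EMAIL = 'emails[type eq "work"].value'
MANDATORY = ("userName", "active", WORK_EMAIL)
SUPPORTED = set(MANDATORY) | {
    "givenName", "familyName", "preferredLanguage", "timezone", "manager",
    "department", "organization", "division", "externalId", "office",
    'addresses[type eq "work"].country', "streetAddress", "city", "state",
    "title", "businessUnit", "employeeNumber", "costCenter", "employeeType",
    "employeeLevel", "grade", "hireDate",
}

def check_user(rec):
    """Return findings for one mapped user record; an empty list means clean."""
    findings = []
    for attr in MANDATORY:
        if rec.get(attr) in (None, ""):
            findings.append(f"missing mandatory attribute: {attr}")
    if rec.get("active") is not None and not isinstance(rec["active"], bool):
        findings.append("active is not a boolean")
    user, mail = rec.get("userName"), rec.get(WORK_EMAIL)
    # A userName that is not the full email address is the mismatch case.
    if user and mail and user.strip().lower() != mail.strip().lower():
        findings.append("userName differs from work email")
    hire = rec.get("hireDate")
    if hire is not None:
        try:  # round-trip so that unpadded values like 2023-9-4 are rejected
            ok = datetime.strptime(hire, "%Y-%m-%d").strftime("%Y-%m-%d") == hire
        except (ValueError, TypeError):
            ok = False
        if not ok:
            findings.append("hireDate is not yyyy-MM-dd")
    for attr in sorted(set(rec) - SUPPORTED):
        findings.append(f"unsupported attribute, will not sync: {attr}")
    return findings

# Constructed sample records (hypothetical users and domains).
SAMPLE = [
    {"userName": "a.jones@example.com", "active": True,
     WORK_EMAIL: "a.jones@example.com", "hireDate": "2023-09-04"},
    {"userName": "bsmith@corp.example", "active": False,
     WORK_EMAIL: "bob.smith@example.com", "hireDate": "04/09/2023",
     "nickName": "Bob"},
    {"userName": "c.lee@example.com", "givenName": "C"},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec.get("userName"), check_user(rec))
```

Records that report a userName and email difference are the ones to raise with CybSafe customer support before the first sync.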

Still have questions?

If you still have questions, you can contact the CybSafe team via [email protected]. We’re on hand to help resolve any further issues!
