Version: v4.1

SCIM with a SAML 2.0 identity provider

Cyral supports the use of the SCIM protocol to retrieve group information from your SAML identity provider. While Cyral also supports other ways to retrieve group information from SAML, the SCIM approach is the only way to get group information for login workflows in which the user does not visit the Cyral Access Portal. For example, login through Tableau to Snowflake with Cyral SSO relies on Cyral's SCIM integration to retrieve the user's group information.

Prerequisites

Before you set up the SCIM integration, make sure you have:

note

Note the following limits on Cyral SCIM integrations:

  • Cyral supports only SCIM 2.0.
  • Bulk operations are not supported.
  • Cyral supports only the User and Group resource types; custom resource types are not supported.
  • PUT and PATCH are both supported for the User and Group resource types.
  • Cyral supports authentication only via a long-lived OAuth 2.0 bearer token sent in the HTTP Authorization header.

Get configuration values from the Cyral UI

  1. In the Cyral CP, navigate to Integrations ➡️ SAML ➡️ Configure ➡️ find your SAML SSO integration and click the pencil icon to edit.

  2. Select Enable service account resolution. The Configure Your SCIM Integration panel appears.

  3. Note the value shown in the SCIM connector base URL field. In the next procedure, you or your SAML administrator will copy this value into your SAML identity provider. Keep this tab open, or store the value securely until you need it: it contains the OAuth bearer token, which must be kept secret.

    note

    The information shown here includes:

    • SCIM connector base URL: The base URL for the SCIM integration endpoints.
    • Supported provisioning actions: The provisioning actions your SAML app will take for this integration. In our case, we want the SAML app to:
      • Push New Users to Cyral
      • Push Profile Updates to Cyral
      • Push Groups to Cyral
    • Authentication Mode: The method used by SAML to authenticate with Cyral. This will be an OAuth HTTP bearer token.
    • Bearer Token: An OAuth access token needed for authentication and authorization with the Cyral SCIM endpoints associated with the given integration instance.
  4. Click Save.

Configure SCIM in your SAML 2.0 identity provider

Perform the following steps in your SAML 2.0 identity provider.

Set up and test SCIM

Enable SCIM provisioning on your SAML app used for Cyral SSO (mentioned in the procedure above).

Enable user provisioning

The following steps will start the provisioning process to copy SAML users and groups to Cyral.

tip

When setting up a new SCIM integration, Cyral recommends first testing the steps below with a limited set of users and groups before you import all users.

  1. Set your SAML application to allow SCIM clients to perform the following actions:

    • Create Users
    • Update User Attributes
    • Deactivate Users
  2. In your SAML application, set up attribute mappings to allow sharing of each user's:

    • first name
    • last name
    • username
    • email
  3. Make sure all needed users and groups have been assigned to the SAML application. Check the documentation for your SAML provider to find out how to assign users to the SAML app.

  4. If your SAML application allows it, perform a sync action to send user and group information to Cyral.
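To see what the provisioning actions above actually put on the wire, and to check a test push against the limits listed in the note under Prerequisites (SCIM 2.0 only, User and Group resources only, no bulk, bearer-token authentication), here is an added example. It is not Cyral's code or the identity provider's; it uses the SCIM-standard resource paths relative to the base URL, and the token and user values are constructed placeholders.

```python
"""SCIM 2.0 request builder and pre-flight checker (example code, not Cyral's).
Encodes the documented limits so a test push can be checked before the IdP is
pointed at the real connector. Paths are standard SCIM paths relative to the
base URL; the bearer token and user data are constructed placeholders."""
import json

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SUPPORTED_RESOURCES = {"Users", "Groups"}  # User and Group only, per the note


def scim_user(first, last, username, email, active=True):
    """Map the four attributes from the mapping step onto the core User schema."""
    return {"schemas": [USER_SCHEMA], "userName": username, "active": active,
            "name": {"givenName": first, "familyName": last},
            "emails": [{"value": email, "primary": True}]}


def group_add_member(user_id):
    """PATCH body that adds one member to a Group (RFC 7644 section 3.5.2)."""
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "add", "path": "members",
                            "value": [{"value": user_id}]}]}


def check_request(method, path, headers, body):
    """Return the ways a request breaks the documented limits ([] means OK)."""
    problems = []
    resource = next((seg for seg in path.split("/") if seg), "")
    schemas = body.get("schemas", [])
    if resource == "Bulk" or any("BulkRequest" in s for s in schemas):
        problems.append("bulk operations are not supported")
    elif resource not in SUPPORTED_RESOURCES:
        problems.append(f"unsupported resource type: {resource!r}")
    if body and not any(":2.0:" in s for s in schemas):
        problems.append("body must declare a SCIM 2.0 schema")
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer ") or not auth.split(" ", 1)[1].strip():
        problems.append("Authorization header must carry an OAuth 2.0 bearer token")
    return problems


def redact(headers):
    """Copy of the headers that is safe to log: the bearer token is masked."""
    return {k: ("Bearer ***" if k.lower() == "authorization" else v)
            for k, v in headers.items()}


if __name__ == "__main__":
    hdrs = {"Authorization": "Bearer PLACEHOLDER_TOKEN",
            "Content-Type": "application/scim+json"}
    body = scim_user("Ada", "Lovelace", "ada.lovelace", "ada@example.test")
    print(json.dumps(body, indent=2))
    print(redact(hdrs), check_request("PUT", "/Users/u-123", hdrs, body))
```

Run the checker against the requests your identity provider's test sync generates (with the token masked via `redact` in any log output) before assigning the full user population to the SAML app.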

Next step

With SCIM configured, your Cyral installation can provide service account resolution for Looker and Tableau, ensuring you know the SSO user identity of users who connect to a repository through a service account. See set-up instructions: