Skip to main content
Version: v4.8

SCIM with a SAML 2.0 Identity Provider

Cyral supports the use of the SCIM protocol to retrieve group information from your SAML identity provider. While Cyral also supports other ways to retrieve group information from SAML, the SCIM approach is the only way to get group information for login workflows in which the user does not visit the Cyral Access Portal. For example, login through Tableau to Snowflake with Cyral SSO relies on Cyral's SCIM integration to retrieve the user's group information.

Prerequisites

Before you set up the SCIM integration, make sure you have:

note

Note the following limits on Cyral SCIM integrations:

  • Cyral supports only SCIM 2.0.
  • Bulk operations are not supported.
  • Cyral supports only the user and group resource types. No other custom resources are supported.
  • PUT and PATCH are both supported for user and group resource types.
  • Cyral supports authentication only via a long-lasting OAuth 2.0 bearer token that's been sent as an HTTP authorization header.

Get configuration values from the Cyral UI

  1. In the Cyral CP, navigate to Integrations ➡️ SAML ➡️ Configure ➡️ find your SAML SSO integration and click the pencil icon to edit.

  2. Select Enable service account resolution. The Configure Your SCIM Integration panel appears.

  3. Note the value shown in the field, SCIM connector base URL. In the next procedure, you or your SAML administrator will copy this value into SAML. Keep this tab open, or store this value securely until you need it. This value contains the OAuth bearer token, which must be kept secure.

    note

    The information shown here includes:

    • SCIM connector base URL: The base URL for the SCIM integration endpoints.
    • Supported provisioning actions: The provisioning actions your SAML app will take for this integration. In our case, we want the SAML app to:
      • Push New Users to Cyral
      • Push Profile Updates to Cyral
      • Push Groups to Cyral
    • Authentication Mode: The method used by SAML to authenticate with Cyral. This will be an OAuth HTTP bearer token.
    • Bearer Token: An OAuth access token needed for authentication and authorization with the Cyral SCIM endpoints associated with the given integration instance.
  4. Click Save.

Configure SCIM in your Identity Provider

Follow your IdPs SCIM configuration instruction, referencing the values you got from the Cyral UI. Ensure that the IdP can connect to SCIM, and then test the provisioning of users and groups. Please consider the following:

  1. Ensure that your IdP's SCIM application can perform the following actions:

    • Create Users
    • Update User Attributes
    • Deactivate Users
  2. Cyral requires the following user attributes to be sent via SCIM at a minimum:

    • first name
    • last name
    • username
    • email Additional attributes are accepted. Please use the SCIM Schema endpoints to see a full list of supported attributes.
  3. Make sure all users and groups have been assigned to the SCIM application.

Next step

With SCIM configured, your Cyral installation can provide service account resolution for Looker and Tableau, ensuring you know the SSO user identity of users who connect to a repository through a service account. See set-up instructions: