Version: v4.8

SCIM with a SAML 2.0 identity provider

Cyral supports the use of the SCIM protocol to retrieve group information from your SAML identity provider. While Cyral also supports other ways to retrieve group information from SAML, the SCIM approach is the only way to get group information for login workflows in which the user does not visit the Cyral Access Portal. For example, login through Tableau to Snowflake with Cyral SSO relies on Cyral's SCIM integration to retrieve the user's group information.

Prerequisites

Before you set up the SCIM integration, make sure you have:

  • A OneLogin solution that supports User Provisioning (such as the Professional Bundle).
  • A working OneLogin SSO integration configured in Cyral.

Get configuration values from the Cyral UI

  1. In the Cyral CP, navigate to Integrations ➡️ SAML ➡️ Configure ➡️ find the OneLogin SSO integration you created for OneLogin and click the pencil icon to edit.

  2. Select Enable service account resolution. The Configure Your SCIM Integration panel appears.

  3. The integration tile will display some configuration values. In the next procedure, you or your SAML administrator will copy these values into the IdP. Copy the values displayed and store them securely.

    note

    The following values must be saved for later use:

    • SCIM connector base URL: The base URL for the SCIM integration endpoints.
    • Bearer Token: An OAuth access token needed for authentication and authorization with the Cyral SCIM endpoints associated with the given integration instance.
  4. Click Save.

Configure SCIM in OneLogin

Perform the following steps in OneLogin.

  1. Navigate to the SCIM Provisioner with SAML (SCIM v2 Enterprise, full SAML) application you created when configuring the OneLogin SSO integration.

  2. Navigate to the Configuration tab of your OneLogin SAML application. Under the API Connection section:

    • Select Enable.
    • Copy the following JSON into the SCIM JSON Template field:
      {
        "schemas": [
          "urn:scim:schemas:core:2.0"
        ],
        "userName": "{$parameters.scimusername}",
        "name": {
          "familyName": "{$user.lastname}",
          "givenName": "{$user.firstname}",
          "formatted": "{$user.display_name}"
        },
        "emails": [{
          "value": "{$user.email}",
          "type": "work",
          "primary": true
        }],
        "title": "{$parameters.title}"
      }
    • Enter the SCIM Base URL retrieved from the Cyral management console in the previous section.
    • Enter the Bearer Token retrieved from the Cyral management console in the previous section.
    • Save the integration.
  3. Navigate to the Rules tab. Add a rule. Name it scim-groups-are-roles. Under Actions:

    • Select Set Groups in <APP_NAME> from the dropdown menu.
    • Select Map from OneLogin.
    • Use the second dropdown and select Role that matches ^.*$. Note: If you prefixed all your Cyral OneLogin Roles with the string ‘cyral’, you can use the regex ^cyral.*$
    • Click Update.
    • Save the integration.
  4. Navigate to the Provisioning tab.

    • Select Enable Provisioning
    • Ensure that updates in OneLogin are automatically propagated to Cyral. Under ‘Require admin approval before this action is performed’, deselect all actions.
    • Save the integration.
  5. Navigate to the Parameters tab.

    • Edit the scimusername field. Set the value to Email.
    • Edit the Groups field. Select Include in User Provisioning.
    • Ensure that updates in OneLogin are automatically propagated to Cyral. Under ‘Require admin approval before this action is performed’, deselect all actions.
    • Save the integration.
  6. Navigate to the Provisioning tab. Under the Entitlements section, select Refresh. This is how you will trigger the rule you created, mapping OneLogin Roles to the users and groups that will be provisioned to Cyral.

  7. Navigate to the Users tab. From the drop-down in the top right corner, select Apply to all and then Reapply Mappings. Repeat steps 6 and 7 until there are no errors.
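To check what a provisioning payload looks like once the SCIM JSON Template (step 2) and the scim-groups-are-roles rule (step 3) are in place, here is an added Python example; it is not Cyral's or OneLogin's code. It expands the template macros for a constructed OneLogin user and applies the role-matching regex; the macro expansion and the shape of the `groups` attribute are assumptions about OneLogin's behaviour, and the user, parameter and role values are constructed sample data.

```python
import json
import re

# The SCIM JSON Template from the procedure above. The {$user.x} and
# {$parameters.x} macros are expanded by OneLogin per user (expansion
# rules below are an assumption for illustration).
SCIM_TEMPLATE = """{
  "schemas": ["urn:scim:schemas:core:2.0"],
  "userName": "{$parameters.scimusername}",
  "name": {
    "familyName": "{$user.lastname}",
    "givenName": "{$user.firstname}",
    "formatted": "{$user.display_name}"
  },
  "emails": [{"value": "{$user.email}", "type": "work", "primary": true}],
  "title": "{$parameters.title}"
}"""

MACRO = re.compile(r"\{\$(user|parameters)\.(\w+)\}")

def render_template(template, user, parameters):
    """Expand template macros into a SCIM user dict (JSON-escaping each value)."""
    def expand(match):
        source = user if match.group(1) == "user" else parameters
        value = source.get(match.group(2), "")
        return json.dumps(str(value))[1:-1]  # escape quotes/backslashes safely
    return json.loads(MACRO.sub(expand, template))

def roles_to_groups(roles, pattern=r"^.*$"):
    """scim-groups-are-roles: roles whose name matches the regex become groups.
    Default is the page's catch-all ^.*$; ^cyral.*$ keeps only Cyral roles."""
    rx = re.compile(pattern)
    return sorted(r for r in roles if rx.match(r))

def build_scim_user(user, parameters, roles, pattern=r"^.*$"):
    """Combine the rendered template with the mapped groups (assumed shape)."""
    payload = render_template(SCIM_TEMPLATE, user, parameters)
    payload["groups"] = [{"value": g} for g in roles_to_groups(roles, pattern)]
    return payload

# Constructed sample data: scimusername is set to Email as in step 5.
SAMPLE_USER = {"firstname": "Ada", "lastname": "Lovelace",
               "display_name": "Ada Lovelace", "email": "ada@example.com"}
SAMPLE_PARAMETERS = {"scimusername": "ada@example.com", "title": "Analyst"}
SAMPLE_ROLES = ["cyral-admins", "finance-all", "cyral-readers"]

if __name__ == "__main__":
    print(json.dumps(build_scim_user(SAMPLE_USER, SAMPLE_PARAMETERS,
                                     SAMPLE_ROLES, r"^cyral.*$"), indent=2))
```

Run it to compare the expected payload against what you see in the OneLogin provisioning logs when step 7 reports errors.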

Next step

With SCIM configured, your Cyral installation can provide service account resolution for Looker and Tableau, ensuring you know the SSO user identity of users who connect to a repository through a service account. See set-up instructions: