User Provisioning through miniOrange using SCIM
The System for Cross-domain Identity Management (SCIM) integration between miniOrange and SafeNet Trusted Access (STA) enables you to provision users or groups from miniOrange to STA.
The miniOrange Provisioning Service is based on the SCIM 2.0 protocol. It can connect to the SCIM API for STA user management endpoint to automatically create, update, and remove/deactivate users or groups.
Setting up your SCIM integration between miniOrange and STA requires:
Getting an API key and the SCIM endpoint for SafeNet Trusted Access for Authorization
The miniOrange provisioning service needs API Key credentials to connect to the SCIM API for STA. As the miniOrange provisioning service uses the SCIM protocol, it needs an API key and an SCIM API endpoint, which you can get from the SafeNet Trusted Access Console.
- To generate an API key for your tenant, refer to Generate an API key.
- To copy the SCIM API endpoint, refer to Endpoint URL.
You will need the API key and SCIM API endpoints while configuring miniOrange for the SCIM provisioning.
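The kind of SCIM 2.0 (RFC 7644) requests a provisioning client sends with the API key as a bearer token, shown as an added Python example that is not miniOrange or STA code. The base URL, API key, user id and helper names are constructed placeholders, and the exact attributes and operations miniOrange sends to STA are an assumption.

```python
import json
from urllib.parse import urlsplit

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def scim_request(base_url, api_key, method, path, body=None):
    """Build one SCIM 2.0 request (RFC 7644) as a dict; nothing is sent."""
    parts = urlsplit(base_url)
    # The API key travels in every request, so refuse a non-TLS endpoint
    # or one with credentials embedded in the URL.
    if parts.scheme != "https" or not parts.hostname or parts.username:
        raise ValueError("SCIM base URL must be https:// without userinfo")
    headers = {"Authorization": "Bearer " + api_key, "Accept": "application/scim+json"}
    if body is not None:
        headers["Content-Type"] = "application/scim+json"
    return {"method": method, "url": base_url.rstrip("/") + path,
            "headers": headers, "body": None if body is None else json.dumps(body)}

def create_user(base_url, api_key, user_name, given, family, email):
    # Core User resource; which attributes are mapped is set in miniOrange.
    body = {"schemas": [USER_SCHEMA], "userName": user_name,
            "name": {"givenName": given, "familyName": family},
            "emails": [{"value": email, "primary": True}], "active": True}
    return scim_request(base_url, api_key, "POST", "/Users", body)

def disable_user(base_url, api_key, user_id):
    # Deactivation as a PatchOp that sets active=false (assumed operation).
    body = {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}
    return scim_request(base_url, api_key, "PATCH", "/Users/" + user_id, body)

def delete_user(base_url, api_key, user_id):
    return scim_request(base_url, api_key, "DELETE", "/Users/" + user_id)

def redact(request):
    """Copy of a request that is safe to log: the bearer token is masked."""
    safe = dict(request, headers=dict(request["headers"]))
    safe["headers"]["Authorization"] = "Bearer ****"
    return safe

if __name__ == "__main__":
    BASE = "https://scim.example.invalid/scim/v2"  # constructed placeholder
    KEY = "EXAMPLE-API-KEY"                         # constructed placeholder
    for req in (create_user(BASE, KEY, "jdoe", "Jane", "Doe", "jdoe@example.invalid"),
                disable_user(BASE, KEY, "2819c223"), delete_user(BASE, KEY, "2819c223")):
        print(json.dumps(redact(req), indent=2))
```

Because the API key authorizes user creation and deletion in the tenant, treat it like any other privileged secret: keep it out of logs and tickets, as `redact` does here.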
Configuring miniOrange for the SCIM Integration
Configuring miniOrange for the SCIM integration requires:
Creating an SCIM-based Application
To set up the SCIM integration between miniOrange and SafeNet Trusted Access (STA), the first step is to add an application representing STA in miniOrange.
Perform the following steps to add an application in miniOrange:
1. Log in to miniOrange as a cloud administrator using the https://login.xecurify.com/moas/login URL.
2. On the administrator console, in the left pane, under Configure, click Apps, and in the right pane, click +Add Application.
3. Under Choose Application Type, select PROVISIONING.
4. Under Provisioning, select SCIM Server (Destination).
5. Under Add App, perform the below steps:
   a. In the Custom Application Name field, enter a name for your application (for example, STA).
   b. In the SCIM Base URL field, enter the SCIM API ENDPOINT URL that you obtained earlier in the Getting an API key and the SCIM endpoint for SafeNet Trusted Access for authorization section.
   c. In the Bearer Token field, enter the API KEY that you obtained earlier in the Getting an API key and the SCIM endpoint for SafeNet Trusted Access for authorization section.
   d. Under CONFIGURE ATTIRIBUTES MAPPING, you can map the attributes as per your preferred configuration.
      - For information on the SCIM attributes supported by STA, refer to SCIM core user attributes.
      - For information on the SCIM attributes not supported by STA, refer to Unsupported core user attributes.
      - For information on the custom user attributes in STA, refer to STA custom user attributes.
   e. Under ENABLE PROVISIONING FEATURES, turn on the toggle for all the options (options may differ as per your preferred configuration).
   f. Click Save.
Creating a Group
You need to create a group in miniOrange to provision users or a group of users in SafeNet Trusted Access (STA). Perform the following steps to create the user group:
1. On the administrator console, in the left pane, under Manage, click Groups > Manage Groups, and in the right pane, click Create Group.
2. Under ADD GROUP, in the Group Name field, enter a name for your group (for example, STA Group), and click Create Group.
Creating a Policy
To provision the user group in STA, you need to create a policy that will map the SCIM-based application with the user group. Perform the following steps to create the policy:
1. On the administrator console, in the left pane, under Configure, click Policies > App Login Policy.
2. In the right pane, under APP AUTHENTICATION POLICY, click the Add Policy tab, and perform the below steps:
   a. In the Application field, select the STA instance (for example, STA) that you created earlier in step 5 (a) of Creating an SCIM-based Application.
   b. In the Group Name field, select the group (for example, STA Group) that you created in step 2 of Creating a Group.
   c. In the Policy Name field, enter a name for the policy (for example, STA Policy).
   d. In the Login Method field, select a login method as per your preferred configuration.
   e. Click Save.
Assigning Users to a Group
In order to provision users to SafeNet Trusted Access (STA), you need to assign the users to the group (for example, STA Group) that you created in step 2 of Creating a Group. The users who have the group membership will be provisioned to STA.
Perform the following steps to assign users to the group:
1. On the administrator console, in the left pane, under Manage, click Groups > Manage Groups.
2. In the right pane, for the group (for example, STA Group) that you created earlier, in the Action column, select Assign Users.
3. Under ASSIGN USERS, perform the following steps:
   a. In the table, select the user whom you want to provision in STA.
   b. In the Select Action dropdown list, select Assign to Group.
   c. Click Apply.
Verifying Provisioning and Deprovisioning
Creating Users
After assigning users to the group, users are provisioned in SafeNet Trusted Access (STA). You can verify the provisioning of users by performing the following steps:
1. Log in to the SafeNet Trusted Access Console.
2. Go to the STA Token Management console and click the Assignment tab.
3. Under Search User, you can search for a list of users that are assigned to the group in miniOrange. Alternatively, you can search for individual users to verify if the users are provisioned in STA.
Updating Users
After updating a user in miniOrange, the user is automatically updated in SafeNet Trusted Access (STA). You can update a user in miniOrange by performing the following steps:
1. On the administrator console, in the left pane, click Users > User List and in the right pane, in the Actions column, select Edit for the user to be updated.
2. Update the fields’ values as per your preferred configuration and click Save.
3. After updating the user in miniOrange, perform the following steps to verify if the user is updated in STA:
   a. On the STA Token Management console, click the Assignment tab.
   b. Under Search User, search for the user to verify if the user is updated.
Deleting Users
After deleting a user from miniOrange, the user is automatically deleted from SafeNet Trusted Access (STA). You can delete a user in miniOrange by performing the following steps:
1. On the administrator console, in the left pane, click Users > User List, and in the right pane, in the Actions column, select Delete for the user to be deleted.
2. The Delete Enduser window is displayed. Click Yes to delete the user.
3. Perform the following steps to verify if the user is deleted from STA:
   a. On the STA Token Management console, click the Assignment tab.
   b. Under Search User, search for the user to verify if the user is deleted.
Removing the user from the group in miniOrange will delete the user from STA if the user belongs to only that group.
Disabling Users
After disabling a user in miniOrange, the user automatically comes under the locked token state in SafeNet Trusted Access (STA). You can disable a user in miniOrange by performing the following steps:
1. On the administrator console, in the left pane, click Users > User List, and in the right pane, in the Actions column, select Disable User for the user to be disabled.
2. The Disable a enduser window is displayed. Click Yes to disable the user.
3. Perform the following steps to verify if the user is disabled in STA:
   a. Go to the STA Token Management console and click the Assignment tab.
   b. Under Search User, search for the user to verify if the user is under the locked token state in STA.
A token must be assigned to a user in STA.
Creating Groups
After mapping the SCIM application with the group while creating a policy, the group push from miniOrange to SafeNet Trusted Access (STA) will be executed. You can verify the provisioning of groups by performing the following steps:
1. On the STA Token Management console, click the Groups tab.
2. Under Group Maintenance > Internal, all the miniOrange groups that are pushed to STA are listed.
Deleting Groups
After deleting the policy that you created in the Creating a policy section, the group will be automatically deleted from SafeNet Trusted Access (STA). You can delete a policy in miniOrange by performing the following steps:
1. On the administrator console, in the left pane, click Policies > App Login Policy and in the right pane, in the Action column, click Delete for the policy to be deleted.
2. The Delete Policy window is displayed. Click Yes to delete the policy.
3. Perform the following steps to verify if the group is deleted from STA:
   a. On the STA Token Management console, click the Groups tab.
   b. Under Group Maintenance > Internal, search for the group to verify if it is deleted.