# SCIM user sync

## Introduction

SCIM (System for Cross-domain Identity Management) is an open standard for synchronising users between an identity provider (Google, Azure, Okta, etc.) and a service provider (Skovik).

## Supported SCIM schemas

Our implementation follows the SCIM 2.0 specification and supports the following schemas.

<table data-full-width="false"><thead><tr><th width="204">Schema</th><th width="518">URN</th></tr></thead><tbody><tr><td>Core user schema</td><td><code>urn:ietf:params:scim:schemas:core:2.0:User</code></td></tr><tr><td>Enterprise user schema</td><td><code>urn:ietf:params:scim:schemas:extension:enterprise:2.0:User</code></td></tr><tr><td>Custom user extension</td><td><code>urn:ietf:params:scim:schemas:extension:skovik:2.0:User</code></td></tr></tbody></table>

The custom user extension schema is used to synchronize custom field values that are unique to our system, for example cost center and default project membership.

## Provided SCIM endpoints

We provide the following SCIM endpoints:

* `/Users` ⇒ For user provisioning, updates, and deprovisioning.
* `/ServiceProviderConfig` ⇒ For SCIM service provider metadata.
* `/Schemas` ⇒ The SCIM schemas supported by our API, including the core user schema, the enterprise extension and our custom extension.
* `/ResourceTypes` ⇒ The resource types available (such as User), along with their associated schemas.

{% hint style="info" %}
We do not support provisioning groups. If you have a need or use case for this, send us feedback explaining the use case and we'll consider it for our future product roadmap.
{% endhint %}

## Implementation Guide

### Prerequisites

* Ensure that all users have a unique email address, as it is the unique identifier (`userName`) used for logging in to Skovik.
* Ensure that the branch an employee should belong to can be identified by an attribute on the identity provider. This attribute must match the `external_identifier` of the branch in our system.
* Identify any custom fields in Skovik that should be provisioned for the employees.

### Configuring SCIM in Skovik

{% stepper %}
{% step %}

### Create an identity provider configuration

Enable "User provisioning" and set up custom field mappings as needed.
{% endstep %}

{% step %}

### Verify branch identifiers

Make sure the `external_identifier` is set on all relevant branches.
{% endstep %}

{% step %}

### Generate a SCIM token and a URL

Generate a SCIM token and URL in the identity provider configuration.
{% endstep %}
{% endstepper %}

### Configuring SCIM in the identity provider

{% stepper %}
{% step %}

### Create a new application for provisioning users

Ask your identity provider or peruse their docs if you don't know how.
{% endstep %}

{% step %}

### Configure the SCIM endpoint and token

Use the URL and token generated in our system.
{% endstep %}

{% step %}

### Set up attribute mappings

See the table of mappings below.
{% endstep %}
{% endstepper %}

### Table of mappings

<table data-full-width="false"><thead><tr><th width="329">SCIM field</th><th width="325">Skovik property</th><th data-type="checkbox">Required</th></tr></thead><tbody><tr><td><code>userName</code></td><td>Employee's email</td><td>true</td></tr><tr><td><code>name.givenName</code></td><td>Employee's first name</td><td>true</td></tr><tr><td><code>name.familyName</code></td><td>Employee's last name</td><td>true</td></tr><tr><td><code>active</code></td><td>Active in Skovik. Setting to <code>false</code> will permanently archive the user.</td><td>true</td></tr><tr><td><code>urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:division</code></td><td>Employee's branch</td><td>true</td></tr><tr><td><code>urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager</code></td><td>Employee's superior</td><td>false</td></tr><tr><td><code>urn:ietf:params:scim:schemas:extension:skovik:2.0:User:custom_field1</code></td><td>Mapped to a custom field in the identity provider configuration.</td><td>false</td></tr><tr><td><code>urn:ietf:params:scim:schemas:extension:skovik:2.0:User:custom_field2</code></td><td>Mapped to a custom field in the identity provider configuration.</td><td>false</td></tr><tr><td><code>urn:ietf:params:scim:schemas:extension:skovik:2.0:User:custom_field3</code></td><td>Mapped to a custom field in the identity provider configuration.</td><td>false</td></tr><tr><td><code>urn:ietf:params:scim:schemas:extension:skovik:2.0:User:custom_field4</code></td><td>Mapped to a custom field in the identity provider configuration.</td><td>false</td></tr><tr><td><code>urn:ietf:params:scim:schemas:extension:skovik:2.0:User:custom_field5</code></td><td>Mapped to a custom field in the identity provider configuration.</td><td>false</td></tr><tr><td><code>urn:ietf:params:scim:schemas:extension:skovik:2.0:User:custom_field6</code></td><td>Mapped to a custom field in the identity provider configuration.</td><td>false</td></tr><tr><td><code>urn:ietf:params:scim:schemas:extension:skovik:2.0:User:custom_field7</code></td><td>Mapped to a custom field in the identity provider configuration.</td><td>false</td></tr><tr><td><code>urn:ietf:params:scim:schemas:extension:skovik:2.0:User:custom_field8</code></td><td>Mapped to a custom field in the identity provider configuration.</td><td>false</td></tr><tr><td><code>urn:ietf:params:scim:schemas:extension:skovik:2.0:User:custom_field9</code></td><td>Mapped to a custom field in the identity provider configuration.</td><td>false</td></tr></tbody></table>
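
The following pre-flight check is an added example, not Skovik's own code: it assembles a SCIM 2.0 User resource from the attributes in the table above and reports mapping problems before the identity provider sends it, including an unintended `active: false`. The function names, the `allow_archive` switch and the case-insensitive duplicate check are assumptions made for illustration; branch identifiers and field values are supplied by the caller.

```python
import re

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
SKOVIK = "urn:ietf:params:scim:schemas:extension:skovik:2.0:User"
CUSTOM_FIELDS = {f"custom_field{i}" for i in range(1, 10)}  # custom_field1..9
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # coarse shape check only


def build_user(email, given, family, branch_id, active=True, custom=None):
    """Assemble a SCIM 2.0 User resource using the mapped attributes."""
    user = {
        "schemas": [CORE, ENTERPRISE],
        "userName": email,
        "name": {"givenName": given, "familyName": family},
        "active": active,
        ENTERPRISE: {"division": branch_id},  # must equal a branch external_identifier
    }
    if custom:
        user["schemas"].append(SKOVIK)  # list the extension only when it is used
        user[SKOVIK] = dict(custom)
    return user


def preflight(user, known_branches, seen_usernames, allow_archive=False):
    """Return a list of problems; an empty list means the resource fits the table."""
    problems = []
    username = user.get("userName") or ""
    if not EMAIL_RE.match(username):
        problems.append("userName must be the employee's email address")
    elif username.lower() in seen_usernames:  # assumed: compare lowercased
        problems.append(f"duplicate userName: {username}")
    name = user.get("name") or {}
    for part in ("givenName", "familyName"):
        if not name.get(part):
            problems.append(f"name.{part} is required")
    if not isinstance(user.get("active"), bool):
        problems.append("active is required and must be a boolean")
    elif user["active"] is False and not allow_archive:
        # Archiving is permanent, so require an explicit opt-in.
        problems.append("active=false permanently archives the user")
    division = (user.get(ENTERPRISE) or {}).get("division")
    if division not in known_branches:
        problems.append(f"division {division!r} matches no external_identifier")
    unknown = set(user.get(SKOVIK) or {}) - CUSTOM_FIELDS
    if unknown:
        problems.append(f"unknown custom fields: {sorted(unknown)}")
    return problems
```

Run it against an export of the directory before enabling provisioning, passing the set of `external_identifier` values configured on your branches as `known_branches`.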
