Installing the Provisioning Service

The Laserfiche SCIM Service is a SCIM 2.0 compatible service for automating user provisioning from a SAML identity provider to Directory Server.

Install the Laserfiche Directory Server SCIM Service (SCIM 2.0)

  1. Use the autorun or double-click SetupLf.exe to launch the installation.

    Note: The Laserfiche SCIM Service must be installed on a machine that is reachable by the SAML provider (e.g., Microsoft Entra ID or Okta). The Laserfiche SCIM Service can be installed on the same machine as the external STS, but this is not a requirement.

  2. On the Language Selection step, select the display language for the installation.
  3. On the Welcome to the Laserfiche Directory Server Setup Wizard step, click Next to continue.
  4. On the License Agreement step, click I accept the terms in the License Agreement after reading the license agreement and click Next to accept the agreement.
  5. On the Custom Setup step, select the Laserfiche SCIM Service 11 component. In the Install directory option, specify a different installation path if necessary and click Next to continue.
  6. On the TLS Certificate Options step, select the appropriate certificate from the Local Computer's Personal certificate store.

    Note: Laserfiche Directory Server requires secure HTTP communication. If you bypass this step, you must still configure a valid HTTP binding on your IIS website hosting LFDS. To learn more, navigate to Certificate Types & Requirements.

  7. On the Laserfiche Service Settings step, select an appropriate user account for the SCIM Service IIS App Pool.
  8. On the Ready to Install step, click Install to begin the installation.
  9. On the final step, click Finish to close the wizard.
  10. On the machine hosting the Laserfiche SCIM Service, open the Laserfiche SCIM Service Configuration Utility (by default, the utility is installed to C:\Program Files\Laserfiche\Directory Server\SCIM\LfdsScimServiceConfig.exe).
  11. Take note of the Laserfiche SCIM Service base URL for configuration purposes in your respective SAML identity provider.
  12. Under Laserfiche Directory Server site, click Add to specify the location of Laserfiche Directory Server. Include the machine name, port number, and licensing site name. The default port is 5049 and the site should be using TLS (the URL should begin with https://). For example:

    https://SampleDirectoryServerHostname:5049/SampleLicensingSiteName

    The URL can be found from the Directory Server administration site by viewing the Settings page's General tab. Take note of the SCIM service endpoint URL value.

  13. Configure certificate authentication between the Laserfiche SCIM Service and Laserfiche Directory Server. The certificate must include the private key, and if the certificate is generated with select purposes, it must include the "Client Authentication" purpose. This certificate must be configured for both Laserfiche Directory Server and the Laserfiche SCIM Service.
    • Laserfiche Directory Server: On the machine hosting Directory Server, open the Laserfiche Directory Server Configuration Utility (by default, the utility is installed to C:\Program Files\Laserfiche\Directory Server\XmlEndpointUtility.exe).
      1. Click the Other tab.
      2. In the Certificates section, use the drop-down list to view available certificates in the local store. Select the desired certificate and click Add to add the certificate for Directory Server.
    • Laserfiche SCIM Service: On the machine hosting the Laserfiche SCIM Service, open the Laserfiche SCIM Service Configuration Utility (by default, the utility is installed to C:\Program Files\Laserfiche\Directory Server\SCIM\LfdsScimServiceConfig.exe).
      1. In the Certificate to connect to server section, select or import a certificate to encrypt communication with Laserfiche Directory Server.
  14. Click Connect to test the connection.
  15. In the Bearer tokens section, click Add to generate a bearer token for use with the SAML identity provider. This bearer token will be necessary for configuration purposes in your respective SAML identity provider.
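
Before selecting a certificate in step 13, you can list which certificates in the Local Computer Personal store meet the stated requirements (private key present, and the "Client Authentication" purpose if purposes are restricted). This is an added example, not part of the Laserfiche documentation; the validity-period column is an extra sanity check that the page does not list as a requirement.

```powershell
# Added example: screen Cert:\LocalMachine\My for certificates that satisfy the
# step 13 requirements. Run in an elevated PowerShell session on the machine
# hosting Directory Server and on the machine hosting the SCIM Service.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # OID of the "Client Authentication" purpose
$now = Get-Date

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Locate the Enhanced Key Usage extension, if the certificate has one.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }

    # No EKU extension means the certificate is not limited to select purposes.
    $ekuOids = @()
    if ($ekuExt) {
        $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    }
    $purposeOk = (-not $ekuExt) -or ($ekuOids -contains $clientAuthOid)

    # Extra check (not a requirement stated on this page): inside validity period.
    $inValidity = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        ClientAuthOk  = $purposeOk
        InValidity    = $inValidity
        Candidate     = ($cert.HasPrivateKey -and $purposeOk -and $inValidity)
    }
} | Sort-Object -Property Candidate -Descending | Format-Table -AutoSize
```

Rows with Candidate = True are the ones to look for in the drop-down lists of the two configuration utilities; confirm that the same certificate is selected on both sides.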

Okta Provisioning Agent (SCIM 1.1)

Note: Installing the Okta Provisioning Agent is only necessary when using Laserfiche Directory Server's SCIM 1.1 implementation.

Prior to configuring on-premises provisioning for Laserfiche Directory Server, you must install the provisioning agent using the Windows installer in Okta.

Note: It is recommended to have the Okta provisioning agent communicate with Laserfiche Directory Server over HTTPS. The Base SCIM URL link generated in Laserfiche Directory Server defaults to the HTTPS Laserfiche Directory Server endpoint (port 5049).

Using the Windows Installer in Okta

To install the provisioning agent using the Windows installer, do the following:

  1. Sign in to Okta and navigate to the Administrator Dashboard.
  2. Click Settings, then Downloads.
  3. Click the Download button for the appropriate Windows Okta Provisioning Agent.
  4. Launch the installer and then click the Next button.
  5. Click Next on the License Agreement dialog box.
    • Optional: Change the installation folder on the Installation options dialog box and then click the Install button.
  6. Enter your Okta Customer Domain URL and then click the Next button to register.
  7. Go to your browser and sign in to your organization. You are asked to grant permission to access the Okta API. Click the Allow Access button.
  8. Go back to the installation wizard and click Finish to complete the installation.
  9. Enable the TLS 1.2 protocol. If you already have TLS 1.2 enabled, you may skip this step.

    Note: Enabling TLS 1.2 is only necessary if the Okta provisioning agent communicates with Laserfiche Directory Server over HTTPS.

    • Navigate to C:\Program Files\Okta\OktaProvisioningAgent\current\jre\bin.
    • Double-click javacpl to open the Java Control Panel.
    • On the Java Control Panel, click the Advanced tab.
    • Under the Advanced Security Settings section, choose TLS 1.2.
  10. Navigate back to Okta and go to your Administrator Dashboard.
  11. Select Agents and make sure that the on-premises agent that you configured is displayed in the list.
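
To confirm from the agent machine that the Directory Server HTTPS endpoint (port 5049) completes a TLS 1.2 handshake, you can run a check like the following. This is an added example, not part of the Laserfiche or Okta documentation; the host name is a placeholder, and the check uses the Windows certificate trust store, not the trust store of the agent's bundled Java runtime.

```powershell
# Added example: attempt a TLS 1.2-only handshake with Directory Server.
$hostName = 'SampleDirectoryServerHostname'   # placeholder: your Directory Server machine
$port     = 5049                              # default HTTPS port named on this page

$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($hostName, $port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        # Offer TLS 1.2 only. The call throws if the server cannot negotiate it
        # or if its certificate does not validate against the Windows trust store.
        $ssl.AuthenticateAsClient(
            $hostName,
            $null,
            [System.Security.Authentication.SslProtocols]::Tls12,
            $false)

        $serverCert = New-Object `
            System.Security.Cryptography.X509Certificates.X509Certificate2(
                $ssl.RemoteCertificate)

        [pscustomobject]@{
            Endpoint   = "${hostName}:$port"
            Protocol   = $ssl.SslProtocol
            Subject    = $serverCert.Subject
            Issuer     = $serverCert.Issuer
            NotAfter   = $serverCert.NotAfter
            Thumbprint = $serverCert.Thumbprint
        }
    }
    finally {
        $ssl.Dispose()
    }
}
catch {
    Write-Warning "TLS 1.2 handshake with ${hostName}:$port failed: $($_.Exception.Message)"
}
finally {
    $tcp.Dispose()
}
```

A warning here points to a network, protocol, or certificate-trust problem on the path to Directory Server that should be resolved before troubleshooting the agent itself.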

Note: To learn more about installing the provisioning agent using the Windows or Linux installer, see Installing the On-Premises Provisioning Agent.