Configuring SCIM (System for Cross-domain Identity Management) in Laserfiche Cloud
SCIM is an open standard designed to manage user identity information. The goal of SCIM is to help automate the exchange of user identity data between your company's various applications and service providers. Once configured, users that are added, updated, or removed from your identity provider will be automatically updated in Laserfiche. This will greatly minimize manual administration of users between identity providers and Laserfiche.
Note: When an administrator removes assigned users or groups from the SCIM application on the identity provider, the corresponding user in Laserfiche is disabled, and the corresponding group in Laserfiche is removed.
To enable SCIM:
- Navigate to Laserfiche Cloud Account Administration.
- Click the Settings tab.
- Click the Single Sign-On tab
- Click the SCIM Provisioning tab.
Note: You must have SSO configured to see the SCIM Provisioning tab.
- Next to SCIM Provisioning Status, click Enable.
- In the Cross Domain Identity Management Token dialog box that appears, click Copy the bearer token to clipboard. This token will let the identity provider authenticate with the SCIM server. Save this token in a secured location for later use. Click Finish.
- Once enabled, a Management Endpoint and Rotate Bearer Token section will appear. The Management Endpoint is a URL the identity provider will send the SCIM requests to. Click Copy endpoint to clipboard. The Rotate Bearer Token section lets you create a new bearer token if needed.
Service Provider Information
Clicking the Service Provider Information link displays additional information you may need to set up your identity service provider:
- Audience URL (SP Entity ID)
- Assertion Consumer Service URL
- Recipient and destination URL
- Name ID format
- Default relay state
- Download a public certificate
You can also download a Laserfiche metadata file to import to your identity provider.
For more information on configuring SCIM for different identity providers, see the Configuring SCIM for Specific Identity Providers help topic.
SCIM Group License Rules
Notice Period for October 31, 2024 to November 14, 2024: During this interim period before the general availability release of the full feature, existing SCIM provisioning functionality remains unchanged. However, to change an already SCIM-provisioned user’s license type, you must turn on the new "Exempt from SCIM licensing rules" option for a user before choosing a new license type. Administrators can use this period to familiarize themselves with the new license rules options as well as pre-configure new group rules. Pre-configured group rules can be saved in preparation for the general availability release on November 14, 2024. Saving changes will show a notification indicating that the saved changes to license rules won’t take effect until the final release.
Laserfiche can help automate license assignments for SCIM-provisioned users based on the user's group membership.
To create group license rules
Group rules should be organized by priority. If a user is a member of multiple groups, the user will be assigned the license that is set for the rule with the highest priority, in other words, the first rule that matches going top to bottom. The first rule on the page has the highest priority. The last rule on the page has the lowest priority.
- Navigate to the Laserfiche Cloud Account Administration service.
- Click the Settings page.
- Click the Single Sign-On tab.
- Click the License Rules tab.
- Select a Default License Type.
- Optional: If no groups have been provisioned from your Identity Provider, you will need to push groups to Laserfiche Cloud first.
Note: Laserfiche does not retrieve information from your Identity Provider; Laserfiche can only receive information. A group may not be available in the dropdown list for a license rule until the group is pushed from your Identity Provider to Laserfiche.
- Click Add a new rule to select a group and the license type that will be assigned to any users in this group.
- Click Save Changes to save your rules.
General Guidelines for SCIM License Rules
See the following general recommendations when using SCIM license rules to automate license assignment.
- Plan out the group structure for license assignment.
- Automate License Changes Based on Group Membership: SCIM Group Licensing allows for automatic license assignments when a user is added or removed from a group, ensuring that users always have the correct access.
- Minimize Group Overlap: Avoid unnecessary group overlap to prevent complexity in license assignments and potential conflicts.
- Create Specific License Groups If Needed: Use dedicated SCIM groups for licensing when possible, rather than relying on existing groups created for other purposes, like email or access management.
- Configure a Default License Type as a Fallback.
Configure default license type as a fallback for users who are not covered by group licensing rules. This ensures that users don’t lose access if they are not assigned to any group or in case of group synchronization failures.
- Keep each group under 5000 users when using SCIM provisioning with Okta.
This recommendation aims to provide a smooth user experience for Okta customers as they may experience provisioning issues with group memberships exceeding this size.
- Only SCIM-provisioned users are affected by SCIM license rules. Existing users cannot be migrated over to being managed through SCIM group licensing.
Note: When SCIM license rules are saved for the first time, all SCIM users' licenses will be automatically managed by these rules. The rules apply only to direct groups, not to indirect or nested groups (i.e., groups assigned to other groups).
Exempting a SCIM-provisioned User from Licensing Rules
When a user is provisioned via SCIM to Laserfiche, the Exempt from SCIM licensing rules option is not selected by default. The license type cannot be changed until this checkbox is selected. Additionally, attempting to modify the license type through the Import user configuration CSV file or Set user license type options on the Users page will result in an error message: Cannot update SCIM-managed user license.
Clear the checkbox to have the user's license assigned automatically through SCIM license rules. When checked, administrators can override SCIM license rules and specify a license type.
Note: For manually created users, this checkbox is not available.