Configure user account creation via SCIM

Created by Joseph T Roepcke, Modified on Fri, 17 Oct at 10:41 AM by Joseph T Roepcke

Overview

SCIM is a mechanism for provisioning employees directly from your Identity provider (IdP).

Spotnana is SCIM compliant with Entra ID.

  • Advantage of SCIM: A quicker configuration if you are already using SCIM for other applications (since it’s a standard industry protocol). It is also mostly configurable without the need to refactor code or set up a file.

  • Possible disadvantage of SCIM: The set of fields available from IdP software providers is potentially more limited than what’s used in HRIS software. As a result, the full set of fields you have in your HR system might not be present in your Entra ID. This could then add more complexity if you also want these additional fields passed in when creating users.

Prerequisites

Some things you need to do before mapping your attributes:

  • Evaluate the SCIM client made available by your IdP. Determine whether the data provided by SCIM will match the data requirements you have for your users in Spotnana.

  • Ask your Spotnana Account Manager or TMC support to create an API user with SCIM long-lived token credentials for you.

  • Verify that your SCIM client has a reporting mechanism that verifies and logs the success and failure of requests.

Map the required attributes

Use the entries in the table below to guide you in the mapping of your required attributes.

| Fixed fields | Mapping if using Entra ID | Mapping if using another IdP * | Caveats/configuration notes |
|---|---|---|---|
| userName | userPrincipalName | Primary business email | Should be used as the matching attribute |
| active | Switch([IsSoftDeleted], , "False", "True", "True", "False") | boolean of True or False | |
| emails[type eq "work"].value | mail | Work email | |
| name.givenName | givenName | First name | |
| name.familyName | surname | Last name | |
| externalId | mailNickname | Additional unique ID | Optional, should be unique |
| urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User:legalEntityRef.name | legalEntityName | Legal entity name | NOTE: A legal entity is required for each user. If your user is imported via SCIM without a legal entity assigned, the user will automatically be added to a default legal entity. If having users added to a default legal entity is not acceptable for your configuration, you should not use SCIM. |
| urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber | employeeId | Employee ID or Employee number | Optional, should be unique |
| urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department | department | Department name | |
| urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager | manager | Object like {"value": managerId} | |
| urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User:officeRef.name | officeName | Office name | |
| urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:costCenter | costCenterName | Cost Center name | |
| urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User:isoCountryCode | isoCountryCode | 2-digit ISO code | |

* Note: For the values for non-Entra IdPs, we may not be able to suggest an explicit value. However, you may be able to determine which value to use based on what we provided for Entra.
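The mapping above can be checked against a directory export before provisioning is switched on. The following is an added example, not Spotnana's or Microsoft's code: it builds the SCIM User resource from a record keyed by the Entra column of the table and flags records that would fall into the default legal entity or collide on the attributes the table says should be unique. It assumes extension attributes nest under their schema URN as in RFC 7643; the function names and sample records are hypothetical.

```python
CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
# "CustomExtensionName" is the placeholder used in the mapping table.
CUSTOM = "urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User"

def _drop_empty(d):
    return {k: v for k, v in d.items() if v not in (None, "", {})}

def build_scim_user(src):
    """Map one record (keys = Entra column of the table) to a SCIM User resource."""
    user = _drop_empty({
        "userName": src.get("userPrincipalName"),
        "active": not src.get("IsSoftDeleted", False),  # same result as the Switch()
        "emails": [{"type": "work", "value": src["mail"]}] if src.get("mail") else None,
        "name": _drop_empty({"givenName": src.get("givenName"), "familyName": src.get("surname")}),
        "externalId": src.get("mailNickname"),
        ENTERPRISE: _drop_empty({
            "employeeNumber": src.get("employeeId"),
            "department": src.get("department"),
            "costCenter": src.get("costCenterName"),
            "manager": {"value": src["manager"]} if src.get("manager") else None,
        }),
        CUSTOM: _drop_empty({
            "legalEntityRef": _drop_empty({"name": src.get("legalEntityName")}),
            "officeRef": _drop_empty({"name": src.get("officeName")}),
            "isoCountryCode": src.get("isoCountryCode"),
        }),
    })
    user["schemas"] = [CORE] + [s for s in (ENTERPRISE, CUSTOM) if s in user]
    return user

def preflight(records):
    """Return (userPrincipalName, problem) pairs to resolve before provisioning."""
    problems, seen = [], {}
    for src in records:
        upn = src.get("userPrincipalName")
        if not upn:
            problems.append((upn, "missing userPrincipalName (matching attribute)"))
        if not src.get("legalEntityName"):
            problems.append((upn, "no legalEntityName: falls into default legal entity"))
        for attr in ("mailNickname", "employeeId"):  # "should be unique" in the table
            if src.get(attr) and seen.setdefault((attr, src[attr]), upn) != upn:
                problems.append((upn, "duplicate " + attr))
    return problems

SAMPLE = [  # constructed records, not real directory data
    {"userPrincipalName": "a.lee@example.com", "mail": "a.lee@example.com", "givenName": "Ana",
     "surname": "Lee", "mailNickname": "alee", "employeeId": "1001", "legalEntityName": "Example Inc"},
    {"userPrincipalName": "b.roy@example.com", "IsSoftDeleted": True, "mailNickname": "alee"},
]
```

Calling `preflight(SAMPLE)` reports the second record twice: it has no legal entity and reuses the first record's `mailNickname`.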

Activate SCIM in the Online Booking Tool

If migrating from another user creation tool to SCIM

If you are migrating to SCIM from any other HR feed that you had previously used to create user accounts in Spotnana, please be sure to stop using that HR feed (or any other). This includes:

  • Stop submitting any HR feed data via the OBT

  • Stop submitting any HR feed data via SFTP

  • Stop using Spotnana’s User Management APIs

  • Request that Spotnana support disable any HRIS integration sync

Once all of these steps are completed, proceed to "If activating SCIM for the first time" below.

If activating SCIM for the first time

These steps assume you are using Entra as your IdP. However, they can conceptually be applied when using another IdP.

If you are activating SCIM for the first time, please complete the following steps in your IdP:

  1. Begin defining the SCIM configuration in your IdP. For example, for Entra you would create your custom enterprise application for SCIM provisioning.

  2. Create the relevant mappings in Entra using the settings in the table above.

  3. Set "https://api.spotnana.com/v2/scim" as the base URL (in your IdP) to which SCIM requests will be sent.

  4. Request a long-lived API user token from your Spotnana support representative or TMC support. 

  5. Then, add this token in your IdP for long-lived authentication for your SCIM client.

  6. Ask your Spotnana support representative or TMC support to include your email as a recipient for SCIM error reports.

  7. Try to provision a single user and inspect the output as a test. The test can be considered successful if:

    • The user is created on the Spotnana platform and the account contains all expected information.

    • The SCIM client produces log entries showing success. If the log shows a failure or there are any issues, contact Spotnana.

  8. Define the user groups in your IdP which should be provisioned by SCIM. This will determine which users have access to Spotnana.

  9. Disable usage of SCIM groups in the IdP’s SCIM settings. 

    • Note: IdP user groups are not SCIM groups. You can still provision IdP user groups. However, Spotnana does not support SCIM groups.

  10. Enable automatic SCIM provisioning for all users within your IdP.  

Verify that your SCIM integration is working

To verify that your SCIM integration is working correctly, do the following: 

  • Verify that user profiles are being loaded into Spotnana.

  • Periodically check if errors are being sent to the designated email account. 

If configured as the email recipient for SCIM errors, your user account will receive daily emails documenting any errors.

