Your Visitor Management (formerly Sign In Enterprise) account can use SCIM to provision users from your Identity Provider (Okta, Azure, OneLogin, etc.) into Visitor Management as hosts. This integration gives you a method to synchronize your hosts and host groups without using a CSV or Active Directory. Click HERE to learn more about CSV host provisioning or HERE to learn about syncing hosts via Active Directory.
The SCIM integration will allow you to:
Push hosts into Visitor Management directly from your Identity Provider.
Push host groups into Visitor Management directly from your IdP.
Delete host groups that are unassigned through your IdP.
Mark hosts as invisible in Visitor Management if they’re unassigned through your IdP.
Hosts provisioned to Visitor Management through SCIM cannot be edited within the Visitor Management web portal. They are read-only. These hosts also cannot be fully deleted from Visitor Management. They are only marked as invisible in your Visitor Management account when removed via SCIM.
Note: The screenshot examples used in the article are taken specifically from Okta. If you are using Azure AD, you can follow the steps in THIS article.
Creating the SCIM app in your Identity Provider
The process for creating an app in your identity provider differs depending on what IdP you are using, but you can generally follow the requirements below to create an app that allows you to provision hosts in Visitor Management via SCIM:
Ensure that SCIM provisioning is enabled.
Ensure the app is enabled to create, update, and deactivate users/groups.
Ensure that the SCIM version is 2.0 and that your authentication is set to Basic Auth.
The SCIM connector URL, username, and password required for this authentication will be grabbed from the SCIM Host Provisioning section of your Visitor Management account. This is detailed in the “Gathering Information from Visitor Management” section below.
Ensure the unique identifier field for provisioned users is set to email.
The screenshots below show what these settings look like in Okta:
User provisioning settings
App Integration settings
Gathering information from Visitor Management
To use our SCIM Host Provisioning feature, Visitor Management provides the base URL, username, and password that you must enter into your IdP to make the connection. This information can be found in Visitor Management’s preferences page on the web portal. To get there:
1. Click on the gear icon in the top-right corner of your account.
2. Click Preferences.
3. In the General tab, scroll down until you get to the SCIM Host Provisioning section. You will then see a URL, Username, and Token that you can copy.
4. Input these three fields into their corresponding sections in your identity provider. The example below shows where this is inputted in Okta:
Attributes and Mappings
After the app is created in your IdP, you must also ensure that the correct attributes and mappings for your users are configured to allow for a successful connection to Visitor Management. All Visitor Management hosts are required to have an email, first name, and last name. Optionally, you can also include phone numbers, alternate emails, and departments.
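The host requirements above (email, first name and last name required, with email as the unique identifier) can be checked before users are assigned to the app. The Python code below is an added example, not Visitor Management's or any IdP's own code; attribute names follow the SCIM 2.0 core User schema (RFC 7643), and the record field names, the email lowercasing and the sample data are assumptions.

```python
# Added example: pre-flight check of IdP user records against the host
# requirements stated above. Attribute names are from the SCIM 2.0 core User
# schema (RFC 7643); Visitor Management's own mapping lists may differ.
import re

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def build_scim_user(record):
    """Return (payload, errors) for one IdP record (dict with assumed keys)."""
    email = (record.get("email") or "").strip().lower()  # assumed normalization
    first = (record.get("first_name") or "").strip()
    last = (record.get("last_name") or "").strip()
    fields = {"email": email if EMAIL_RE.match(email) else "",
              "first name": first, "last name": last}
    errors = [f"missing or invalid {k}" for k, v in fields.items() if not v]
    if errors:
        return None, errors
    payload = {
        "schemas": [USER_SCHEMA],
        "userName": email,  # email is the unique identifier
        "name": {"givenName": first, "familyName": last},
        "emails": [{"value": email, "primary": True, "type": "work"}],
        "active": True,
    }
    if record.get("phone"):  # optional attribute
        payload["phoneNumbers"] = [{"value": record["phone"], "type": "work"}]
    return payload, []

def preflight(records):
    """Split records into provisionable payloads and rejected (index, errors)."""
    ok, rejected, seen = [], [], set()
    for i, rec in enumerate(records):
        payload, errors = build_scim_user(rec)
        if payload and payload["userName"] in seen:
            payload, errors = None, ["duplicate email"]
        if payload:
            seen.add(payload["userName"])
            ok.append(payload)
        else:
            rejected.append((i, errors))
    return ok, rejected

# Constructed sample records, not real users.
SAMPLE = [
    {"email": "Ana.Ruiz@example.com", "first_name": "Ana", "last_name": "Ruiz", "phone": "+1-555-0100"},
    {"email": "ana.ruiz@example.com", "first_name": "Ana", "last_name": "Ruiz"},
    {"email": "lee@example.com", "first_name": "", "last_name": "Lee"},
]
```

Running preflight(SAMPLE) accepts the first record and rejects the second as a duplicate email and the third for its empty first name.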
Additionally, you can create host groups within Visitor Management by mapping over your IdP user groups. To do this, you must ensure that your IdP’s attributes and mappings are configured to match Visitor Management’s requirements. The links below will lead you to the attribute and mapping lists for Okta, Azure AD, and OneLogin:
Adding and removing hosts/host groups
Once this is configured in your account, you can assign your IdP users to the application you’ve created. Any users who are successfully assigned to the app are automatically pushed into Visitor Management as hosts.
Users can be assigned to your app in Okta in the assignments section (Click Applications>applications>*Your Application*>Assignments).
Note: Any individual hosts in Visitor Management provisioned through SCIM cannot be edited. They are, in effect, read-only.
Additionally, you can push your IdP user groups into Visitor Management as host groups to allow for easier sorting of these hosts within the Visitor Management web app/iPad. Simply add your group to your IdP app for Visitor Management by clicking ‘Push Groups>Find Groups By Name>Search for your group>Save’.
The Group will then show as Active when it is successfully pushed to Visitor Management.
To learn how to choose which host groups are visible within your iPad sign-in flows, click HERE.
Note: All hosts included in these user groups must already have been assigned individually within your IdP to Visitor Management.
Removing users/groups:
For individual users, un-assigning them from your IdP will mark them as invisible in Visitor Management. This means that they are still included as a user in the system, but are not visible to your visitors when they sign in.
For host groups, un-linking your user groups in your IdP will automatically remove that group from Visitor Management. The individual hosts will still remain but will no longer be associated with that IdP group. They will still be visible in the Visitor Management web portal.