Configuring SCIM Integration
KnowBe4’s SCIM (System for Cross-domain Identity Management) integration allows you to use user data from your identity provider to provision (populate and maintain) your users and groups within your KnowBe4 console. Provisioning is accomplished by syncing users and groups from your SCIM identity provider to KnowBe4’s SCIM API endpoints.
After you configure SCIM, users and groups will be automatically added, changed, and archived based on information sent from your identity provider. It is important to note that this is a one-way process of synchronization, and no information will be sent back to your identity provider from the KnowBe4 console.
Alternatively, if you are interested in using Active Directory to sync your users, please check out our Active Directory Integration (ADI) Configuration Guide.
We also have a video that shows how to set up SCIM. However, we recommend that you first read through the sections below.
How SCIM Works
Integrating your KnowBe4 console with your identity provider will allow you to import the users and groups from your identity provider into your console. This allows you to manage your users and groups from one place and the changes you make to your users and groups through your identity provider will be automatically synced to your KnowBe4 account.
The synchronization of data from SCIM is considered authoritative. This means that by default, any users who are not found in your identity provider will be archived in your KnowBe4 console and any manual changes you've made to a user in the KnowBe4 console will be overwritten by the data contained in your identity provider.
Prior to enabling user provisioning on your account, all user accounts in the KnowBe4 Console are considered console-managed. This means changes are made in the console by either editing the users directly or updating them via CSV imports. Once SCIM is enabled and the first sync occurs, users are considered to be managed by user provisioning, meaning changes are all done at the identity provider level and then pushed to the console.
You can prevent a specific user or users from being managed by user provisioning by creating a CSV with the list of users and setting Provisioning Managed to “false” for those users.
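The authoritative, one-way behaviour described above (users missing from the identity provider are archived, manual console edits are overwritten, and users with Provisioning Managed set to false are left alone) is easy to reason about with a small model. The following is an added example, not KnowBe4's code: it takes a constructed snapshot of identity-provider users and console users and produces the kind of add/update/archive report that Test Mode lets you review before any change is applied. The data structures, field names and the `plan_sync` function are assumptions made for illustration.

```python
"""Model of an authoritative, one-way SCIM sync, as a Test Mode style report.

Constructed example, not KnowBe4's code. The console user fields and the
reconciliation rules below are assumptions chosen to mirror the article's
description of authoritative syncing.
"""
from dataclasses import dataclass, field


@dataclass
class ConsoleUser:
    email: str
    first_name: str
    last_name: str
    provisioning_managed: bool = True  # False = console-managed, untouched by sync
    archived: bool = False


@dataclass
class SyncReport:
    add: list = field(default_factory=list)      # in IdP, not yet in console
    update: list = field(default_factory=list)   # console data differs from IdP
    archive: list = field(default_factory=list)  # in console, no longer in IdP
    skipped: list = field(default_factory=list)  # Provisioning Managed = false


def plan_sync(idp_users: dict, console_users: list) -> SyncReport:
    """Compute what an authoritative sync would do; identity-provider data wins.

    idp_users maps lower-cased email -> {"first_name": ..., "last_name": ...}.
    """
    report = SyncReport()
    seen = set()
    for user in console_users:
        key = user.email.lower()
        seen.add(key)
        if not user.provisioning_managed:
            report.skipped.append(key)  # opted out via CSV, never modified
            continue
        src = idp_users.get(key)
        if src is None:
            if not user.archived:
                report.archive.append(key)  # not found in IdP -> archived
            continue
        if (user.first_name, user.last_name) != (src["first_name"], src["last_name"]):
            report.update.append(key)  # manual console edits are overwritten
    for key in idp_users:
        if key not in seen:
            report.add.append(key)
    return report


# Constructed sample data.
IDP_USERS = {
    "ana@example.com": {"first_name": "Ana", "last_name": "Lopez"},
    "ben@example.com": {"first_name": "Ben", "last_name": "Okafor"},
    "dee@example.com": {"first_name": "Dee", "last_name": "Chen"},
}
CONSOLE_USERS = [
    ConsoleUser("ana@example.com", "Ana", "Lopez"),
    ConsoleUser("ben@example.com", "Benjamin", "Okafor"),  # edited by hand in console
    ConsoleUser("cal@example.com", "Cal", "Reyes"),        # no longer in the IdP
    ConsoleUser("ext@example.com", "Ext", "Vendor", provisioning_managed=False),
]


def run_example() -> SyncReport:
    """Plan a sync over the constructed data; returns the report for inspection."""
    return plan_sync(IDP_USERS, CONSOLE_USERS)


if __name__ == "__main__":
    r = run_example()
    for action in ("add", "update", "archive", "skipped"):
        print(f"{action:8s} {getattr(r, action)}")
```

The point of the model is the archive list: anyone you still need in the console but who is not in the identity provider must either be added there or opted out with Provisioning Managed set to false before you leave Test Mode, otherwise the first live sync archives them.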
Before you begin, you will need to ensure that you meet all the requirements for SCIM (listed below).
- Access to Azure Active Directory.
- Your account-specific token and tenant URL.
  - See this section for details on where to find this information.
- Know which users and groups you want to synchronize.
Configuring SCIM for KnowBe4
Follow the steps below to configure your SCIM settings in the console.
If you are switching from ADI to SCIM and you use alias email addresses, please note that the SCIM integration does not support aliases. This alias information will be removed once you disable Test Mode and a sync runs.
- From your KnowBe4 console, click your email address in the top right corner and select Account Settings.
- Navigate to the User Provisioning section of your settings.
- Select Enable User Provisioning (User Syncing) to display more provisioning settings.
- By default, the toggle will be set to ADI. Click the SCIM toggle to begin setting up.
- Expand your SCIM settings by clicking + SCIM Settings.
Your identity provider will need the token (step 5) and the Tenant URL (step 6) in order to establish a connection with KnowBe4. Make sure that you save this information so it is readily available when you are ready to set up the connection with your identity provider.
- Click Generate SCIM Token. This will open a new window with your token ID. Copy this ID and save it to a place that you can easily access later. It is important that you save this token because once you close this window, you cannot view the token again. Once you’ve saved the information, click OK to close the window.
You can regenerate the token by clicking the Regenerate SCIM Token button. This token can only be viewed once, so make sure you save this information before closing the window. Please be aware, you will need to update any instances where you have used the previous token.
- Copy the Tenant URL and save it to a place that you can easily access later.
- Make sure that the Test Mode option is selected.
We recommend keeping Test Mode enabled until you’ve configured the connection between KnowBe4 and your identity provider and have run a successful sync. Test Mode generates a report of what will happen when SCIM is enabled, without making any changes to your console, so you can configure your setup safely. When you are ready, you can disable Test Mode from your Account Settings to enable syncing.
If you are switching from ADI to SCIM, Test Mode will be enabled automatically after you save your Account Settings.
- Scroll down to the bottom of the Account Settings page and click Save Changes.
Now that you have enabled SCIM in your KnowBe4 account, you are ready to finalize the connection with your identity provider. See one of the articles below to find instructions on configuring SCIM for the identity provider that you are using.
Frequently Asked Questions (FAQs)
Below is a list of frequently asked questions about SCIM.
Question: Which attributes does KnowBe4 support?
Answer: We support the following fields by default:
| SCIM Attribute | KnowBe4 Field |
|---|---|
| addresses[type eq "work"].formatted | Location |
| phoneNumbers[type eq "work"].value | Phone Number |
| phoneNumbers[type eq "mobile"].value | Mobile Phone Number |
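The attribute paths in the table use the SCIM filter syntax (`attribute[subAttribute eq "value"].subAttribute`) to pick one entry out of a multi-valued attribute. The block below is an added example, not KnowBe4's code: it evaluates such paths against a constructed SCIM User resource and applies the mapping from the table. The evaluator is general enough to also handle plain paths without a filter (such as `name.givenName`), which goes beyond the three paths listed above; the sample user, `resolve_path` and `map_user` are assumptions made for illustration.

```python
"""Evaluate SCIM attribute paths such as phoneNumbers[type eq "work"].value
against a SCIM User resource (a subset of the RFC 7643/7644 path syntax).

Constructed example, not KnowBe4's code. The sample resource is invented;
the mapping table reproduces the attributes listed in the article.
"""
import re

# Constructed SCIM User resource, shaped like what an identity provider sends.
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "ana@example.com",
    "name": {"givenName": "Ana", "familyName": "Lopez"},
    "addresses": [
        {"type": "work", "formatted": "100 Main St, Springfield", "primary": True},
        {"type": "home", "formatted": "1 Side St, Springfield"},
    ],
    "phoneNumbers": [
        {"type": "work", "value": "+1-555-0100"},
        {"type": "mobile", "value": "+1-555-0199"},
    ],
}

# SCIM attribute path -> console field, as in the table above.
ATTRIBUTE_MAP = {
    'addresses[type eq "work"].formatted': "Location",
    'phoneNumbers[type eq "work"].value': "Phone Number",
    'phoneNumbers[type eq "mobile"].value': "Mobile Phone Number",
}

# Accepts: attr | attr.sub | attr[filterAttr eq "value"] | attr[filterAttr eq "value"].sub
_PATH_RE = re.compile(
    r'^(?P<attr>\w+)'
    r'(?:\[(?P<fattr>\w+)\s+eq\s+"(?P<fval>[^"]*)"\])?'
    r'(?:\.(?P<sub>\w+))?$'
)


def resolve_path(resource: dict, path: str):
    """Return the value a SCIM path selects from the resource, or None if absent."""
    m = _PATH_RE.match(path)
    if not m:
        raise ValueError(f"unsupported SCIM path: {path}")
    value = resource.get(m["attr"])
    if value is None:
        return None
    if m["fattr"]:
        # Filter step: keep list entries whose sub-attribute equals the literal.
        if not isinstance(value, list):
            return None
        matches = [e for e in value
                   if isinstance(e, dict) and e.get(m["fattr"]) == m["fval"]]
        if not matches:
            return None
        value = matches[0]  # first match wins; IdPs usually send one entry per type
    if m["sub"]:
        return value.get(m["sub"]) if isinstance(value, dict) else None
    return value


def map_user(resource: dict, mapping: dict = ATTRIBUTE_MAP) -> dict:
    """Apply the attribute map; attributes missing from the resource are omitted."""
    out = {}
    for path, console_field in mapping.items():
        v = resolve_path(resource, path)
        if v is not None:
            out[console_field] = v
    return out


if __name__ == "__main__":
    for console_field, v in map_user(SAMPLE_USER).items():
        print(f"{console_field}: {v}")
```

If the identity provider sends a phone number without a `type`, or typed differently (for example `"type": "Work"`), the filter does not match and the console field stays empty; checking the attribute types your provider actually emits is the usual fix when a mapped field comes through blank.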
Question: Can I use SCIM and ADI?
Answer: No, we do not allow you to use SCIM and ADI at the same time. However, you can switch between these two types of connections from your Account Settings page. Please be aware that if you switch from one type of user provisioning to another, your data may be overwritten or lost when you start syncing with Test Mode disabled.
Question: Which identity providers can I use?
Answer: Currently, we support provisioning users and groups from Azure. We will be adding support for other SCIM identity providers in the future.
Question: Why is there a longer gap between my Sync Received times?
Answer: We have a rate-limiting system in place to prevent too many syncs from processing at one time. You may see a delay of up to three hours between syncs.