KnowBe4’s System for Cross-domain Identity Management (SCIM) integration allows you to use data from your SCIM identity provider (IdP) to manage users within your KSAT console. With this integration, your users will be automatically added, changed, and archived in your KSAT console based on data sent from your SCIM IdP. Once you configure this integration and import your users, you’ll be able to manage all your users in one place.
You also have the option to add, change, and archive users by using Active Directory Integration (ADI). For more information about ADI, see our Active Directory Integration (ADI) Configuration Guide.
How SCIM Works
SCIM allows you to manage your users all in one place by syncing user information from your IdP to your KSAT console.
Before enabling SCIM, you can manage users in your KSAT console by editing user information directly or by updating user information with CSV files. Once you enable SCIM and your first sync occurs, users will be managed through your SCIM IdP and changes will sync to your KSAT console.
This sync is a one-way process, so any changes that you make in your KSAT console will not sync to your SCIM IdP. If you make changes in your KSAT console, these changes will be overwritten by the data in your SCIM IdP. When you sync users, any users who aren’t found in your SCIM IdP will be archived in your KSAT console.
Prerequisites
Before you configure SCIM, make sure that you meet the following requirements:
- You have access to your SCIM Token and Tenant URL in your KSAT Account Settings. For more information about where you can find these items, see the Configure SCIM section below.
- You know which users you would like to sync from your SCIM IdP to your KSAT console.
Configure SCIM
To connect your SCIM IdP with your KSAT console, you’ll need to enable some settings from your KSAT Account Settings. Then, you will need to finish the configuration in your SCIM IdP.
To configure SCIM settings in your KSAT console, follow the steps below:
- In your KSAT console, click your email address in the top-right corner of the page.
- Select Account Settings.
- Navigate to User Management > User Provisioning.
- Select the Enable User Provisioning (User Syncing) check box. After you select this check box, additional settings will display.
- Click SCIM.
- Click + SCIM Settings.
- Click Generate SCIM Token. When you click this button, a new browser window will open with your SCIM token. Make sure to copy this SCIM token and save it to a place that you can easily access later.
Important:After you close the browser window, you will not be able to view this SCIM token again. Once you have generated this SCIM token, the Generate SCIM Token button will change to Regenerate SCIM Token. For more information, see the SCIM Settings section of this article.
- Click OK to close the window.
- Copy the Tenant URL and save it to a place that you can easily access later.
Important:Before you continue, make sure that you have successfully saved your Tenant URL and your SCIM Token from step 7. You will need both of these items when configuring SCIM in your IdP.
- Make sure that the Test Mode check box is selected.
Important:We recommend that you keep the Test Mode check box selected until you’ve finished configuring the SCIM integration and have run a successful sync. Test Mode generates a report of what will happen when SCIM is enabled based on your current configuration. When Test Mode is enabled, no changes will be made to your KSAT console. When you’re ready to enable syncing, you can disable Test Mode from your Account Settings. If you’re switching from ADI to SCIM, Test Mode will be enabled automatically after you save your Account Settings.
- Click Save Changes at the bottom of the Account Settings page.
Supported Providers
Now that you have enabled SCIM in your KSAT console, you can finish the connection in your SCIM IdP.
To configure SCIM in the IdP that you're using, see one of the articles below:
- How to Configure SCIM for Okta
- How to Configure SCIM for Microsoft Entra ID
- How to Configure SCIM for OneLogin
- How to Configure SCIM for JumpCloud
- How to Configure SCIM for Rippling
- How to Configure SCIM for PingFederate and PingOne
SCIM Settings
Once you have enabled the SCIM integration, you'll see three buttons in the SCIM section of your Account Settings. You can click these buttons to help you regenerate or revoke SCIM tokens or force a sync. For more information about these buttons, see the screenshot and list below:
-
Regenerate SCIM token: Click this button to generate a new SCIM token. This token can only be viewed once, so make sure you save this token before closing the browser window. The link between your IdP and your KSAT console will be disabled until you provide the new token.
-
Revoke SCIM token: Click this button to disable your current SCIM token. IdPs that currently use this token will no longer be linked to your KSAT console.
-
Force Sync Now: Click this button to manually force a SCIM sync at any time without requiring a change from your IdP.
Frequently Asked Questions (FAQs)
Below is a list of frequently asked questions about SCIM.
Which attributes does KnowBe4 support?
The attributes we support depend on the IdP that you use. For more information about which fields we support, see our documentation for your specific identity provider.
Can I use SCIM and ADI at the same time?
No, you can't use SCIM and ADI at the same time. However, you can switch between these two types of connections from your Account Settings. Please note that if you switch between ADI and SCIM, your data may be overwritten or lost when you start syncing when Test Mode is disabled.
Does KnowBe4 limit or restrict how often you can sync users via SCIM?
We have a 15 minute global sync limit in place to avoid an overload of the service queue. When a new sync request comes in, if there is an existing sync less than 15 minutes old, the new sync would be skipped.