SCIM Configuration Guide

KnowBe4’s System for Cross-domain Identity Management (SCIM) integration allows you to use data from your SCIM identity provider (IdP) to manage users within your KSAT console. With this integration, your users will be automatically added, changed, and archived in your KSAT console based on data sent from your SCIM IdP. Once you configure this integration and import your users, you’ll be able to manage all your users in one place.

You also have the option to add, change, and archive users by using Active Directory Integration (ADI). For more information about ADI, see our Active Directory Integration (ADI) Configuration Guide.

How SCIM Works

SCIM allows you to manage your users all in one place by syncing user information from your IdP to your KSAT console.

Before enabling SCIM, you can manage users in your KSAT console by editing user information directly or by updating user information with CSV files. Once you enable SCIM and your first sync occurs, users will be managed through your SCIM IdP and changes will sync to your KSAT console.

This sync is a one-way process, so any changes that you make in your KSAT console will not sync to your SCIM IdP. If you make changes in your KSAT console, these changes will be overwritten by the data in your SCIM IdP. When you sync users, any users who aren’t found in your SCIM IdP will be archived in your KSAT console.

Prerequisites

Before you configure SCIM, make sure that you meet the following requirements:

  • You have access to your SCIM Token and Tenant URL in your KSAT Account Settings. For more information about where you can find these items, see the Configure SCIM section below.
  • You know which users you would like to sync from your SCIM IdP to your KSAT console.
Note: You have the option to prevent a specific user or users from being managed by SCIM. To prevent specific users from being managed by SCIM, create a CSV file with a list of users that you don’t want to be managed by SCIM. Enter “false” under the Provisioning Managed heading for those users.
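
The one-way sync rules and the Provisioning Managed opt-out described above, modelled as a pre-sync check you can run against your own user exports. This is an added example, not KnowBe4 code; matching users by email, the field names, and the sample users are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    email: str
    first_name: str
    last_name: str
    provisioning_managed: bool = True  # False = opted out of SCIM via CSV

def plan_sync(idp_users, console_users):
    """Model the one-way IdP -> console sync; nothing is modified."""
    idp = {u.email.lower(): u for u in idp_users}          # assumption: match on email
    console = {u.email.lower(): u for u in console_users}
    plan = {"add": [], "change": [], "archive": [], "unmanaged": []}
    for email, cur in console.items():
        src = idp.get(email)
        if not cur.provisioning_managed:
            plan["unmanaged"].append(email)   # excluded from SCIM management
        elif src is None:
            plan["archive"].append(email)     # not found in IdP -> archived
        elif (cur.first_name, cur.last_name) != (src.first_name, src.last_name):
            plan["change"].append(email)      # console value overwritten by IdP
    plan["add"] = [e for e in idp if e not in console]
    return {k: sorted(v) for k, v in plan.items()}

def archive_ratio(plan, console_users):
    """Share of SCIM-managed console users the sync would archive."""
    managed = sum(u.provisioning_managed for u in console_users)
    return len(plan["archive"]) / managed if managed else 0.0

# Constructed sample data (not real accounts).
IDP = [User("alice@example.com", "Alice", "Ng"),
       User("bob@example.com", "Robert", "Lee"),
       User("dana@example.com", "Dana", "Ortiz")]
CONSOLE = [User("alice@example.com", "Alice", "Ng"),
           User("bob@example.com", "Bob", "Lee"),          # edited in console
           User("carol@example.com", "Carol", "Diaz"),     # missing from IdP
           User("svc-training@example.com", "Svc", "Acct", provisioning_managed=False)]

if __name__ == "__main__":
    plan = plan_sync(IDP, CONSOLE)
    for action, emails in plan.items():
        print(f"{action:10} {emails}")
    print(f"archive ratio: {archive_ratio(plan, CONSOLE):.0%}")
```

A high archive ratio usually means the IdP assignment is scoped too narrowly, which is worth catching before syncing is enabled.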

Configure SCIM

To connect your SCIM IdP with your KSAT console, you’ll need to enable some settings from your KSAT Account Settings. Then, you will need to finish the configuration in your SCIM IdP.

Note: If you are switching from ADI to SCIM, please note that our SCIM integration does not support alias email addresses. Any alias email addresses will be removed once you disable Test Mode and run a sync.

To configure SCIM settings in your KSAT console, follow the steps below:

  1. In your KSAT console, click your email address in the top-right corner of the page.
  2. Select Account Settings.
  3. Navigate to User Management > User Provisioning.
  4. Select the Enable User Provisioning (User Syncing) check box. After you select this check box, additional settings will display.
  5. Click SCIM.
  6. Click + SCIM Settings.
  7. Click Generate SCIM Token. When you click this button, a new browser window will open with your SCIM token. Make sure to copy this SCIM token and save it to a place that you can easily access later.
    Important: After you close the browser window, you will not be able to view this SCIM token again. Once you have generated this SCIM token, the Generate SCIM Token button will change to Regenerate SCIM Token. For more information, see the SCIM Settings section of this article.
  8. Click OK to close the window.
  9. Copy the Tenant URL and save it to a place that you can easily access later.
    Important: Before you continue, make sure that you have successfully saved your Tenant URL and your SCIM Token from step 7. You will need both of these items when configuring SCIM in your IdP.
  10. Make sure that the Test Mode check box is selected.
    Important: We recommend that you keep the Test Mode check box selected until you’ve finished configuring the SCIM integration and have run a successful sync. Test Mode generates a report of what will happen when SCIM is enabled based on your current configuration. When Test Mode is enabled, no changes will be made to your KSAT console. When you’re ready to enable syncing, you can disable Test Mode from your Account Settings. If you’re switching from ADI to SCIM, Test Mode will be enabled automatically after you save your Account Settings.
  11. Click Save Changes at the bottom of the Account Settings page.

Supported Providers

Now that you have enabled SCIM in your KSAT console, you can finish the connection in your SCIM IdP.

Note: The instructions outlined in the guides below are the only configurations supported by KnowBe4. Any deviations from the steps outlined in these articles may cause issues with user provisioning.

To configure SCIM in the IdP that you're using, see one of the articles below:

SCIM Settings

Once you have enabled the SCIM integration, you'll see three buttons in the SCIM section of your Account Settings. You can use these buttons to regenerate or revoke SCIM tokens or to force a sync. For more information about these buttons, see the list below:

  1. Regenerate SCIM token: Click this button to generate a new SCIM token. This token can only be viewed once, so make sure you save this token before closing the browser window. The link between your IdP and your KSAT console will be disabled until you provide the new token.

  2. Revoke SCIM token: Click this button to disable your current SCIM token. IdPs that currently use this token will no longer be linked to your KSAT console.

  3. Force Sync Now: Click this button to manually force a SCIM sync at any time without requiring a change from your IdP.

Frequently Asked Questions (FAQs)

Below is a list of frequently asked questions about SCIM.

Which attributes does KnowBe4 support?

The attributes we support depend on the IdP that you use. For more information about which fields we support, see our documentation for your specific identity provider.

Can I use SCIM and ADI at the same time?

No, you can't use SCIM and ADI at the same time. However, you can switch between these two types of connections from your Account Settings. Please note that if you switch between ADI and SCIM, your data may be overwritten or lost once you start syncing with Test Mode disabled.

Does KnowBe4 limit or restrict how often you can sync users via SCIM?

We have a 15-minute global sync limit in place to avoid overloading the service queue. When a new sync request comes in and an existing sync is less than 15 minutes old, the new sync is skipped.

 
