How to manage users with SCIM

Introduction

Sublime's SCIM API allows you to provision, update, and deprovision Sublime users from your identity provider (e.g., Okta), including managing each user's Sublime role.


Sublime and identity provider admin required

To integrate with SCIM, you'll need to be an administrator for both Sublime and your identity provider, or get the help of an admin for each.

Below are the steps for integrating Okta with SCIM. If you need help integrating another identity provider with SCIM, drop us a message.

Okta Setup

Gather Sublime info

To integrate Okta with SCIM, you'll need the following from the Sublime dashboard:

  1. The SCIM API base URL for your Sublime instance:
    1. In Sublime, navigate to the API page
    2. Copy the Base URL. For example, Sublime Cloud's US region has the API base URL https://platform.sublime.security
    3. Append /v0/scim to the base URL to construct a SCIM API base URL like https://platform.sublime.security/v0/scim
    4. Hold onto this URL
  2. An API key for a Sublime admin:
    1. In Sublime, navigate to the API page
    2. Click New Key
    3. Enter a key name, such as "SCIM Integration"
    4. Click Save
    5. Copy and hold onto the new key

Create a custom SAML app

Follow the instructions here to set up a custom SAML app in Okta. You'll need an Okta SAML app to integrate Sublime's SCIM API with Okta.

Add SCIM provisioning to the Okta app

  1. Go to the overview page for the Okta application you created
  2. Click the General tab
  3. In the App Settings section, click Edit
  4. Check Enable SCIM provisioning
  5. Click Save
  6. Click the Provisioning tab that appears
  7. Click Edit
  8. For SCIM connector base URL, enter https://platform.sublime.security/v0/scim
  9. For Unique identifier field for users, enter userName
  10. For Supported provisioning actions, check:
    1. Import New Users and Profile Updates
    2. Push New Users
    3. Push Profile Updates
  11. For Authentication Mode, select HTTP Header
  12. For Authorization, enter the Sublime API key you created
  13. Click Test Connector Configuration and confirm you get a Connector configured successfully message
  14. Close the Test Connector Configuration modal
  15. Click Save
  16. Click the To App subtab
  17. In the Provisioning to App section, click Edit
  18. Check Enable for:
    1. Create Users
    2. Update User Attributes
    3. Deactivate Users
  19. Click Save
  20. Under Sublime Platform Attribute Mappings, update the mappings as follows. You should only need to remove some of the default mappings.
  21. Leave all other provisioning settings unchanged

Map Okta groups to Sublime roles

  1. In Okta, go to Directory > Profile Editor
  2. Under the Users tab, click your Sublime Okta app
  3. Click Add Attribute
  4. Add a new attribute with these properties:
    1. Data type: string
    2. Display name: Sublime Role
    3. Variable name: sublimeRole
    4. External name: sublimeRole
    5. External namespace: urn:ietf:params:scim:schemas:core:2.0:User
    6. Enum: checked, with these options:
      1. Admin: admin
      2. Engineer: engineer
      3. Analyst: analyst
    7. Attribute length: between 0 and 50
    8. Attribute required: unchecked
    9. Attribute type: Group
  5. Click Save
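As an added example (not Sublime's or Okta's code), the check below runs over a constructed SCIM 2.0 User body of the shape Okta pushes once the attribute above is mapped: it confirms the userName identifier is present and that sublimeRole carries one of the three enum values within the 50-character limit. It assumes the attribute lands at the top level of the core User schema, as the External namespace setting implies; the sample payload is constructed, not captured from a real instance.

```python
import json

# Values taken from the Okta attribute definition on this page
SCIM_CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SUBLIME_ROLES = {"admin", "engineer", "analyst"}
ROLE_MAX_LEN = 50

# Constructed sample of a User body as Okta would push it after the mapping
# (assumption: sublimeRole sits at the top level of the core User schema).
SAMPLE_PUSH = json.dumps({
    "schemas": [SCIM_CORE_USER],
    "userName": "ada.analyst@example.com",
    "active": True,
    "name": {"givenName": "Ada", "familyName": "Analyst"},
    "sublimeRole": "analyst",
})


def check_sublime_user(body: str) -> list[str]:
    """Return the problems found in a pushed SCIM User body; empty means OK."""
    problems = []
    try:
        user = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if SCIM_CORE_USER not in user.get("schemas", []):
        problems.append(f"missing schema {SCIM_CORE_USER}")
    # userName is the unique identifier Okta was configured to match on
    if not user.get("userName"):
        problems.append("userName is empty; Okta cannot match the user")
    role = user.get("sublimeRole")
    if role is None:
        problems.append("sublimeRole is absent; the user gets no Sublime role")
    elif not isinstance(role, str) or len(role) > ROLE_MAX_LEN:
        problems.append(f"sublimeRole must be a string of at most {ROLE_MAX_LEN} characters")
    elif role not in SUBLIME_ROLES:
        problems.append(f"sublimeRole {role!r} is not one of {sorted(SUBLIME_ROLES)}")
    return problems


if __name__ == "__main__":
    print(check_sublime_user(SAMPLE_PUSH) or "payload OK")
```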

When assigning a group to the Okta app, you can now attach a Sublime role: