src/segment-app/iam/scim.md
Lines changed: 16 additions & 14 deletions
@@ -11,11 +11,11 @@ Most IdPs offer SCIM, and it compliments SAML. You can think of SAML as a way fo
11
11
12
12
Before you start, remember that SSO is only available to Business Tier customers, and that only workspace owners may configure SSO connections.
13
13
14
-
To setup SCIM, you must first create an SSO connection. Once you [create your SSO connection](https://segment.com/docs/segment-app/iam/sso/), log back into Segment using SSO.
14
+
To set up SCIM, you must first create an SSO connection. Once you [create your SSO connection](https://segment.com/docs/segment-app/iam/sso/), log back in to Segment using SSO.
15
15
16
16
## Configuration Instructions
17
17
18
-
Segment officially supports [Okta](#okta-setup-guide), Azure AD, and OneLogin. Each link includes specific setup instructions for that IdP. You should read the [features](#features) section of this page to understand which features of SCIM Segment supports.
18
+
Segment officially supports [Okta](#okta-set-up-guide), Azure AD, and OneLogin. Each link includes specific set up instructions for that IdP. You should read the [features](#features) section of this page to understand which features of SCIM Segment supports.
19
19
20
20
You may still be able to use SCIM with another Identity Provider (IdP) by adapting the following instructions.
21
21
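Review bot: the anchor change from `#okta-setup-guide` to `#okta-set-up-guide` in the added line only resolves if the "Okta Setup Guide" heading itself was renamed, and this hunk does not show that heading; if it still reads "Okta Setup Guide", the link breaks. In the same line, "specific set up instructions" swaps the noun/adjective form "setup" (correct in "setup instructions") for the verb "set up"; keep `setup instructions` here and change only the verb uses such as "To set up SCIM", which the other added line gets right.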
@@ -25,7 +25,7 @@ Your IdP needs to know where to send SCIM requests. The Segment base URL is: htt
25
25
26
26
### API Key
27
27
28
-
The other value you need is an API key (sometimes referred to as an Authorization Header). To generate one, go to **Settings > Advanced Settings** in the Segment app, and find the SSO Sync section. Click **Generate SSO Token** and copy the generated token. Use this token for the API key or Authorization Header in your IdP.
28
+
The other value you need is an API key (sometimes referred to as an Authorization Header). To generate one, go to **Settings > Advanced Settings** in the Segment app, and find the **SSO Sync** section. Click **Generate SSO Token** and copy the generated token. Use this token for the API key or Authorization Header in your IdP.
29
29
30
30
This page is located as part of the settings sidebar: https://app.segment.com/CUSTOMER_WORKSPACE_SLUG/settings/advanced
31
31
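Review bot: the rewritten line still presents the generated SSO token as an ordinary configuration value, but the IdP sends it as the Authorization Header on every SCIM request, so it grants user-provisioning access to the workspace; the paragraph should say that it is a secret to be stored only in the IdP's provisioning settings and regenerated if it is exposed. It would also help to state whether clicking **Generate SSO Token** again invalidates the previous token, since that is what an administrator rotating the key needs to know.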
@@ -53,7 +53,7 @@ Segment user profiles only contain a `userName` (email) and `displayName`. Once
53
53
54
54
## Deleting or Deactivating Users
55
55
56
-
Segment workspace owners **cannot**delete Segment workspace member accounts using SCIM, the web UI, or the Segment API. A user must delete their own account using the Segment app. Workspace owners **can**remove members from the workspace using SCIM, the web UI, or the Segment API.
56
+
Segment workspace owners _cannot_**delete** Segment workspace member accounts using SCIM, the web UI, or the Segment API. A user must delete their own account using the Segment app. Workspace owners _can_**remove members from the workspace** using SCIM, the web UI, or the Segment API.
57
57
58
58
Some IdPs want to set users as "inactive" or "active." Segment does not have an "inactive" state for user accounts. Similar functionality can be achieved by removing a user from your workspace. Setting an existing Segment user to "active" is similar to adding that user to the workspace.
59
59
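Review bot: the added line `_cannot_**delete**` and `_can_**remove members from the workspace**` still has no space between the italic and bold spans, so it renders as "cannotdelete" and "canremove", the same defect the removed line had with `**cannot**delete`. Insert the space: `_cannot_ **delete**` and `_can_ **remove members from the workspace**`.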
@@ -73,13 +73,13 @@ Your IdP can add or remove workspace members from existing groups via SCIM. Your
73
73
74
74
## Deleting Groups
75
75
76
-
Your IdP can use SCIM to delete groups from your Segment workspace. Deleting a group in Segment does **not** remove its members from your workspace. You need to unassign users from Segment from your IdP, then Segment removes them from the workspace.
76
+
Your IdP can use SCIM to delete groups from your Segment workspace. Deleting a group in Segment does **not** remove its members from your workspace. To remove members from the workspace, unassign the users from Segment from your IdP, then Segment removes them from the workspace.
77
77
78
78
## Attribute Mapping
79
79
80
-
When you integrate Segment SCIM and your IdP you might need to map attributes for users. The only attributes that Segment SCIM supports are `userName` and `displayName`. You should leave any existing mapping for the `email` SAML attribute, which you might have setup during your initial SSO onboarding. This mapping supports SAML authentication, and is separate from setting up SCIM, but may be within the same page depending on your IdP.
80
+
When you integrate Segment SCIM and your IdP you might need to map attributes for users. The only attributes that Segment SCIM supports are `userName` and `displayName`. You should leave any existing mapping for the `email` SAML attribute, which you might have set up during your initial SSO set up. This mapping supports SAML authentication, and is separate from setting up SCIM, but may be within the same page depending on your IdP.
81
81
82
-
You'll need to map an email (IdP) to `userName` (Segment). Depending on your IdP this attribute may be called `email` or simply`mail`. If your IdP uses emails for usernames, you can map `userName` (IdP) to `userName` (Segment).
82
+
You'll need to map an email (IdP) to `userName` (Segment). Depending on your IdP this attribute might be called `email` or `mail`. If your IdP uses emails for usernames, you can map `userName` (IdP) to `userName` (Segment).
83
83
84
84
If your IdP supports the `displayName` attribute, you can map it directly to the Segment `displayName` attribute. If it does not, most IdPs can create a "macro mapping" which allows you to map more than one field to a single field in Segment.
85
85
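Review bot: "during your initial SSO set up" in the added Attribute Mapping line uses the verb form where the noun is needed; "initial SSO setup" (or "initial SSO configuration", which also avoids "set up ... setting up" twice in one sentence) reads correctly. In the added Deleting Groups line, "unassign the users from Segment from your IdP" is still ambiguous about where the action happens; "unassign the users from the Segment app in your IdP" says it plainly.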
@@ -95,22 +95,24 @@ For example, you might map `{firstName} {lastName}` from your IdP to `displayNam
95
95
96
96
4. Next, select **To App** in the left sidebar of the **Provisioning** tab. Click **Edit** and select both **Create Users** and **Deactivate Users**. Click **Save**.
97
97
5. From the **Provisioning** tab, click **Go to Profile Editor** > **Mappings**.
98
-
6. In the left tab that appears, review the data that Segment sends to Okta. Select `do not map` for all attributes except `email` and `displayName`. Click **Save Mappings**, and **Apply Updates Now** (if prompted).
98
+
6. In the left tab that appears, review the data that Segment sends to Okta.
99
+
Select `do not map` for all attributes except `email` and `displayName`. Click **Save Mappings**, and **Apply Updates Now** (if prompted).
99
100
100
101

101
102
102
-
7. Open the **Mappings** again, and click the right tab. This represents the data that Okta sends to Segment. Again, click `do not map` for all attributes except `email` and `displayName`. Then click **Save Mappings**, and **Apply Updates Now** (if prompted) to close the **Mappings** dialog.
103
-
8. Next, delete all unused attributes from the bottom of the **Provisioning** Tab. You must include "Given Name" and "Family Name" as they are required by Okta, but unused by Segment.
103
+
7. Open the **Mappings** again, and click the right tab. This represents the data that Okta sends to Segment.
104
+
Again, click `do not map` for all attributes except `email` and `displayName`. Then click **Save Mappings**, and **Apply Updates Now** (if prompted) to close the dialog.
105
+
8. Next, delete all unused attributes from the bottom of the **Provisioning** Tab. You must include "Given Name" and "Family Name" as they are required by Okta (but are not used by Segment).
104
106
105
107

106
108
107
-
9. Navigate back to the Segment Okta app. You're now ready to assign people or groups. Before you continue, read through the [features](#features) section in this doc to make sure you understand how groups work.
109
+
9. Navigate back to the Segment Okta app. You can now assign people or groups. Before you continue, read through the [features](#features) section in this doc to make sure you understand how groups work.
108
110
10. Segment recommends that you assign users to the Segment app by Okta group. This allows you to manage which groups in your organization can authenticate to Segment. You can also assign users individually.
109
111
110
-

112
+

111
113
112
114
11. Once you assign your users, push the assigned Okta groups to Segment. Then, go to the Segment app to assign permissions to these groups. You can also link Okta groups to an existing group from in the Segment app using the Okta UI.
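Review bot: the continuation paragraphs split out of steps 6 and 7 (`Select \`do not map\` ...` and `Again, click \`do not map\` ...`) are added at column 0, so Markdown closes the ordered list before them and steps 7 and 8 can render with restarted numbering; indent those continuation lines (and the image lines between steps) by at least three spaces so they stay inside their list item. Minor: "**Provisioning** Tab" in step 8 should be lower-case "tab" to match steps 4 and 5.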