SCIM Frequently Asked Questions

Okta FAQs

Q: What type of Okta user do I need to be in order to configure SCIM?

A: You must be an Okta Administrator to configure SCIM.

Q: How do I configure a new Resolver Okta SCIM integration?

A: Create a new Resolver app integration in Okta. When creating the app integration, select SAML 2.0 for the sign-in method.

Note:
If an existing Resolver app integration exists for SSO, you can skip this step and use your existing SAML 2.0 app integration.

Q: What value should I use in the SCIM connector base URL field?

A: In the SCIM connector base URL field, enter the base URL for your Resolver environment. The URL format is as follows, replacing {resolverBaseURL} with your Org's URL: {resolverBaseURL}/scim/.

Q: What value should I use in the Unique identifier field for users field?

A: In the Unique identifier field for users field, enter userName.

Q: Which options should I select under Supported provisioning actions?

A: Select the following options under Supported provisioning actions:

  • Import New Users and Profile Updates

  • Push New Users

  • Push Profile Updates

  • Push Groups

Q: Which option should I select under the Authentication Mode dropdown?

A: Under the Authentication Mode dropdown, select HTTP Header and enter your Resolver SCIM token in the Bearer field.

Q: Which app settings should I enable?

A: In the To App Settings section, enable the following options:

  • Create Users

  • Update User Attributes

  • Deactivate Users 

Q: Which base mappings between Okta and Resolver should I update?

A: Remove all mappings except the following:

  • familyName

  • givenName

  • email

  • emailType


Entra ID FAQs

Q: What type of Entra ID user do I need to be in order to configure SCIM?

A: You must be an Entra ID Administrator to configure SCIM.

Q: How do I create a new Resolver enterprise application in Entra ID?

A: Create a new Resolver enterprise application in Entra ID. When creating the application, select Integrate any other application you don’t find in the gallery (Non-gallery) in the What are you looking to do with your application? section.

Note:
If an existing Resolver app integration exists for SSO, you can skip this step and use your existing application. 

Q: What value should I select from the Provisioning Mode dropdown?

A: Select Automatic from the Provisioning Mode dropdown.

Q: Which Admin Credentials should I enter?

A: Under the Authentication Method dropdown for Admin Credentials, select Bearer Authentication.

In the Tenant URL field, enter the base URL for your Resolver environment. The URL format is as follows, replacing {resolverBaseURL} with your Org's URL: {resolverBaseURL}/scim/.

In the Secret Token field, enter your Resolver SCIM token.

Q: Which SCIM attribute mappings should I enable for the Entra ID application?

A: Resolver only supports the below attributes. Additional attributes can be removed.

  • userName

  • active

  • name.familyName

  • name.givenName

  • emails

  • externalId

Note:
The standard Entra ID attribute mappings are generally recommended; however, the userName should reflect your SSO configuration.
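
The following is an added example, not code from Resolver or Microsoft. It checks a SCIM 2.0 User payload (for instance, one copied from a provisioning log) against the supported attributes listed above and reports which mappings can be removed, so that no more directory data than necessary is sent. The function names and the sample payload are constructed for illustration, and the payload shape assumes the standard SCIM 2.0 core User schema (RFC 7643).

```python
# Added example (not Resolver code): flag SCIM User attributes that fall
# outside the supported list on this page so their mappings can be removed.

# Attribute paths this page lists as supported by Resolver.
SUPPORTED = {
    "userName", "active", "name.familyName", "name.givenName",
    "emails", "externalId",
}
# SCIM attribute names are case-insensitive (RFC 7643), so compare lowercased.
SUPPORTED_LOWER = {path.lower() for path in SUPPORTED}

# Assumption: envelope keys common to SCIM 2.0 resources, not mapped attributes.
ENVELOPE = {"schemas", "id", "meta"}


def attribute_paths(resource):
    """Yield attribute paths; the complex 'name' attribute is expanded."""
    for key, value in resource.items():
        if key.lower() in ENVELOPE:
            continue
        if key.lower() == "name" and isinstance(value, dict):
            for sub in value:
                yield f"name.{sub}"
        else:
            yield key


def unsupported_attributes(resource):
    """Return the sorted attribute paths that are not in the supported list."""
    paths = set(attribute_paths(resource))
    return sorted(p for p in paths if p.lower() not in SUPPORTED_LOWER)


# Constructed sample payload, not taken from a real tenant.
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", ENTERPRISE],
    "externalId": "jdoe",
    "userName": "jdoe@example.com",
    "active": True,
    "name": {"familyName": "Doe", "givenName": "Jane", "formatted": "Jane Doe"},
    "emails": [{"value": "jdoe@example.com", "type": "work", "primary": True}],
    "title": "Analyst",
    ENTERPRISE: {"department": "Risk"},
}

if __name__ == "__main__":
    for path in unsupported_attributes(SAMPLE_USER):
        print("candidate mapping to remove:", path)
```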

Q: Which value should I select in the Target Object Actions section?

A: In the Target Object Actions section, select Update only. Resolver’s current SCIM implementation does not allow Entra ID to add or delete groups directly.

Q: Which SCIM attribute mappings on groups should I enable for the Entra ID application?

A: Resolver only supports the below attributes. Additional attributes can be removed. 

  • displayName (this attribute is used by Entra to map user groups)

  • members

Note:
The standard Entra ID attribute mappings are generally recommended.

Q: How do I assign user groups and users to the new application?

A: Entra ID uses each group's DisplayName property to match groups. When matching groups:

  • The group must already exist in Resolver

  • The group's DisplayName in Entra must match the group name in Resolver

    • By default, the DisplayName of the group in Resolver is identical to the group name in the system; however, it can be updated via the API or after the group has been synced in Entra. Changing the DisplayName does not change the name of the group as it appears in Resolver.

 
