SCIM-Based User Provisioning

System for Cross-domain Identity Management (SCIM) defines a standard for exchanging identity information across different cloud app vendors. The objects that are exchanged using SCIM are called resources (like user resource, group resource etc). The purpose of SCIM is to automate the exchange of user identity information across apps for user provisioning.

A SCIM-enabled directory server (like Azure AD or Okta) can directly send user information to the SCIM server in Netskope cloud. This service is currently available for Microsoft Azure AD and Okta via REST API v2 token authentication.

Using REST API v2 for SCIM

1. Go to Settings > Tools > REST API v2.
2. Click New Token.
3. Enter a token name, and the desired expiration interval.
4. Click the Add Endpoint dropdown and search for SCIM.
5. Select the api/v2/scim/Users endpoint and click Save.
6. Repeat Step 4, and select the api/v2/scim/Groups endpoint, and click Save.
7. Adjust permissions of the two endpoints that were just selected to support the ability to manage users and groups.

   

8. Click Save.
9. When the Success window opens, copy token to a safe place.

   Note

   This token can not be retrieved in the future. If you lose the token, you must reissue the token again.

10. In your IdP SCIM client, use the new URL for SCIM and Token that you generated.
    • https://<tenant-name>.goskope.com/api/v2/scim
    • Token obtained in step 9

For specific integration instructions, go to:

Follow the instructions specified for the respective applications to the app and provision users. Once complete, test the connection. If the test succeeds, the SCIM integration process is complete. For more details about SCIM integrations with Azure and Okta, go to:

Microsoft Azure Support

Netskope currently supports the following:

Okta Support

Netskope currently supports the following: