User Provisioning with SCIM
☝️ This feature is only available to workspaces using the Enterprise Plan.
You can use SCIM (System for Cross-domain Identity Management) to manage your workspace’s users in Kutano through an Identity Provider of your choice.
What Can You Do with SCIM?
When you set up SCIM provisioning, the Enterprise workspace owner or admins will be able to automate critical features of user management in Kutano.
Adding a New User into your Kutano Workspace
Provisioning new user access to the Kutano app in your identity provider will automatically create a user account in Kutano. This new user will also be invited to your workspace with the role details you’ve already set up through a settings page in Kutano (see the Enabling User Provisioning section below for more information).
Removing Members from your Kutano Workspace
If a user leaves your organization, de-provisioning the user from the Kutano app in your identity provider will automatically trigger an action to remove the user from your workspace in Kutano.
⚠️ Even though users will lose access to your workspace, their account will still exist and be marked as disabled.
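A check an admin can run after de-provisioning, given as an added example (not Kutano's code): it compares the users assigned in the identity provider with a SCIM user listing and reports accounts that are still active without an assignment. It assumes the listing is a standard SCIM 2.0 ListResponse (RFC 7644) carrying `userName` and `active`; the sample data and the names `reconcile` and `is_active` are constructed for illustration.

```python
# Added example: reconcile IdP assignments against a SCIM 2.0 user listing.
# All data below is constructed; it is not output from Kutano's API.
SCIM_LIST_RESPONSE = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 4,
    "Resources": [
        {"id": "u1", "userName": "alice@example.com", "active": True},
        {"id": "u2", "userName": "bob@example.com", "active": False},
        {"id": "u3", "userName": "Carol@Example.com", "active": True},
        {"id": "u4", "userName": "dave@example.com", "active": "True"},
    ],
}
# Users currently assigned to the application in the identity provider.
IDP_ASSIGNED = {"alice@example.com", "carol@example.com", "erin@example.com"}


def is_active(resource):
    """Read 'active'; some SCIM clients send the boolean as a string.
    A missing attribute is treated as active so the account gets reviewed."""
    value = resource.get("active", True)
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)


def reconcile(list_response, idp_assigned):
    resources = list_response.get("Resources", [])
    # A partial page would hide accounts, so refuse to report on it.
    if list_response.get("totalResults", len(resources)) > len(resources):
        raise ValueError("listing is paginated; fetch every page first")
    # userName is case-insensitive in the SCIM core schema (RFC 7643).
    assigned = {name.casefold() for name in idp_assigned}
    seen = set()
    report = {"orphaned_active": [], "disabled": [], "not_provisioned": []}
    for res in resources:
        name = res["userName"].casefold()
        seen.add(name)
        if not is_active(res):
            report["disabled"].append(name)         # access already removed
        elif name not in assigned:
            report["orphaned_active"].append(name)  # de-provisioning missed
    report["not_provisioned"] = sorted(assigned - seen)
    return report


if __name__ == "__main__":
    for category, names in reconcile(SCIM_LIST_RESPONSE, IDP_ASSIGNED).items():
        print(f"{category}: {names}")
```

Any entry under `orphaned_active` is an account that kept workspace access after its assignment was removed and should be investigated first.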
Enabling User Provisioning
To enable user provisioning with SCIM, Enterprise workspace admins should complete the following steps in Kutano.
- In Kutano, navigate to Workspace admin -> Workspace settings using the sidebar. Scroll down to the User Provisioning section. You will see the current user provisioning settings.
- Click on the Edit icon to display a dialog that lets you modify the SCIM settings for the workspace.
- Click on the Enable SCIM provisioning checkbox to enable SCIM.
- Click the Generate token button. A new string of characters will appear in the Token field.
- Keep this dialog open while we configure the SCIM identity provider.
- Then copy the generated token to your clipboard. You’ll use this token and Kutano’s SCIM API URL while configuring your identity provider to allow SCIM provisioning for your Kutano workspace.
NOTE: You can enable/disable SCIM provisioning anytime without revoking your SCIM token entirely.
NOTE: You can always re-generate a new SCIM Token. However, you must update your identity provider to use the new token after such an action.
Configuring SCIM Identity Provider
Kutano currently supports Microsoft Entra ID as a SCIM Identity Provider.
Configuring Microsoft Entra ID
NOTE: If you haven't already set up an Enterprise Application in Microsoft, see SAML with Microsoft Entra ID.
- Open a new browser window. This will allow you to see the Microsoft and Kutano entry screens at the same time.
- Log in as an Azure administrator to https://portal.azure.com.
- Select Microsoft Entra ID in the main navigation panel.
- Select Enterprise Applications from the subcategory panel.
- Open the Enterprise Application you wish to use with Kutano.
- Click on the Provisioning button from the left-hand navigation panel.
- If this is your first time on this screen, click on the Get Started button.
- In the Provisioning dialog, set the Provisioning Mode to Automatic. Ensure that the Admin Credentials panel appears, allowing you to enter two fields from Kutano.
- From the Kutano SCIM Provisioning information panel, copy the Tenant URL and Secret Token into the same inputs on the Microsoft Entra ID Admin Credentials panel.
- Click on the Test Connection button.
Adding Users to be Provisioned
- While in the Provision dialog of Kutano Enterprise Application on Microsoft Entra ID, click on the Users and Groups menu item in the main navigation panel.
- Click the + Add user/group button.
- Select the users you want to provision for the Kutano application.
- Click the Assign button.
Manually Provisioning your First User
- While in the Provision dialog of Kutano Enterprise Application on Microsoft Entra ID, click on the Provision on demand menu item in the main navigation panel.
- Enter your first user's name into the Select a user or group search box.
- Once a user is selected, click on the Provision button.
- A confirmation dialog shows you the results of the provisioning.
- In the Kutano Workspace admin -> Users screen, you should see the newly provisioned user.
Start Automatic Provisioning
- While in the Provision dialog of Kutano Enterprise Application on Microsoft Entra ID, click on the Overview menu item in the main navigation panel.
- Click on the Start provisioning button. The initial provisioning can take up to an hour to complete.
NOTE: You can navigate to the Provisioning logs screen to diagnose problems.
Disabling User Provisioning
Disabling Provisioning on Microsoft Entra ID
- Log in as an Azure administrator to https://portal.azure.com.
- Select Microsoft Entra ID in the main navigation panel.
- Select Enterprise Applications from the subcategory panel.
- Open the Enterprise Application you wish to use with Kutano.
- Click on the Overview menu item from the left-hand navigation panel.
- Click the Stop provisioning button.
Disabling Provisioning in Kutano
- In Kutano, navigate to Workspace admin -> Workspace settings using the sidebar. Scroll down to the User Provisioning section.
- Click on the Edit icon to display a dialog that lets you modify the SCIM settings for the workspace.
- Un-check the Enable SCIM provisioning checkbox.
☝️ Disabling will cause authentication between your identity provider and Kutano’s SCIM API to fail, which means SCIM operations coming from your identity provider will also fail. You will need to remove the Kutano app from your identity provider to avoid these errors.