Available on Basic, Business plans
Admin privileges required
SCIM is an open API for managing identities between systems, primarily designed around the need to syndicate information between cloud services. In Stack Overflow Business, SCIM 2.0 support allows an Identity Provider to update the application with the user's activation status (Active/Deactivated) and/or permission (Admin/User). Unlike SAML 2.0, whose assertions are delivered to Stack Overflow Business only when the user connects, SCIM 2.0 sends requests as events occur on the Identity Provider. User status in the application is therefore updated in near real time when the change is made.
1. Supported activities
The SCIM 2.0 integration supports the following activities for users that have already been created in Stack Overflow Business:
Deactivate a user
Reactivate a deactivated user
Optionally promote/demote a user to/from Admin
SCIM 2.0 support does not allow users to be created. Users must still log on to Stack Overflow Business with a valid assertion from their Identity Provider to create an account. That is, Stack Overflow Business relies on Just In Time provisioning when a user presents a valid identity assertion and does not support user creation over SCIM 2.0.
Enabling SCIM 2.0 support does not disable user management options within Stack Overflow Business. That is, a user may be active in the Identity Provider, yet disabled in Stack Overflow Business through the user management UI.
2. Set up SCIM 2.0 support on Stack Overflow for Teams
NOTE: SCIM is only available once SSO authentication has been set up.
Navigate to Admin Settings -> Access Management -> SCIM integration where you will see three options:
Enable SCIM: Determines whether or not the SCIM 2.0 API is active. This checkbox must be selected to enable SCIM 2.0 support.
Generate a SCIM authorization bearer token: The shared secret needed to configure an Identity Provider for SCIM 2.0 integration. Treat this as a password. If lost, a new token must be generated and configured in your Identity Provider.
Allow SCIM to manage user roles: Determines whether or not the ability to promote/demote users to/from Admin is enabled.
Once these settings are configured, the rest of the work is done at the Identity Provider.
3. Configure the Identity Provider
The following instructions are general instructions for SCIM 2.0 compliant systems. If you are using one of the following Identity Providers, please follow the links for detailed configuration information.
The Identity Provider must send SCIM 2.0 requests to https://stackoverflowteams.com/c/[your_site]/auth/scim/v2. In addition, the following values must be sent as part of the user resource to correctly map the user and set their status:
userName: the User ID (must match the Display Name Assertion provided in /admin/access/authentication).
active: true/false. Determines whether the user should be deactivated or reactivated in Stack Overflow Business.
Required fields for SCIM 2.0 (these are commonly mapped for you by your Identity Provider; usually no action is needed on your part): name.givenName, name.familyName, emails.
userType (optional): Requires Allow SCIM to manage user roles to be checked on the SCIM Integration settings page on Stack Overflow Business. Takes values of either Registered or Admin. If set to Admin, the user is promoted to an Admin. If set to any other value (such as Registered), the user is demoted from Admin.
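The following Python example, added here and not taken from Stack Overflow or any Identity Provider, builds the user resource described above and prepares the request without sending it. The `/Users/{id}` path and the PUT method follow the SCIM 2.0 standard (RFC 7644) and are assumptions about this endpoint; the site name, user ID, e-mail address and `SCIM_TOKEN` variable are constructed.

```python
import json
import os
import urllib.parse
import urllib.request

BASE = "https://stackoverflowteams.com/c/{site}/auth/scim/v2"  # endpoint from the page
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"     # RFC 7643 core schema

def build_user(user_name, given, family, email, active, user_type=None):
    """Build a SCIM 2.0 User resource carrying the fields the page lists."""
    if not all((user_name, given, family, email)):
        raise ValueError("userName, name.givenName, name.familyName, emails are required")
    if not isinstance(active, bool):
        raise ValueError("active must be a JSON boolean, not the string 'true'/'false'")
    user = {
        "schemas": [USER_SCHEMA],
        "userName": user_name,  # must match the Display Name Assertion
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": email, "primary": True}],
        "active": active,
    }
    if user_type is not None:
        # Only acted on when "Allow SCIM to manage user roles" is checked;
        # any value other than "Admin" demotes the user.
        user["userType"] = user_type
    return user

def build_request(site, scim_id, user, token):
    """Prepare, without sending, a PUT that replaces one user resource.
    Assumption: the standard RFC 7644 /Users/{id} path below the base URL."""
    url = (BASE.format(site=urllib.parse.quote(site, safe=""))
           + "/Users/" + urllib.parse.quote(scim_id, safe=""))
    return urllib.request.Request(
        url,
        data=json.dumps(user).encode("utf-8"),
        method="PUT",
        headers={
            "Authorization": "Bearer " + token,  # the generated SCIM token
            "Content-Type": "application/scim+json",
        },
    )

if __name__ == "__main__":
    # Constructed sample values; the token comes from the environment, never source.
    token = os.environ.get("SCIM_TOKEN", "constructed-placeholder-token")
    user = build_user("jdoe", "Jane", "Doe", "jdoe@example.com", active=False)
    req = build_request("example-site", "1234", user, token)
    print(req.get_method(), req.full_url, json.dumps(user))
```

Because any `userType` other than Admin demotes the user, leave the attribute unmapped in the Identity Provider unless role management is intended.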