Automatic User Provisioning with SCIM

Posted by on August 14th, 2017
August 14th, 2017

If you’ve ever had to manually set up or delete accounts for every new or departing employee, you’ll understand the value of automatic provisioning. Today we’re excited to announce our new SCIM integration, which supports SCIM versions 2.0 and 1.1 and has been certified for two major identity providers, Okta and OneLogin.

SCIM logo

Improving User Management in the Age of Cloud

With the increasing use of cloud applications, the task of managing user access across domains has become even more resource-intensive and risky than before. We first addressed the problem of password management with the support of Single Sign-On (SSO) using SAML 2.0, allowing you to integrate your third-party identity providers with ThousandEyes for authentication into the platform, improving both security and user experience.

Now, ThousandEyes has taken a step further toward simplifying the user management process by implementing a frequently requested feature: automatic user provisioning. We recognize that it’s crucial for our customers to ensure that employees get access to exactly the right set of business resources at the right time, especially due to the sensitive nature of ThousandEyes data. By using the new SCIM integration to automate the onboarding and offboarding process, administrators can now save a great deal of time and risk associated with security and human error.

What’s SCIM?

SCIM (System for Cross-Domain Identity Management) is a popular open standard for automating the exchange of user identity information between IT systems. Already adopted by many major identity providers (IdPs), it works as a common language for IdPs to automatically communicate user information to and from other service providers like ThousandEyes. The current standard, SCIM 2.0, is published as IETF RFCs 7642, 7643 and 7644.

Using SCIM, you’ll be able to automatically provision, update and deprovision ThousandEyes users through identity providers including Okta and OneLogin. Here’s an example of SCIM in action: an administrator creates a new user in Okta who is assigned to the ThousandEyes application. Okta then uses the SCIM API to communicate the new user identity information to ThousandEyes, and the same user is then automatically created in ThousandEyes. Synchronization works bidirectionally, so new information — whether related to user creation, updates or deletion — can be communicated in the other direction as well, from ThousandEyes to Okta.

So what can our SCIM integration do for you?

  • Get the convenience of automatic provisioning: You’ll no longer have to manually create accounts for each new employee and each cloud application they need.
  • Decrease risk related to security and human error: Fat-finger errors and lags between changes in employee work status and access to sensitive resources will be a thing of the past.
  • Works “out of the box”: You won’t need to build and maintain your own API service to implement automatic provisioning with ThousandEyes — we’ve already done it for you.

Using SCIM can make the lives of a number of people in your organization easier, including your IT, InfoSec and development teams. Our new SCIM integration can be particularly helpful if you have dozens or even hundreds of ThousandEyes users to provision and maintain, or if you have a dynamic workforce that requires rapid provisioning and deletion. Below, we’ll talk about how you can get started with SCIM.

Using the SCIM Integration with ThousandEyes

Check out our Knowledge Base documentation for more details on our SCIM implementation and how you can get set up with your identity provider. There are separate articles for setting up the SCIM integration with Okta, OneLogin or another identity provider that supports SCIM. The ThousandEyes integration can be used with any provider that supports SCIM; if you have questions getting set up with a provider that has not been verified, please reach out to our Customer Success team. Stay tuned as our SCIM integration is certified for additional identity providers.

Keep in mind that due to the structure and high degree of customization of ThousandEyes account settings, our integration does not provide for the group schema as defined by the SCIM standard. When users are created in ThousandEyes via SCIM, they will be given a default role that can be customized, whether it’s a ‘Regular User,’ ‘Account Admin,’ or other role.

You can now truly “set it and forget it” with the new SCIM integration — get set up today, and then put your feet up and relax.

Processing...