System for Cross-domain Identity Management (SCIM) is an open standard that automates the exchange of user identity information between two systems. This article provides information on configuring SCIM to exchange user identity information between your identity provider and MoEngage.
Operations Supported
SCIM enables the following user management operations:
- Create users: Create users in MoEngage directly from your identity provider.
- Update users: Update user information, such as their role, in MoEngage from your identity provider.
- Retrieve user information: Retrieve a list of all users on MoEngage and their information.
- Revoke user access: Revoke a user’s access to MoEngage from your identity provider.
Prerequisites
Single Sign-On (SSO) must be configured for your MoEngage account.
Configure SCIM
To configure SCIM in the MoEngage UI, perform the following steps:
- On the left navigation menu in the MoEngage UI, click Settings > Account > Security.
- On the Security page, click the Login tab.
- Click Single Sign On (SSO) only.
- Under Single sign on, turn the Enable SCIM Provisioning toggle on.
- In the Base Connector URL field, copy the URL and paste it into your identity provider’s settings.
- In the Default role list, select the required role.
  Information: This role is used as a fallback value if the identity provider does not assign any role value to the user.
- In the Expiry date box, select the expiry date for the SCIM access token.
  Information: The SCIM access token expires after the validity period you set. After that, you must generate a new access token and update it in the identity provider’s settings. It is advisable to generate it for a longer duration, for example, one year.
- Click Generate Access Token. The Generate Access Token pop-up window is displayed.
- Copy the access token and paste it into your identity provider’s settings.
  Information: You can view the access token only once, so ensure that you copy it.
- After you enter the Base Connector URL and Access Token in your identity provider’s settings successfully, the SCIM status on MoEngage changes from Inactive to Active.
Operations (Attribute Information)
The following tables detail the attributes used for SCIM operations. Use this information to understand the data exchange between your identity provider and MoEngage to ensure consistency and proper configuration.
Information: The tables are for reference only.
Create User
When you create a user through SCIM, your identity provider sends a request to MoEngage with a set of attributes. The following table defines the parameters you can include in the user creation request:
Parameter | Required | Updatable | Description |
---|---|---|---|
userName | Yes | Yes | The user's email address. The SCIM protocol requires this field, which must match the email value. |
givenName | Yes | No | The user's first name, as displayed in the MoEngage UI. |
familyName | Yes | No | The user's last name, as displayed in the MoEngage UI. |
emails | Yes | No | The user's email address acts as the primary identifier in MoEngage. |
role | Yes | Yes | The user's role in MoEngage. The role is case sensitive and must already exist in the platform. |
Update or Revoke User Access
When you update or revoke a user's access, your identity provider sends a request to MoEngage. A single API handles this process by updating the user's information or revoking their access by changing their active attribute. The following table defines the parameters you can use for the requests:
Parameter | Required | Updatable | Description |
---|---|---|---|
userName | Yes | No | The user's email address. The SCIM protocol requires this field, which must match the email value. |
givenName | Yes | No | The user's first name, as displayed in the MoEngage UI. |
familyName | Yes | No | The user's last name, as displayed in the MoEngage UI. |
emails | Yes | No | The user's email address acts as the primary identifier in MoEngage. |
role | Yes | Yes | The user's role in MoEngage. The role is case sensitive and must already exist in the platform. |
active | Yes | Yes | This value determines whether the user can access MoEngage. When the user is created, this value is set to true by default. To revoke a user's access, set it to false. |
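The rules in the Create User and Update or Revoke User Access tables can be checked on the identity provider side before a payload is sent. The following is an added example, not MoEngage code: it assumes the standard SCIM core User layout for `name` and `emails` and assumes `role` is sent as a top-level string; the function names, roles, and user are constructed for illustration.

```python
# Pre-flight checks for SCIM user payloads, based on the attribute tables above.
# Assumptions (not stated on this page): name/emails use the SCIM core User
# layout, and "role" is carried as a top-level string attribute.

# "Updatable" column of the Update or Revoke User Access table.
UPDATABLE = {"userName": False, "givenName": False, "familyName": False,
             "emails": False, "role": True, "active": True}

# Constructed sample data (not real MoEngage roles or users).
ROLES = {"Admin", "Marketer"}
ALICE = {"userName": "alice@example.com",
         "name": {"givenName": "Alice", "familyName": "Ng"},
         "emails": [{"value": "alice@example.com", "primary": True}],
         "role": "Marketer", "active": True}

def flatten(user):
    """Map a SCIM User resource onto the parameter names used in the tables."""
    name = user.get("name") or {}
    emails = user.get("emails") or []
    primary = next((e for e in emails if e.get("primary")),
                   emails[0] if emails else {})
    return {"userName": user.get("userName"), "givenName": name.get("givenName"),
            "familyName": name.get("familyName"), "emails": primary.get("value"),
            "role": user.get("role"), "active": user.get("active")}

def check_create(user, existing_roles):
    """Return a list of problems for a create request; empty means it passes."""
    f, problems = flatten(user), []
    for key in ("userName", "givenName", "familyName", "emails", "role"):
        if not f[key]:
            problems.append(f"missing required attribute: {key}")
    if f["userName"] and f["emails"] and f["userName"] != f["emails"]:
        problems.append("userName must match the email value")
    if f["role"] and f["role"] not in existing_roles:  # exact, case-sensitive
        problems.append(f"role {f['role']!r} does not exist (case sensitive)")
    return problems

def check_update(current, desired, existing_roles):
    """Check an update or revoke: required fields, role, non-updatable changes."""
    old, new = flatten(current), flatten(desired)
    problems = check_create(desired, existing_roles)
    if new["active"] is None:  # False is valid: it revokes access
        problems.append("missing required attribute: active")
    for key, can_change in UPDATABLE.items():
        if not can_change and old[key] != new[key]:
            problems.append(f"{key} is not updatable")
    return problems
```

Passing the role list exported from your MoEngage account as `existing_roles` catches case mismatches such as `marketer` versus `Marketer` before the identity provider sends the request.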