System for Cross-domain Identity Management (SCIM)

System for Cross-domain Identity Management (SCIM) is an open standard that automates the exchange of user identity information between two systems. This article provides information on configuring SCIM to exchange user identity information between your identity provider and MoEngage.

Operations Supported

SCIM enables the following user management operations:

  • Create users: Create users in MoEngage directly from your identity provider.
  • Update users: Update user information, such as their role, in MoEngage from your identity provider.
  • Retrieve user information: Retrieve a list of all users on MoEngage and their information.
  • Revoke user access: Revoke a user’s access to MoEngage from your identity provider.

Prerequisites

Single Sign-On (SSO) must be configured for your MoEngage account.

Information

  • You must have Setup & Manage permissions for the Login component to enable SCIM on MoEngage.

  • Enabling SCIM disables all user management operations (except Unblock User) on the MoEngage UI.

  • The SCIM access token expires on the date you set. It is recommended that you set a longer validity period, such as one year, then generate a new token and update it in your identity provider’s settings before the current one expires.

  • The access token is viewable only once, so you must copy it when it is generated.

Configure SCIM

To configure SCIM in the MoEngage UI, perform the following steps:

  1. On the left navigation menu in the MoEngage UI, click Settings > Account > Security.
  2. On the Security page, click the Login tab.
  3. Click Single Sign On (SSO) only.
  4. Under Single sign on, turn the Enable SCIM Provisioning toggle on.
  5. In the Base Connector URL field, copy the URL and paste it into your identity provider’s settings.
  6. In the Default role list, select the required role.
    Information: This role is used as a fallback value if the identity provider does not assign any role value to the user.
  7. In the Expiry date box, select the expiry date for the SCIM access token.
    Information: The SCIM access token expires after the validity period you set. After that, you must generate a new access token and update it in the identity provider’s settings. It is advisable to set a longer validity period, for example, one year.
  8. Click Generate Access Token. The Generate Access Token pop-up window is displayed.
  9. Copy the access token and paste it into your identity provider’s settings.
    Information: You can view the access token only once, so ensure that you copy it.
  10. After you enter the Base Connector URL and Access Token in your identity provider’s settings successfully, the SCIM status on MoEngage changes from Inactive to Active.

Operations (Attribute Information)

The following tables detail the attributes used for SCIM operations. Use this information to understand the data exchange between your identity provider and MoEngage to ensure consistency and proper configuration.

Information: The tables are for reference only.

Create User

When you create a user through SCIM, your identity provider sends a request to MoEngage with a set of attributes. The following table defines the parameters you can include in the user creation request:

| Parameter | Required | Updatable | Description |
| --- | --- | --- | --- |
| userName | Yes | Yes | The user's email address. The SCIM protocol requires this field, which must match the email value. |
| givenName | Yes | No | The user's first name, as displayed in the MoEngage UI. |
| familyName | Yes | No | The user's last name, as displayed in the MoEngage UI. |
| emails | Yes | No | The user's email address acts as the primary identifier in MoEngage. |
| role | Yes | Yes | The user's role in MoEngage. The role is case sensitive and must already exist in the platform. |

Update or Revoke User Access

When you update or revoke a user's access, your identity provider sends a request to MoEngage. A single API handles this process by updating the user's information or revoking their access by changing their active attribute. The following table defines the parameters you can use for the requests:

| Parameter | Required | Updatable | Description |
| --- | --- | --- | --- |
| userName | Yes | No | The user's email address. The SCIM protocol requires this field, which must match the email value. |
| givenName | Yes | No | The user's first name, as displayed in the MoEngage UI. |
| familyName | Yes | No | The user's last name, as displayed in the MoEngage UI. |
| emails | Yes | No | The user's email address acts as the primary identifier in MoEngage. |
| role | Yes | Yes | The user's role in MoEngage. The role is case sensitive and must already exist in the platform. |
| active | Yes | Yes | This value determines whether the user can access MoEngage. When the user is created, this value is set to true by default. To revoke a user's access, set it to false. |
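
A pre-flight check that applies the constraints in the two tables above to a user payload before the identity provider sends it, as an added example that is not MoEngage's code. The attribute layout follows the SCIM core User schema (RFC 7643); the top-level `role` field, `KNOWN_ROLES` and the sample request are assumptions constructed for illustration.

```python
# Added example, not MoEngage code. Layout assumptions: name.* and emails[].value follow
# the SCIM core User schema (RFC 7643); "role" is assumed to be a top-level string.
KNOWN_ROLES = {"Admin", "Marketer"}  # constructed: roles that already exist in MoEngage

SAMPLE_REVOKE = {  # constructed revoke request with two deliberate mistakes
    "userName": "jane.doe@example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"value": "jane.doe@example.com", "primary": True}],
    "role": "admin",      # wrong case
    "active": "false",    # string, not a boolean
}


def primary_email(user):
    """Return the email marked primary, else the first one, else None."""
    emails = [e for e in user.get("emails") or [] if isinstance(e, dict) and e.get("value")]
    for e in emails:
        if e.get("primary"):
            return e["value"]
    return emails[0]["value"] if emails else None


def validate_user(user, operation="create", known_roles=KNOWN_ROLES):
    """Return a list of problems; an empty list means the payload matches the tables."""
    problems = []
    name = user.get("name") or {}
    email = primary_email(user)
    required = (("userName", user.get("userName")), ("givenName", name.get("givenName")),
                ("familyName", name.get("familyName")), ("emails", email),
                ("role", user.get("role")))
    problems += [f"missing required attribute: {label}" for label, value in required if not value]
    # userName must match the email value (compared exactly here).
    if user.get("userName") and email and user["userName"] != email:
        problems.append("userName does not match the email value")
    # The role is case sensitive and must already exist, so no case folding when matching.
    role = user.get("role")
    if role and (not isinstance(role, str) or role not in known_roles):
        hint = next((r for r in known_roles if r.lower() == str(role).lower()), None)
        problems.append(f"role {role!r} does not exist" + (f" (did you mean {hint!r}?)" if hint else ""))
    # Update/revoke requests require active; SCIM defines it as a boolean (RFC 7643).
    if operation == "update" and not isinstance(user.get("active"), bool):
        problems.append("active must be the boolean true or false on update or revoke")
    return problems


if __name__ == "__main__":
    for problem in validate_user(SAMPLE_REVOKE, "update"):
        print(problem)
```

A revoke request that fails these checks is worth catching before it is sent, because the user stays active in MoEngage until a request with `active` set to false is accepted.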

 
