Learn how to configure a SCIM user directory integration.
Overview
To configure a SCIM integration between your Identity Provider (IdP) and Kandji, you will need to:
- Create a new SCIM Directory Integration in Kandji.
- Obtain the SCIM API URL and API token from Kandji to use with your IdP.
- Access your IdP to create an app integration and map SCIM attributes.
After completing the steps in this article, refer to the IdP-specific article for information on how to configure SCIM within your IdP.
Create a New SCIM Directory Integration
- Navigate to Integrations in the left-hand navigation bar.
- Click Discover integrations in the upper-right of the Integrations page.
- On the SCIM tile, click Add and configure.
- Click Get started.
- Enter a unique name for the SCIM integration.
- Click Generate token. The SCIM user directory integration uses an HTTP authorization header with a Bearer Token as the authentication method.
- Click Copy token.
- Confirm that you have copied the token and that you understand you will need to change the token if you want to see the token details again.
- Click Done. You will return to the Integrations page.
Obtain the SCIM API URL
Your SCIM API URL will be in the format of https://subdomain.clients.us-1.kandji.io/api/v1/scim.
- Click the ellipsis on the SCIM directory integration you just created.
- Select View Details.
- Copy the SCIM API URL; your identity provider will require this.
- Click Close.
SCIM schema and supported attributes
Kandji supports the following SCIM attributes. Refer to these attributes when mapping your SCIM application in your IdP.
- userName
  - Unique identifier for the user, used to authenticate to the service provider.
  - This attribute is required.
- name.formatted
  - The user's full name (for example, "John Doe").
  - This attribute or the displayName attribute is required.
- displayName
  - The user's full name (for example, "John Doe").
  - This attribute or the name.formatted attribute is required.
- active
  - The user's status within the identity provider.
  - Kandji moves soft-deleted and inactive users to the Archived Users section of Kandji.
- emails.value
  - The user's email address as a subattribute of emails.
  - Kandji only stores the first email in the list.
When using SCIM to sync users from a directory, the SCIM app automatically sends new information to Kandji, so there is no need for a Sync Now button that you'd see when using the native Azure Active Directory or Google Workspace directory integrations.
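Before mapping attributes in your IdP, you can check a sample SCIM User payload against the attribute rules listed above. The following is an added example, not Kandji code: the function names, the sample user, and the KANDJI_SCIM_TOKEN environment variable are assumptions made for illustration, and the schema URN and media type come from the SCIM RFCs (7643 and 7644).

```python
import os

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643 core User schema

# Constructed sample of what an IdP might send; all values are made up.
SAMPLE = {
    "schemas": [CORE_USER],
    "userName": "jdoe@example.com",
    "displayName": "John Doe",
    "active": False,
    "emails": [{"value": "jdoe@example.com", "primary": True},
               {"value": "john.doe@alias.example.com"}],
}

def check_mapping(user):
    """Return a list of problems, per the attribute rules on this page."""
    problems = []
    if not str(user.get("userName") or "").strip():
        problems.append("userName is required")
    formatted = (user.get("name") or {}).get("formatted")
    if not (formatted or user.get("displayName")):
        problems.append("name.formatted or displayName is required")
    emails = user.get("emails") or []
    if any(not (e or {}).get("value") for e in emails):
        problems.append("emails entry has no value")
    if len(emails) > 1:
        problems.append("only the first email is stored")
    if "active" in user and not isinstance(user["active"], bool):
        problems.append("active must be a JSON boolean")  # RFC 7643 type
    return problems

def stored_view(user):
    """Model of the documented outcome: first email kept, inactive users archived.
    Treating a missing 'active' as not archived is an assumption."""
    emails = user.get("emails") or []
    return {"userName": user.get("userName"),
            "email": (emails[0] or {}).get("value") if emails else None,
            "archived": user.get("active") is False}

def auth_headers(token=None):
    """Bearer header as described above; KANDJI_SCIM_TOKEN is a hypothetical
    variable name, used so the token never sits in source or shell history."""
    token = token or os.environ.get("KANDJI_SCIM_TOKEN", "")
    if not token:
        raise ValueError("SCIM token not provided")
    return {"Authorization": f"Bearer {token}",
            "Content-Type": "application/scim+json"}  # RFC 7644 media type

if __name__ == "__main__":
    print(check_mapping(SAMPLE), stored_view(SAMPLE))
```

For the sample user, the check flags the second email address, and the modeled result shows the user as archived because active is false.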