System for Cross-Domain Identity Management (SCIM)

This feature is only available to Archer SaaS customers.

SCIM is an open standard protocol for managing user identities and related resources across systems and domains. With Archer’s SCIM integration you can automate user provisioning from your IDP, so that user information is synced from the IDP into Archer without manual account creation.

For information on SCIM see the SCIM website: https://scim.cloud/.

Important: The audience for this topic is the Archer IT administrator. This content assumes that the IT administrator is familiar with provisioning.

Integrating SCIM provisioner with identity provider

You must complete the following tasks to integrate your IDP with the SCIM Provisioner service. This service connects your IDP to your Archer instance.

  1. Download the SCIM application.

  2. Configure the SCIM application.

Download SCIM application

Download the SCIM application. Any IDP that supports the SCIM protocol provides a SCIM application in its application catalog that can be used for the integration.

The list of IDPs which support SCIM protocol are listed on the SCIM website: https://scim.cloud/#Implementations2

Configure SCIM application

You must configure the following items.

The configuration steps vary slightly between IDPs (OneLogin, Okta, Azure AD, and so forth). See the SCIM website for IDP-specific configuration information: https://scim.cloud/#Implementations2

The items below are common to all IDPs and are required to establish the connection between your IDP and your Archer instance.

SCIM Base URL

Your IDP reaches the SCIM Provisioner through your unique SCIM Base URL, which you must enter in the IDP SCIM application. Your Archer representative provides this URL to you.

The SCIM Base URL is your vanity URL with a scim label inserted after the tenant name. For example, if your vanity URL is https://xyz-prod.archerirm.com, the SCIM Base URL is https://xyz-prod.scim.archerirm.com. If the value your representative provides differs from this pattern, use the provided value.

Bearer token

The bearer token (authentication token) is what your IDP presents to the SCIM Provisioner service on every request to prove that it is allowed to provision into your instance.

The token is the base64 encoding of a JSON object with the three members below (sample values shown). The instance ID is your Archer instance ID; the username and password must be the credentials of an Archer user account.

"instanceId": 10001,
"username": "customerscimuser",
"password": "Scim2024!!"

Base64 is an encoding, not encryption: anyone who obtains the token can decode it and read the username and password. Treat the token with the same care as the password itself: generate it on a machine you control rather than in an online encoding tool, store it only in the IDP's SCIM application configuration, and regenerate it whenever the account password changes.

If multiple IDPs connect to the same Archer instance, use a different Archer account (and therefore a different token) for each of them, so that one IDP's credentials can be revoked or rotated without affecting the others.

Generate a bearer token

  1. Run the following script with a local Python 3 interpreter. Do not paste it into an online compiler: the script contains your Archer credentials, and an online compiler sends them to a third party.

  2. Update the three values described in the Bearer token section, then run the script. The output is the bearer token.

import json
import base64

# The three values from the Bearer token section (sample values shown)
data = {
    "instanceId": 10001,
    "username": "customerscimuser",
    "password": "Scim2024!!"
}

# Serialize to JSON, then base64-encode the UTF-8 bytes
json_data = json.dumps(data)
encoded_data = base64.b64encode(json_data.encode('utf-8')).decode('utf-8')

# The printed string is the bearer token to enter in the IDP SCIM application
print(encoded_data)
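As an added example (not part of the original page and not Archer's own tooling), the script below builds the SCIM Base URL from the vanity URL using the pattern shown in the SCIM Base URL section, creates the bearer token with the same construction as the script above, decodes it again to show that the credentials are recoverable from it, assembles the HTTP headers an IDP sends with it, and checks that several IDPs are not sharing one Archer account. Two things are assumptions: the URL derivation follows the page's single example, and the header names follow the standard bearer scheme (RFC 6750) and SCIM media type (RFC 7644); confirm both against what your Archer representative provides.

```python
import base64
import json
from urllib.parse import urlsplit, urlunsplit

REQUIRED_FIELDS = ("instanceId", "username", "password")


def derive_scim_base_url(vanity_url: str) -> str:
    """Insert a 'scim' label after the tenant label, following the page's example
    (https://xyz-prod.archerirm.com -> https://xyz-prod.scim.archerirm.com).
    Assumption: the pattern holds for every tenant; prefer the URL your Archer
    representative gives you if it differs."""
    parts = urlsplit(vanity_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("vanity URL must be an https URL with a host name")
    labels = parts.hostname.split(".")
    if len(labels) < 3:
        raise ValueError("expected <tenant>.<domain>.<tld>, got %r" % parts.hostname)
    host = ".".join([labels[0], "scim", *labels[1:]])
    return urlunsplit((parts.scheme, host, "", "", ""))


def make_bearer_token(instance_id: int, username: str, password: str) -> str:
    """Same construction as the page's script: base64 of the JSON object."""
    payload = {"instanceId": instance_id, "username": username, "password": password}
    return base64.b64encode(json.dumps(payload).encode("utf-8")).decode("ascii")


def decode_bearer_token(token: str) -> dict:
    """Reverse the encoding and check the three required members are present.
    Base64 is reversible: this is exactly what anyone who captures the token can
    do, which is why the token must be handled like the password it contains."""
    try:
        data = json.loads(base64.b64decode(token, validate=True))
    except ValueError as exc:  # binascii.Error and JSONDecodeError both derive from it
        raise ValueError(f"not a valid bearer token: {exc}") from None
    missing = [f for f in REQUIRED_FIELDS if f not in data]
    if missing:
        raise ValueError(f"token is missing {missing}")
    if not isinstance(data["instanceId"], int) or isinstance(data["instanceId"], bool):
        raise ValueError("instanceId must be a JSON integer, not a string")
    return data


def scim_headers(token: str) -> dict:
    """Headers an IDP (or a curl smoke test) sends to the SCIM Provisioner.
    Assumption: the standard HTTP bearer scheme and SCIM media type are used."""
    return {"Authorization": f"Bearer {token}", "Accept": "application/scim+json"}


def shared_credentials(tokens_by_idp: dict) -> list:
    """Return (idp_a, idp_b) pairs whose tokens resolve to the same Archer account
    on the same instance; the page requires a distinct credential per IDP."""
    seen = {}
    clashes = []
    for idp, token in sorted(tokens_by_idp.items()):
        data = decode_bearer_token(token)
        key = (data["instanceId"], data["username"])
        if key in seen:
            clashes.append((seen[key], idp))
        else:
            seen[key] = idp
    return clashes


if __name__ == "__main__":
    # Constructed sample values matching the page's example (not real credentials)
    token = make_bearer_token(10001, "customerscimuser", "Scim2024!!")
    print("SCIM Base URL:", derive_scim_base_url("https://xyz-prod.archerirm.com"))
    print("Bearer token :", token)
    print("Decodes to   :", decode_bearer_token(token))
    print("Headers      :", scim_headers(token))
    print("Shared creds :", shared_credentials({"okta": token, "onelogin": token}))
```

Running the decoder on a token you were handed is a quick way to confirm it was built against the right instance ID before you troubleshoot a failing IDP connection, and a convenient reminder that the token must never be committed to a ticket or a repository.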

SCIM JSON template for User schema

The SCIM JSON template defines the JSON body that your IDP sends to Archer for each provisioned user, mapping IDP attributes onto the attributes Archer requires. The {$parameters.…} placeholders are replaced by the IDP with each user's mapped values before the request is sent.

Here is an example template.

{
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
        "urn:ietf:params:scim:schemas:extension:Archer:2.0:User"
    ],
    "userName": "{$parameters.scimusername}",
    "name": {
        "givenName": "{$parameters.firstname}",
        "middleName": "{$parameters.familyname}",
        "familyName": "{$parameters.lastname}"
    },
    "title": "{$parameters.title}",
    "displayName": "{$parameters.firstname}",
    "profileUrl": "{$parameters.profile_url}",
    "userType": "{$parameters.user_type}",
    "preferredLanguage": "{$parameters.preferred_language}",
    "locale": "{$parameters.locale}",
    "timezone": "{$parameters.time_zone}",
    "emails": [
        {
            "value": "{$parameters.email}",
            "type": "Business",
            "primary": true
        }
    ],
    "phoneNumbers": [
        {
            "value": "{$parameters.phone}",
            "type": "Business",
            "primary": true
        }
    ],
    "groups": [],
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
        "organization": "{$parameters.company}",
        "division": "{$parameters.division}",
        "department": "{$parameters.department}"
    },
    "urn:ietf:params:scim:schemas:extension:Archer:2.0:User": {
        "domainId": null,
        "defaultHomeDashboardId": "{$parameters.default_home_dashboard_id}",
        "defaultHomeWorkspaceId": "{$parameters.default_home_workspace_id}",
        "enableApproveContentByEmail": "{$parameters.enable_approve_content_by_email}",
        "forcePasswordChange": "{$parameters.force_password_change}",
        "additionalNote": "{$parameters.additional_note}",
        "securityId": "{$parameters.security_id}"
    }
}

Each extension block is keyed by the same URN that is declared in the schemas array (RFC 7643); a key that does not match a declared schema URN is not recognised as that extension.

Custom parameter mapping

To provision additional user fields, add the corresponding parameters through the custom parameter mapping of the IDP you are using. Every {$parameters.…} placeholder used in the template must have a mapping in the IDP.
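As an added example for the template section and the custom parameter mapping above (not part of the original page and not Archer's or any IDP's code), the script below works on a trimmed copy of the template: it lists every parameter the IDP must map, flags extension blocks whose key is not declared in the schemas array, renders the template with a constructed set of mapped values while keeping booleans typed, and validates the result before it would be sent as a createUser body. The trimmed template and the sample parameter values are constructed for the example; the checks themselves follow RFC 7643 (schema-keyed extensions, required userName).

```python
import json
import re

# Matches a string that consists solely of one IDP parameter placeholder
PLACEHOLDER = re.compile(r"^\{\$parameters\.([A-Za-z0-9_]+)\}$")
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed, trimmed copy of the page's template: core attributes plus the
# enterprise and Archer extensions, enough to exercise the checks below
TEMPLATE = json.loads(r"""
{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
    "urn:ietf:params:scim:schemas:extension:Archer:2.0:User"
  ],
  "userName": "{$parameters.scimusername}",
  "name": {"givenName": "{$parameters.firstname}", "familyName": "{$parameters.lastname}"},
  "emails": [{"value": "{$parameters.email}", "type": "Business", "primary": true}],
  "groups": [],
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
    "department": "{$parameters.department}"
  },
  "urn:ietf:params:scim:schemas:extension:Archer:2.0:User": {
    "domainId": null,
    "forcePasswordChange": "{$parameters.force_password_change}",
    "securityId": "{$parameters.security_id}"
  }
}
""")


def placeholders(node) -> set:
    """Every parameter name the template expects the IDP to supply."""
    if isinstance(node, dict):
        return set().union(*(placeholders(v) for v in node.values()))
    if isinstance(node, list):
        return set().union(*(placeholders(v) for v in node))
    if isinstance(node, str):
        m = PLACEHOLDER.match(node)
        return {m.group(1)} if m else set()
    return set()


def undeclared_extensions(doc: dict) -> list:
    """Top-level extension keys (URN-style, containing ':') absent from 'schemas'.
    RFC 7643 keys extension attributes by the URI listed in 'schemas', so a key in
    another form (e.g. the SCIM 1.1 'urn:scim:...' URN) is not recognised as that
    extension by a SCIM 2.0 service provider."""
    declared = set(doc.get("schemas", []))
    return sorted(k for k in doc if ":" in k and k not in declared)


def render(node, params: dict):
    """Substitute placeholders with the IDP's mapped values. A whole-string
    placeholder takes the typed value (booleans stay booleans, not "true"); a
    parameter with no mapping is an error rather than a literal '{$parameters.x}'
    being provisioned into the Archer user record."""
    if isinstance(node, dict):
        return {k: render(v, params) for k, v in node.items()}
    if isinstance(node, list):
        return [render(v, params) for v in node]
    if isinstance(node, str):
        m = PLACEHOLDER.match(node)
        if m:
            name = m.group(1)
            if name not in params:
                raise KeyError(f"no IDP mapping for parameter {name!r}")
            return params[name]
    return node


def validate_user(doc: dict) -> list:
    """Problems that would make the rendered createUser body unusable."""
    problems = []
    if CORE_USER not in doc.get("schemas", []):
        problems.append("schemas must include the core User schema")
    if not doc.get("userName"):
        problems.append("userName is required and must be non-empty")
    problems += [f"extension {k} is used but not declared in schemas"
                 for k in undeclared_extensions(doc)]
    left = placeholders(doc)
    if left:
        problems.append("unresolved placeholders: " + ", ".join(sorted(left)))
    return problems


# Constructed sample of what the IDP would map for one user (not real data)
SAMPLE_PARAMS = {
    "scimusername": "jdoe", "firstname": "Jane", "lastname": "Doe",
    "email": "jane.doe@example.com", "department": "Security",
    "force_password_change": True, "security_id": 1,
}

if __name__ == "__main__":
    print("parameters to map:", sorted(placeholders(TEMPLATE)))
    user = render(TEMPLATE, SAMPLE_PARAMS)
    print("problems:", validate_user(user) or "none")
    print(json.dumps(user, indent=2))
```

Run placeholders() against your full template to get the exact list of parameters that must exist in the IDP's custom parameter mapping, and run undeclared_extensions() after any edit to the template to catch an extension block that was renamed without updating the schemas array.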

Once a user is successfully provisioned, the user can log in using SSO. To log in to Archer manually instead, the Archer administrator must reset the password of the user's Archer account.

For Archer groups to appear as selectable values in the Provisioned Users/Under Parameter section of the SCIM app, the administrator must perform a refresh from the Provisioning tab of the SCIM app.

Supported endpoints

The Archer SCIM integration supports the following operations on the SCIM Users and Groups resources. Operations not in this list are not supported by the integration.

  • createGroup

  • getGroups

  • getGroupById

  • updateGroupById

  • deleteGroup

  • createUser

  • getUsers

  • getUserById

  • updateUserById

  • deleteUser