System for Cross-Domain Identity Management (SCIM)

This feature is only available to Archer SaaS customers.

SCIM is an open standard protocol designed to simplify the management of user identities and resources across different systems and domains.

Archer offers pre-tested configuration steps and detailed guidance for specific Identity Providers (IDPs), such as Microsoft Entra ID and OneLogin. Because SCIM is a standardized protocol, it also works with other SCIM-compliant IDPs. Organizations that use a different IDP can integrate with Archer by following the standard SCIM specification and adjusting their configuration as needed.

For information on SCIM, see https://scim.cloud/

Important: The audience for this topic is the Archer IT administrator or IDP administrator. This content assumes that the IT administrator is familiar with provisioning.

Integrating SCIM provisioner with IDP

  1. Download the SCIM application.

  2. Configure the SCIM application.

Download the SCIM application

IDPs that support the SCIM protocol usually offer a pre-built SCIM integration app in their application catalog. If you can't find this app, you can set up a custom application to enable the integration.

IDPs that support the SCIM protocol are listed on the SCIM website: https://scim.cloud/#Implementations2

Configure the SCIM application

You must configure the following items.

Configuration varies slightly among IDPs (OneLogin, Okta, Azure AD, and so forth). See the SCIM website for configuration information: https://scim.cloud/#Implementations2

The following common steps establish the connection between your IDP and your Archer instance.

SCIM Base URL

Your IDP accesses the SCIM Provisioner through a URL that is unique to your tenant, the SCIM Base URL (also called the Tenant URL). This URL must be configured in the IDP SCIM application. Your Archer representative provides it to you.

For example, if your vanity URL is https://xyz-prod.archerirm.com, then SCIM Base URL would be https://xyz-prod.scim.archerirm.com.

API Key

The API key authenticates requests to the SCIM Provisioner service. The Archer engineering team provides the necessary details, including the Base URL, for authenticating to the SCIM Provisioner service.

SCIM Attribute Mapping

This section provides an overview of attribute mappings supported by the Archer SCIM implementation. Mapping ensures user data flows accurately from the IDP to Archer.

All provisioning requests must include the following schemas:

  • User core schema: urn:ietf:params:scim:schemas:core:2.0:User

  • Enterprise schema: urn:ietf:params:scim:schemas:extension:enterprise:2.0:User

  • Archer custom schema: urn:ietf:params:scim:schemas:extension:Archer:2.0:User

Mandatory Fields for Archer:

  • userName

  • name.givenName (First Name)

  • name.familyName (Last Name)

Archer Supported SCIM Attribute Mapping

User Core Schema

URN: urn:ietf:params:scim:schemas:core:2.0:User

Archer Field | SCIM Attribute | Description
User Name * | userName * | Unique username for authentication.
First Name * | name.givenName * | First name of the user.
Last Name * | name.familyName * | Last name of the user.
Middle Name | name.middleName | Middle name of the user.
Title | title | Job title or position, for example Software Engineer.
Preferred Language | preferredLanguage | Language ID, for example 1 = English. This value overrides the default language set for the user.
Locale | locale | For example, en-US.
Time Zone | timezone | For example, Central Standard Time.
Account Status | active | Indicates whether the account is active: active = true, inactive = false.
Email | emails | List of email objects (see the example below).
Phone Number | phoneNumbers | List of phone number objects (see the example below).

* Mandatory field.

Example emails value:

"emails": [
  { "value": "sample@example.com", "type": "Business", "primary": true },
  { "value": "sample2@gmail.com", "type": "Other" }
]

Example phoneNumbers value:

"phoneNumbers": [
  { "value": "+1-555-555-1234", "type": "Business", "primary": true },
  { "value": "+1-555-555-5678", "type": "Mobile" }
]

Enterprise Schema

URN: urn:ietf:params:scim:schemas:extension:enterprise:2.0:User

Archer Field | SCIM Attribute | Description
Company | organization * | Company field

Archer Custom Schema

URN: urn:ietf:params:scim:schemas:extension:Archer:2.0:User

Archer Field | SCIM Attribute | Description
Domain ID | domainId | If your Archer instance has multiple domains, use the ID of the domain the user should belong to. Set it to "null" to default to the Archer domain.
Security Parameter | securityId | The security parameter assigned to the user. For example, 1 is the General User Parameter.
Advanced Workflow Actions By Email | enableApproveContentByEmail | Set this to True to enable Advanced Workflow updates. SCIM supports setting this flag. For complete setup instructions, see Building Advanced Workflows.
Force Password Change | forcePasswordChange | Determines whether the user is forced to change the password the next time they log in (true/false).
Additional Notes | additionalNote | Notes under the Account Notes section.
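The following is an added example, not Archer's own code, that checks a SCIM user payload against the requirements documented above (the three schema URNs and the three mandatory attributes) and flattens it into the Archer field names from the mapping tables. The sample payload is constructed; the placement of extension attributes under their URN key follows the SCIM 2.0 resource convention, and the payload-level checks are this example's own, not Archer's server-side validation.

```python
"""Check a SCIM 2.0 user payload against the Archer requirements documented above.
Added example, not Archer's code: schema URNs and mandatory fields come from the
mapping tables; the sample payload is constructed data."""

# Schemas every provisioning request must carry.
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
ARCHER_USER = "urn:ietf:params:scim:schemas:extension:Archer:2.0:User"
REQUIRED_SCHEMAS = (CORE_USER, ENTERPRISE_USER, ARCHER_USER)

# Mandatory attributes as dotted paths into the core resource.
MANDATORY = ("userName", "name.givenName", "name.familyName")


def get_path(resource, path):
    """Resolve a dotted path such as 'name.givenName'; None if any step is missing."""
    node = resource
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def validate_user(resource):
    """Return a list of problems; an empty list means the payload meets the
    documented requirements."""
    problems = []
    declared = set(resource.get("schemas", []))
    for urn in REQUIRED_SCHEMAS:
        if urn not in declared:
            problems.append(f"missing schema: {urn}")
    for path in MANDATORY:
        value = get_path(resource, path)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"mandatory attribute missing or empty: {path}")
    # SCIM 2.0 places extension attributes in a top-level object keyed by the
    # extension URN; a declared extension with no object carries no data.
    for urn in (ENTERPRISE_USER, ARCHER_USER):
        if urn in declared and not isinstance(resource.get(urn), dict):
            problems.append(f"schema declared but no attribute object present: {urn}")
    return problems


def to_archer_fields(resource):
    """Flatten the SCIM resource into the Archer field names from the mapping tables."""
    ent = resource.get(ENTERPRISE_USER, {})
    ext = resource.get(ARCHER_USER, {})
    return {
        "User Name": get_path(resource, "userName"),
        "First Name": get_path(resource, "name.givenName"),
        "Last Name": get_path(resource, "name.familyName"),
        "Middle Name": get_path(resource, "name.middleName"),
        "Title": resource.get("title"),
        "Account Status": resource.get("active"),
        "Company": ent.get("organization"),
        "Domain ID": ext.get("domainId"),
        "Security Parameter": ext.get("securityId"),
        "Force Password Change": ext.get("forcePasswordChange"),
    }


# Constructed sample payload (not from a real tenant).
SAMPLE_USER = {
    "schemas": list(REQUIRED_SCHEMAS),
    "userName": "sarah.example@example.com",
    "name": {"givenName": "Sarah", "familyName": "Example"},
    "title": "Software Engineer",
    "active": True,
    "emails": [{"value": "sarah.example@example.com", "type": "Business", "primary": True}],
    ENTERPRISE_USER: {"organization": "Example Corp"},
    ARCHER_USER: {"domainId": None, "securityId": 1, "forcePasswordChange": True},
}

# Same payload with the Archer extension undeclared and the family name blank.
BROKEN_USER = {
    **SAMPLE_USER,
    "schemas": [CORE_USER, ENTERPRISE_USER],
    "name": {"givenName": "Sarah", "familyName": ""},
}

if __name__ == "__main__":
    print(validate_user(SAMPLE_USER))
    print(validate_user(BROKEN_USER))
    print(to_archer_fields(SAMPLE_USER))
```

Run this against a payload captured from the IDP's SCIM application logs before the first provisioning cycle; a non-empty problem list means the IDP attribute mapping needs adjusting, not the Archer side.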

Group Schema

URN: urn:ietf:params:scim:schemas:core:2.0:Group

Archer Field | SCIM Attribute | Description
Group Name | display | Name of the group.
Group Members | members | List of group members.

SCIM use cases

  1. User Provisioning: Automatically creates user accounts in Archer when they are provisioned from the IDP.

  2. User Deprovisioning: Automatically removes users in Archer when they are deactivated or removed from the IDP. Deprovisioning is not immediate; to take effect immediately, on-demand provisioning must be used. Otherwise, it will follow the regular provisioning cycle.

  3. User Attribute Updates: Synchronizes changes to user profiles, such as name, email, and other details, from the IDP to Archer.

  4. Group Membership Mapping for Existing Groups: Manages user membership within Archer groups that are already established.

Important: Archer recommends that you create and configure groups manually instead of using SCIM. Ensure that the group you create in Archer matches the groups in your IDP. Once the groups are created, you can manage user memberships through SCIM.

SCIM use case examples

Joining a Company (Provisioning)

When Sarah joins the company and is added to Entra ID, SCIM automatically creates her account in Archer and assigns the correct department, manager, and access level without requiring any manual steps.

Leaving the Company (Deprovisioning)

When John resigns, his IT profile is deactivated in Entra. SCIM automatically deactivates his Archer account as well, ensuring no delays and no security gaps.

SCIM with SSO/Just-In-Time (JIT) enabled

Important: Before enabling JIT provisioning, make sure that the SCIM userName exactly matches the SAML Unique User Identifier (NameID). A mismatch between these values can result in duplicate user accounts for the same individual.

When both SCIM and SSO (with Just-In-Time provisioning) are enabled, user provisioning can occur in two ways:

  • SSO-based provisioning: Takes place during user login.

  • SCIM-based provisioning: Occurs on a regular schedule defined by the IDP.

Since both methods can provision and update user information, it's crucial to configure settings carefully to prevent conflicts and data inconsistencies.

Archer Control Panel Settings for SSO/JIT Provisioning

The Archer Control Panel (ACP) offers the following provisioning settings:

  • Enable User Provisioning: Allows users to be created dynamically upon their first login (JIT).

  • Enable User Update: Allows SSO to update user attributes during login.

  • Enable User Group Update: Allows SSO to update group membership during login.

Important: If user provisioning is managed through SCIM, Archer recommends disabling both the Enable User Update and the Enable User Group Update settings. This prevents SSO from overwriting attributes that SCIM already manages. Here, "user" refers to the end user.

Operate with SCIM and JIT enabled

With both SCIM and JIT enabled:

  • Users can be created dynamically at their first login via SSO.

  • SCIM continues to auto-provision users at the scheduled interval.

  • Whichever method runs first provisions the user in Archer.

If JIT (via SSO) provisions the user before SCIM, certain user attributes may be set or overwritten based on SAML claims. These claims might not fully align with SCIM configurations.

Note: JIT is enabled by selecting the "Enable User Provisioning" checkbox in the ACP.

Attribute conflicts between SCIM and SSO

When both SSO and SCIM are enabled, attribute conflicts can arise. During user login, SSO updates user attributes based on the Additional Claims defined in the SAML configuration. If an attribute provided by SCIM is not included in the SAML claims, SSO may overwrite or remove that data. This occurs only if "Enable User Update" is enabled in the ACP.

For example, if the title attribute is provisioned through SCIM but not included in the SAML claims, it will be cleared during the user's next SSO login. This can lead to confusion and data loss.

Even if the same IDP manages both SSO and SCIM, such mismatches can still occur unless claims are consistently aligned.
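The following is an added example, not Archer's own code, that models the conflict described above so that an administrator can see which SCIM-managed attributes a JIT login would clear. The merge rule (with Enable User Update on, SSO rewrites the updatable attributes from the SAML claims and removes any that the claims do not carry) and the list of attributes SSO touches are assumptions derived from the text, not Archer's implementation; the user record and claims are constructed.

```python
"""Model of how a JIT SSO login can clear SCIM-provisioned attributes.
Added example, not Archer's code. The merge rule and the SSO_UPDATABLE list are
assumptions modelled from the description above; sample data is constructed."""

# Attributes the SSO update step rewrites from SAML claims (assumption).
SSO_UPDATABLE = ("givenName", "familyName", "email", "title")


def sso_login_update(user, saml_claims, enable_user_update):
    """Return the user record as it would look after a JIT login."""
    updated = dict(user)
    if not enable_user_update:
        return updated  # SSO only authenticates; SCIM-managed data is untouched
    for attr in SSO_UPDATABLE:
        if attr in saml_claims:
            updated[attr] = saml_claims[attr]
        else:
            updated.pop(attr, None)  # absent from the claims, so it is cleared
    return updated


def attributes_at_risk(scim_user, saml_claims):
    """SCIM-set attributes that the SAML Additional Claims do not carry.
    Anything listed here is lost on the next login if Enable User Update is on."""
    return sorted(a for a in scim_user if a in SSO_UPDATABLE and a not in saml_claims)


# Constructed sample: SCIM provisioned a title, the SAML claims do not include it.
SCIM_USER = {"userName": "jdoe", "givenName": "John", "familyName": "Doe",
             "title": "Analyst", "email": "jdoe@example.com"}
SAML_CLAIMS = {"givenName": "John", "familyName": "Doe", "email": "jdoe@example.com"}

if __name__ == "__main__":
    print(attributes_at_risk(SCIM_USER, SAML_CLAIMS))
    print(sso_login_update(SCIM_USER, SAML_CLAIMS, True).get("title"))
    print(sso_login_update(SCIM_USER, SAML_CLAIMS, False)["title"])
```

Feeding the real SCIM mapping and the claim names from the SAML configuration into attributes_at_risk gives the list of attributes to either add to the SAML claims or protect by turning Enable User Update off.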

Shared features between SCIM and SSO

Important: Do not use both SSO and SCIM at the same time.

Functionality | SSO | SCIM
Authentication | Yes | No
Authorization | Via groups | Via groups
Profile Updates | Yes | Yes
Proactive user creation | No | Yes
Deactivate users | No | Yes
Reactivate users | No | Yes
Synchronization | Push only | Based on IDP
JIT User Creation | Yes | No
Self Service Configuration | via AIM | in work
Multiple IDPs | Yes | Yes
Supported IDPs | SAML 2.0 | SCIM 2.0

SCIM FAQs

How should SCIM be used with Archer Groups to ensure proper permissions and alignment with roles?

In Archer, groups are not linked to roles during creation, so they don't have permissions by default. To address this, administrators should disable group creation at the IDP level. Ideally, the administrators should create the group in Archer, configure the group, subgroups, and roles, and then assign user membership through their Active Directory (AD).

How does the Archer SCIM implementation manage the primary email flag?

The Archer SCIM implementation follows the SCIM 2.0 standard, which requires the primary flag to be set to true for an email address to be recognized as the default. If no email is marked primary: true, the first email in the array is usually used as the default.
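The following is an added example, not Archer's own code, showing the selection rule from the answer above applied to a SCIM emails array, plus a classifier that tells an administrator whether the IDP mapping relies on the first-entry fallback or marks more than one entry primary. Treating the first primary entry as the default when several are flagged is this example's assumption; the sample arrays are constructed.

```python
"""Resolve the default address from a SCIM 'emails' array.
Added example, not Archer's code: primary = true wins, otherwise the first
entry is used, as the FAQ above states. Sample arrays are constructed."""


def describe_emails(emails):
    """Classify how the default address is chosen, so mapping problems are
    visible before provisioning: 'primary' is the intended case."""
    if not emails:
        return "empty"
    flagged = sum(1 for e in emails if e.get("primary") is True)
    if flagged == 0:
        return "fallback-first"     # depends on array order; fix the IDP mapping
    if flagged == 1:
        return "primary"
    return "multiple-primary"       # SCIM 2.0 allows primary = true at most once


def default_email(emails):
    """Return the address treated as the default, or None for an empty array.
    If several entries are flagged primary, the first flagged one is taken
    (assumption for this example)."""
    if not emails:
        return None
    primary = [e for e in emails if e.get("primary") is True]
    chosen = primary[0] if primary else emails[0]
    return chosen.get("value")


# Constructed samples.
EXPLICIT = [
    {"value": "other@example.com", "type": "Other"},
    {"value": "work@example.com", "type": "Business", "primary": True},
]
UNFLAGGED = [
    {"value": "first@example.com", "type": "Business"},
    {"value": "second@example.com", "type": "Other"},
]
DOUBLE = [
    {"value": "a@example.com", "primary": True},
    {"value": "b@example.com", "primary": True},
]

if __name__ == "__main__":
    for arr in (EXPLICIT, UNFLAGGED, DOUBLE, []):
        print(describe_emails(arr), default_email(arr))
```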

What methods are available to prevent certain users from being automatically provisioned through SCIM?

Excluding users from automatic SCIM provisioning depends on the IDP. This process involves either filtering users at the IDP level or configuring exclusion rules.

Filtering at the IDP level is recommended. Most IDPs, such as Okta and Azure AD, let you set user filters before sending data via SCIM. Only users assigned to the SCIM application will be provisioned.

You can achieve this by:

  • Group-Based Provisioning: Synchronize only specific groups rather than all users.

  • Attribute-Based Filtering: Exclude users based on attributes such as department, job title, or custom fields.

  • SCIM Application Assignments: Assign only specific users or groups to the SCIM application within the IDP.

How is the Business Unit attribute from the IDP mapped to a user profile in Archer?

The Business Unit attribute from the IDP is mapped to the organization attribute in the SCIM Enterprise User Schema (urn:ietf:params:scim:schemas:extension:enterprise:2.0:User). The user profile page in Archer includes only a Company field, so Archer maps the organization attribute to that field. There are no Archer fields available for mapping Division or Department.