Flexera Setup for System for Cross-domain Identity Management (SCIM)
Complete the following steps in Flexera One to set up System for Cross-domain Identity Management (SCIM) before configuring your identity provider.
Step 1: Create a Service Account
Create a service account that will be used for SCIM authentication. This account will have the necessary permissions to manage users and groups through the SCIM API.
For detailed instructions, see the Service Account API documentation.
Step 2: Create a Service Account Client
Generate OAuth2 client credentials for the service account. These credentials will be used by your identity provider to authenticate with the Flexera SCIM API.
For detailed instructions, see the Service Account Client API documentation.
Copy and save the Client ID and Client Secret from the response. You will need these values when configuring your identity provider for SCIM integration.
Step 3: Assign SCIM Operator Role to Service Account
Grant the service account the SCIM Operator role, which provides the necessary permissions to manage SCIM resources.
Use the following cURL command as an example, replacing the placeholders with your actual values. For more information, see the Grant Access Rule API documentation.
curl -i -H "$AUTH_HEADER" -X PUT "$BASE_URL/iam/v1/orgs/$ORG_ID/access-rules/grant" -d "{
  \"role\": {
    \"name\": \"scim_operator\"
  },
  \"scope\": {
    \"ref\": \"ref:nam:::iam:org:$ORG_ID\"
  },
  \"subject\": {
    \"ref\": \"ref:nam:::iam:service-account:$SERVICE_ACCOUNT_ID\"
  }
}"
Step 4: Verify Your Domain
Before users can be provisioned through SCIM, you must verify the email domain(s) that will be used for user accounts. SCIM can only provision users whose email addresses belong to verified domains.
Complete the following prerequisites:
- Create an Identity Provider for your organization. For more information, see Setting Up an Identity Provider for Flexera One.
- Add and verify your domain. For more information, see Verifying a Domain With a TXT Record.
Only users with email addresses from verified domains can be provisioned using SCIM. Users with unverified domains will be rejected during the provisioning process.
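As a pre-flight check for the verified-domain rule above, the following added example (not Flexera's code) lists the addresses that fall outside a set of verified domains before they are assigned for provisioning. The function names, the sample data, and the exact, case-insensitive matching that treats subdomains as unverified are assumptions; the page does not state how subdomains are handled.

```shell
#!/bin/sh
# Added example: flag addresses that fall outside the verified domains
# before they are assigned to SCIM provisioning in the identity provider.
# Assumption: a domain matches only if it equals a verified domain exactly
# (case-insensitive); subdomains are treated as unverified.

# Constructed sample data (not real users or domains).
VERIFIED_DOMAINS="example.com example.org"
SAMPLE_USERS="alice@example.com
bob@Example.ORG
carol@mail.example.com
dave@contractor.test
not-an-email
erin@"

# email_domain ADDRESS: print the lowercased domain; return 1 if malformed.
email_domain() {
  local dom="${1##*@}"
  case "$1" in
    ?*@*) [ -n "$dom" ] || return 1 ;;   # "erin@" has an empty domain
    *) return 1 ;;                       # no "@" or empty local part
  esac
  printf '%s\n' "$dom" | tr '[:upper:]' '[:lower:]'
}

# is_verified DOMAIN "LIST": succeed if DOMAIN is in the space-separated LIST.
is_verified() {
  local d
  for d in $2; do
    [ "$1" = "$(printf '%s' "$d" | tr '[:upper:]' '[:lower:]')" ] && return 0
  done
  return 1
}

# rejected_users "LIST" < addresses: print "address<TAB>reason" for every
# address that is malformed or whose domain is not in LIST.
rejected_users() {
  local addr domain
  while IFS= read -r addr || [ -n "$addr" ]; do
    [ -n "$addr" ] || continue
    if ! domain="$(email_domain "$addr")"; then
      printf '%s\tmalformed\n' "$addr"
    elif ! is_verified "$domain" "$1"; then
      printf '%s\tunverified domain %s\n' "$addr" "$domain"
    fi
  done
}

printf '%s\n' "$SAMPLE_USERS" | rejected_users "$VERIFIED_DOMAINS"
```

Feed it the address column of the identity provider's assignment export, one address per line, and resolve every reported entry before enabling provisioning.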