Custom SAML & SCIM Integration


Customer IT / SpaceIQ Onboarding Team

SiQ offers a number of Third-party Integration Applications that allow customers to seamlessly integrate employee provisioning and authentication via the industry-standard SAML (SSO) and SCIM protocols.

While many of the leading Third-party Providers have been already pre-integrated with the SiQ Web app, there are other vendors whose platforms are not yet formally integrated.

The Custom SAML and SCIM integration allows providers without a pre-integration to integrate with SiQ through SAML and SCIM, as long as the vendor's platform supports a common "custom integration" feature.

The following provisioning features are supported:

  • Single Sign-On via SAML
  • Push New Users (SCIM 2.0)
    • New users created through Custom IDP will also be created in the SpaceIQ application.
  • Push Profile Updates (SCIM 2.0)
    • Updates made to the users’ profile through Custom IDP will be pushed to the SpaceIQ application.
  • Push User Deactivation (SCIM 2.0)
    • Deactivating the user or disabling the user's access to the application through Custom IDP will delete the user in the SpaceIQ application. Note: For this application, deactivating a user means removing all of the user's data and removing the user's account.

This article describes how to configure the Custom SAML & SCIM integration for SiQ.

Prerequisites

Before you configure SCIM-based provisioning for SiQ, make sure you are familiar with SCIM-based authentication.

You will need admin privileges in the Third-party Provider to complete this integration, and for the SiQ setup you must have the SiQ Admin or IT role.

Integration Activities

Step 1. Activate the SiQ Integration in SiQ

From the SiQ Web App, complete the following:

  1. Click your Profile Name in the top right corner.
  2. Click Settings. The Settings screen displays.
  3. From the left menu, click Integrations.
  4. From the Third Party Integrations area, click the READ MORE link. The Integrations screen displays.

You can either search for Custom SAML & SCIM in the Search field or navigate to the Custom SAML & SCIM tile. To navigate, complete the following:

  1. From the left menu, click Provisioning & SSO.
  2. For Custom SAML & SCIM, click the Activate button.

The Custom SAML & SCIM dialog displays; it contains a Provisioning tab and an SSO tab.

Provisioning Tab

This is where the SCIM Bearer Token is found.

SSO Tab

From the SSO tab, complete the following:

  1. In the SAML Identity Provider Issuer URL field, paste the Issuer URL copied from the Third-Party Provider.
  2. In the X.509 Certificate field, paste the certificate you downloaded from the Third-Party Provider.
  3. Click the Activate button.
  4. Click the active Custom SAML & SCIM. The Custom SAML & SCIM dialog displays the following details, which can be copied into your Third-party SSO Provider Admin Console.
  5. Copy the SAML CallBack Endpoint URL and paste it into the Single Sign On URL field in the Third-party SSO Provider Admin Console.
  6. Copy the SAML Audience URL and paste it into the SP Entity ID field in the Third-party SSO Provider Admin Console.
  7. Optional: In the SSO Provider Portal URL field, enter the application home URL so that users are redirected back to the SSO Provider marketplace after logout.
  8. Optional: In the SSO Redirect URL (SiQ Portal) field, enter the SSO redirect URL to automatically authenticate users from the SiQ Portal using SSO.
  9. To save the details, click the Activate button.

Step 2. Enable Provisioning in the Third-party Provider

Return to the SiQ Web App and complete the following:

  1. Click the active Custom SAML & SCIM. The Custom SAML & SCIM dialog displays.
  2. From the SCIM Bearer Token field, click the Copy icon.

From the Third-party Provider, complete the following:

  1. Enable the automatic provisioning by following the IdP (Identity Provider) documentation.
  2. Add the SCIM Bearer Token.

Troubleshooting Tips

Users without a First Name, Last Name, or Department in their SiQ profiles cannot be imported as new users.

In the event that a department also has teams (sub-departments), SiQ expects Organizations/Divisions that contain top-level organization and department details to also contain the Team Name. For example:

Organization: Engineering with Department: QA

For more details about attribute mapping, see Employee Attribute Mapping.
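As an added illustration (not SpaceIQ's code or documentation), the following Python shows what the three supported SCIM 2.0 pushes listed above look like on the wire, authenticated with the SCIM Bearer Token, and applies the troubleshooting rule that a user without a first name, last name or department cannot be imported before the request is built. The SCIM base URL is a placeholder, and carrying the department in the standard SCIM enterprise-user extension is an assumption; the real endpoint and mapping come from the SiQ dialog and the Employee Attribute Mapping article.

```python
import json
from urllib.request import Request

# Placeholder: the real SCIM endpoint is shown in the SiQ Custom SAML & SCIM dialog.
SCIM_BASE_URL = "https://<siq-scim-endpoint>/scim/v2"
# Assumption: department is sent in the standard SCIM enterprise-user extension.
ENTERPRISE_EXT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def missing_required(user: dict) -> list:
    """List the attributes SiQ requires that this SCIM user payload lacks."""
    name = user.get("name", {})
    missing = []
    if not name.get("givenName"):
        missing.append("name.givenName")
    if not name.get("familyName"):
        missing.append("name.familyName")
    if not user.get(ENTERPRISE_EXT, {}).get("department"):
        missing.append(ENTERPRISE_EXT + ":department")
    return missing


def scim_request(method: str, path: str, token: str, body: dict = None) -> Request:
    """Build the HTTP request the IdP sends, using the SCIM Bearer Token from SiQ."""
    headers = {"Authorization": "Bearer " + token, "Accept": "application/scim+json"}
    data = None
    if body is not None:
        headers["Content-Type"] = "application/scim+json"
        data = json.dumps(body).encode()
    return Request(SCIM_BASE_URL + path, data=data, headers=headers, method=method)


def push_new_user(user: dict, token: str) -> Request:
    """Push New Users: POST /Users, refused locally if SiQ would not import it."""
    missing = missing_required(user)
    if missing:
        raise ValueError("SiQ cannot import this user; missing " + ", ".join(missing))
    return scim_request("POST", "/Users", token, user)


def push_profile_update(user_id: str, changes: dict, token: str) -> Request:
    """Push Profile Updates: SCIM 2.0 PATCH with one replace operation per attribute."""
    ops = [{"op": "replace", "path": p, "value": v} for p, v in changes.items()]
    return scim_request("PATCH", "/Users/" + user_id, token,
                        {"schemas": [PATCH_SCHEMA], "Operations": ops})


def push_user_deactivation(user_id: str, token: str) -> Request:
    """Push User Deactivation: the usual SCIM active=false patch. Note that SiQ
    treats this as removing the user's account and all of the user's data."""
    return push_profile_update(user_id, {"active": False}, token)


def request_body(req: Request) -> dict:
    """Decode a built request's JSON body (for inspection in a dry run)."""
    return json.loads(req.data)
```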