SCIM Provisioning

---

Managing user accounts and access permissions across various systems and applications can be a complex and time-consuming task. System for Cross-domain Identity Management (SCIM) provides a standardized approach to user provisioning and simplifies the process of creating, updating, and deactivating user accounts. Files.com SCIM provisioning is designed to integrate seamlessly with popular identity providers such as Okta, Azure Active Directory, and OneLogin. Organizations can configure SCIM provisioning by establishing a connection between their identity provider (IdP) and Files.com. Once the integration is set up, user provisioning and management can be effectively streamlined as below.

Files.com SCIM provisioning enables organizations to automate the process of creating user accounts. When a new user is added to the organization's identity provider (IdP), the SCIM provisioning feature automatically provisions the user's account on Files.com, eliminating the need for manual setup. We provision the standard user attributes such as the User Name, Name, Display Name, Email Address, and Company Name. This ensures that new users can quickly access the platform and start collaborating without delays.

SCIM provisioning also facilitates seamless updates to user accounts. When changes are made to user attributes such as name, email address, company name or group memberships in the IdP, these modifications are automatically synchronized with Files.com. This ensures that user information remains consistent across different systems, reducing the risk of data discrepancies and administrative overhead.

When a user leaves the organization or their access needs to be revoked, Files.com SCIM provisioning simplifies the deactivation process. Instead of manually disabling the user's account, administrators can simply update the user's status in the IdP, triggering automatic account deactivation in Files.com. This helps maintain data security by ensuring that former employees or external collaborators no longer have access to sensitive files.

Files.com SCIM provisioning extends beyond individual user accounts to include group management. Organizations can leverage SCIM to automatically create, update, and remove groups in Files.com based on changes made in the IdP. We provision the standard group attributes such as the Group Name and Group Members. This allows for efficient management of team collaborations and access control, ensuring that users have the appropriate permissions within Files.com.

Files.com supports SCIM version 2.0 with Basic authentication and Token based authentication to integrate with your IdP. Along with standard user provisioning and deprovisioning via SCIM, Files.com also support automatic provisioning or deprovisioning of group memberships.

To integrate your IdP with Files.com SCIM provisioning, use the below fields within your IdP SCIM configuration:

Visit Azure AD SSO SCIM, Okta SSO SCIM or OneLogin SSO SCIM pages for more information on how you can configure SCIM with your favorite IdP.

Once SCIM provisioning is enabled in Files.com, any new users created after the integration will be managed and provisioned through SCIM. The SCIM integration ensures that user creation, updates, and deprovisioning processes are automatically synchronized between the identity provider (such as Okta, Azure AD, OneLogin) and Files.com. However, if your users are already present in Files.com with SSO authentication enabled prior to configuring SCIM provisioning, they may not be automatically managed through SCIM after integrating with certain identity providers like Okta.

In situations where you wish to manage or provision all existing and new users via SCIM, it is recommended to delete the existing users in Files.com before enabling SCIM provisioning for all users. Prior to enabling SCIM, it is advisable to conduct testing to ensure a smooth transition in this scenario.

In the event that you modify your user's email address, user principal name (UPN), or username after provisioning the user with SCIM, the updates may not be immediately synchronized with Files.com. As a result, users may experience login difficulties until your Identity Provider (IdP) pushes those changes according to their synchronization interval. To mitigate this issue, we suggest utilizing the on-demand provisioning capabilities of your IdP to promptly provision and propagate these changes.

If you are using Azure SSO or other IdP with Create User On First Login enabled and do not have SCIM configured, you may encounter an issue where duplicate user records are created. This occurs because the system interprets the updated UPN/Email address as a new user entry. On the other hand, if you have Create User On First Login disabled and without SCIM, you may see an error when attempting to change the UPN or primary email/username. This error occurs because the system does not recognize the new user entry that is being referenced. To avoid such cases, we recommend using SCIM and on-demand provisioning to properly synchronize the user name or email address changes between your IdP and Files.com.

Files.com can automatically provision/deprovision group memberships using SCIM. To configure the group provisioning settings, edit the settings for your SSO Provider. Type "SSO Providers" in the search box at the top of every page and click on the matching result. Locate your provider integration in the list and click Edit to see the Advanced Settings option. Once you click on the Advanced Settings, you will see various options related to provisioning. If your Groups at IdP are not synchronizing with Files.com, we recommend using manual provision options within your IdP provisioning settings. If you are using Okta as your IdP, go to Applications > Files.com > Push Groups to force the groups to be synchronized with Files.com application.