SCIM Provisioning


Managing user accounts and access permissions across various systems and applications can be a complex and time-consuming task. System for Cross-domain Identity Management (SCIM) provides a standardized approach to user provisioning and simplifies the process of creating, updating, and deactivating user accounts.

Files.com integrates with several identity providers using SCIM provisioning. SCIM is an open standard that simplifies cloud identity management and allows user provisioning to be automated. The integration is designed to work seamlessly with many popular identity providers that support SCIM provisioning. Files.com SCIM provisioning is only compatible with SAML-based integration, not with OAuth or OpenID Connect.

Some of the popular identity providers Files.com integrates with using SCIM are Okta, Azure Active Directory, LDAP/Active Directory, OneLogin, and SAML (any provider).

Automated User Provisioning

Files.com SCIM provisioning enables organizations to automate the process of creating user accounts. When a new user is added to the organization's identity provider (IdP), the SCIM provisioning feature automatically provisions the user's account on Files.com, eliminating the need for manual setup. We provision the standard user attributes such as the User Name, Name, Display Name, Email Address, and Company Name. This ensures that new users can quickly access the platform and start collaborating without delays.

User Account Updates

SCIM provisioning also facilitates seamless updates to user accounts. When changes are made to user attributes such as name, email address, company name or group memberships in the IdP, these modifications are automatically synchronized with Files.com. This ensures that user information remains consistent across different systems, reducing the risk of data discrepancies and administrative overhead.

Account Deactivation

When a user leaves the organization or their access needs to be revoked, Files.com SCIM provisioning simplifies the deactivation process. Instead of manually disabling the user's account, administrators can simply update the user's status in the IdP, triggering automatic account deactivation in Files.com. This helps maintain data security by ensuring that former employees or external collaborators no longer have access to sensitive files.

Group Management

Files.com SCIM provisioning extends beyond individual user accounts to include group management. Organizations can leverage SCIM to automatically create, update, and remove groups in Files.com based on changes made in the IdP. We provision the standard group attributes such as the Group Name and Group Members. This allows for efficient management of team collaborations and access control, ensuring that users have the appropriate permissions within Files.com.

Setting Up SCIM Provisioning

Files.com supports SCIM version 2.0 with Basic authentication and Token-based authentication to integrate with your IdP. Along with standard user provisioning and deprovisioning via SCIM, Files.com also supports automatic provisioning and deprovisioning of group memberships. Note that SCIM is specifically designed to work with the SAML protocol, not with the OAuth protocol.

To integrate your IdP with Files.com SCIM provisioning, use the fields below within your IdP SCIM configuration:

FIELD | VALUE
Files.com SCIM connector base URL | https://app.files.com/api/scim
Unique identifier field for users | email (it can be email address with some IdP providers)

Files.com offers numerous configuration options for SCIM provisioning, detailed in the Configuration Options section. Also, refer to the Azure AD SSO SCIM, Okta SSO SCIM or OneLogin SSO SCIM pages for more information on how you can configure SCIM with your chosen IdP.
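
The SCIM 2.0 messages an IdP builds for the create and deactivate operations described above, as an added example (not Files.com or IdP code). The base URL is the one from the table; the `/Users` path and schema URNs come from the SCIM RFCs (7643/7644), and the bearer-token header and the `organization` mapping for Company Name are assumptions. Nothing is sent over the network.

```python
import base64
import json

# Base URL from the table above. The /Users path and schema URNs are taken from
# RFC 7643/7644, not from Files.com documentation.
BASE_URL = "https://app.files.com/api/scim"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_SCHEMA = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def auth_header(mode, *, username=None, password=None, token=None):
    """Authorization header for the two modes the page names (Basic, Token)."""
    if mode == "basic":
        raw = f"{username}:{password}".encode()
        return {"Authorization": "Basic " + base64.b64encode(raw).decode()}
    if mode == "token":
        # Assumption: the SCIM token is presented as a bearer token.
        return {"Authorization": "Bearer " + token}
    raise ValueError(f"unsupported auth mode: {mode}")


def create_user_request(email, given, family, company, headers):
    """POST /Users carrying the attributes the page says are provisioned."""
    body = {
        "schemas": [USER_SCHEMA, ENTERPRISE_SCHEMA],
        "userName": email,
        "name": {"givenName": given, "familyName": family},
        "displayName": f"{given} {family}",
        "emails": [{"value": email, "primary": True}],
        ENTERPRISE_SCHEMA: {"organization": company},  # assumed Company Name mapping
        "active": True,
    }
    return _request("POST", "/Users", body, headers)


def deactivate_user_request(scim_id, headers):
    """PATCH /Users/{id} with active=false: deactivation without deleting the record."""
    body = {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}
    return _request("PATCH", f"/Users/{scim_id}", body, headers)


def _request(method, path, body, headers):
    """Describe the HTTP request as a dict instead of sending it."""
    return {"method": method, "url": BASE_URL + path,
            "headers": {"Content-Type": "application/scim+json", **headers},
            "body": json.dumps(body, indent=2)}
```

Whichever mode is used, the credential in the `Authorization` header can create, modify and disable accounts, so it belongs in the IdP's secret store and should be rotated on the token's expiration schedule.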

Provisioning Users

Once SCIM provisioning is enabled in Files.com, any new users created after the integration will be managed and provisioned through SCIM. The SCIM integration ensures that user creation, updates, and deprovisioning processes are automatically synchronized between the identity provider (such as Okta, Azure AD, OneLogin) and Files.com.

If your users are already present in Files.com or in your IdP prior to configuring SCIM provisioning, the provisioning works seamlessly as long as the user in Files.com has the corresponding SSO authentication enabled and the same user is assigned to the Files.com application in your IdP.

Modifying the Email Address or User Name

If you modify a user's email address, user principal name (UPN), or username after provisioning the user with SCIM, the updates may not be immediately synchronized with Files.com. As a result, users may experience login difficulties until your Identity Provider (IdP) pushes those changes according to its synchronization interval. To mitigate this issue, we suggest using the on-demand provisioning capabilities of your IdP to promptly provision and propagate these changes.

Issues with Duplicate User Names or Missing User Names

If you are using Azure SSO or another IdP with Create User On First Login enabled and do not have SCIM configured, you may encounter an issue where duplicate user records are created. This occurs because the system interprets the updated UPN/email address as a new user entry. On the other hand, if you have Create User On First Login disabled and do not have SCIM configured, you may see an error when attempting to change the UPN or primary email/username. This error occurs because the system does not recognize the new user entry that is being referenced. To avoid such cases, we recommend using SCIM and on-demand provisioning to properly synchronize user name or email address changes between your IdP and Files.com.

Provisioning Groups

Files.com can automatically provision and deprovision group memberships using SCIM. To configure the group provisioning settings, edit the settings for your SSO Provider. Type "SSO Providers" in the search box at the top of every page and click on the matching result. Locate your provider integration in the list and click Edit to see the Advanced Settings option. Once you click on Advanced Settings, you will see various options related to provisioning. If the groups in your IdP are not synchronizing with Files.com, we recommend using the manual provisioning options within your IdP provisioning settings. If you are using Okta as your IdP, go to Applications > Files.com > Push Groups to force the groups to be synchronized with the Files.com application.

Configuration Options

Below are the available configuration options with our SCIM provisioning. You can access these options within the advanced settings when adding an SSO provider which supports SCIM provisioning.

CONFIGURATION OPTION | DETAILS
Enable automatic user provisioning via SCIM | Allows you to use the SCIM protocol for provisioning. Select Basic to specify a SCIM username and password to use. Select Token to generate a SCIM token and specify an expiration date to use that token.
Automatically provision users on first login | Automatically triggers user provisioning upon their initial login attempt to Files.com.
Automatically deprovision users | Automatically initiates the deprovisioning of users if they cannot be located in your Identity Provider (IdP) during the next synchronization process.
Automatically provision group memberships | Automatically assigns users to groups based on their group membership settings within your Identity Provider (IdP).
Automatically deprovision group memberships | Automatically removes users from groups if they are no longer associated with the corresponding groups in your Identity Provider (IdP) during the next synchronization process.
Method used for deprovisioning users | Specifies whether deprovisioned users should be deleted or disabled within Files.com. We recommend that users be disabled, rather than deleted, in case you need to audit their prior activity, history, and settings.
Provision company | Sets the "Company" attribute in the Files.com user profile of the provisioned user.
Add users to these default groups on first login | Automatically assigns provisioned users to specified Files.com Groups upon their initial login.
Only provision users in these groups | Restricts user provisioning to only those who are members of the specified IdP groups. Enter comma separated names or wildcards. For instance, to limit provisioning to users in the IT and Support groups, specify "IT,Support".
Exclude these groups from provisioning | Excludes specific groups from being provisioned within Files.com.
Provision users in these groups to be site admins | Automatically assigns site administrator privileges within Files.com to users within the specified groups. Enter comma separated names or wildcards. For example, by specifying "Administrators,Domain Admins", users in these groups from the IdP will be granted site administrator privileges in Files.com.
Provision users in these groups to be group admins | Automatically assigns group administrator privileges within Files.com to users within the specified groups. Enter comma separated names or wildcards. For example, by specifying "Managers,Associate Directors", users in these groups from the IdP will be granted group administrator privileges in Files.com.
Provision users in these groups to manage their password via Files.com | Provisions users from the specified groups without requiring Single Sign-On (SSO). Their passwords will be stored in Files.com, independent of the IdP password.
Auto-provisioned users with WebDAV permissions | Specifies whether the provisioned users have permission to use the WebDAV protocol to connect to Files.com.
Auto-provisioned users with FTP permissions | Specifies whether the provisioned users have permission to use the FTP and FTPS protocols to connect to Files.com.
Auto-provisioned users with SFTP permissions | Specifies whether the provisioned users have permission to use the SFTP protocol to connect to Files.com.
Default time zone for auto provisioned users | Specifies the time zone attribute in the Files.com user profile of the provisioned user.
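
A pre-flight check for the group-based options in the table above, as an added example (not Files.com code): it expands the comma separated names and wildcards against an export of IdP groups and reports who would be provisioned and who would receive site administrator privileges. The group data is constructed, and the matching rules (shell-style wildcards, case-insensitive) are assumptions about how the patterns are evaluated.

```python
from fnmatch import fnmatchcase

# Constructed IdP export: group name -> member emails.
IDP_GROUPS = {
    "IT": {"ana@example.com", "bo@example.com"},
    "Support": {"cy@example.com"},
    "Administrators": {"ana@example.com"},
    "Domain Admins": {"dee@example.com"},
    "Admin-Contractors": {"eli@vendor.example"},
    "Sales": {"fay@example.com"},
}


def parse_patterns(setting):
    """Split a comma separated option value into trimmed patterns."""
    return [p.strip() for p in setting.split(",") if p.strip()]


def expand(setting, groups):
    """Map each pattern to the IdP groups it matches.
    Assumption: '*' and '?' act like shell globs and matching ignores case."""
    return {p: sorted(g for g in groups if fnmatchcase(g.lower(), p.lower()))
            for p in parse_patterns(setting)}


def members(expanded, groups):
    """Union of the members of every matched group."""
    return set().union(*(groups[g] for gs in expanded.values() for g in gs))


def audit(groups, only_provision, site_admins):
    """Report provisioning scope, resulting site admins, and items to review."""
    scope = members(expand(only_provision, groups), groups)
    admin_map = expand(site_admins, groups)
    admins = members(admin_map, groups)
    findings = []
    for pattern, matched in admin_map.items():
        if not matched:
            findings.append(f"'{pattern}' matches no IdP group")
        extra = [g for g in matched if g.lower() != pattern.lower()]
        if extra:  # groups pulled in by a wildcard rather than named outright
            findings.append(f"'{pattern}' grants site admin via: {', '.join(extra)}")
    outside = sorted(admins - scope)
    if outside:
        findings.append("site admins outside provisioning scope: " + ", ".join(outside))
    return {"provisioned": sorted(scope), "site_admins": sorted(admins),
            "findings": findings}
```

Calling `audit(IDP_GROUPS, "IT,Support", "Admin*,Domain Admins")` shows the wildcard also matching the constructed `Admin-Contractors` group, the kind of unintended grant to catch before saving the setting.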


©2024 Files.com. All rights reserved.
