SCIM Provisioning
Managing user accounts and access permissions across various systems and applications can be a complex and time-consuming task. System for Cross-domain Identity Management (SCIM) provides a standardized approach to user provisioning and simplifies the process of creating, updating, and deactivating user accounts.
Files.com integrates with several identity providers using SCIM provisioning, SCIM is an open standard that simplifies cloud identity management and allows user provisioning to be automated. The integration is designed to integrate seamlessly with many popular identity providers who support SCIM provisioning. Files.com SCIM provisioning is only compatible with SAML-based integration, not with OAuth or OpenID Connect.
Some of the popular identity providers Files.com integrates with using SCIM are Okta, Microsoft Entra ID, LDAP/Active Directory, OneLogin, JumpCloud, and SAML (any provider).
Automated User Provisioning
Files.com SCIM provisioning enables organizations to automate the process of creating user accounts. When a new user is added to the organization's identity provider (IdP), the SCIM provisioning feature automatically provisions the user's account on Files.com, eliminating the need for manual setup. We provision the standard user attributes such as the User Name, Name, Display Name, Email Address, and Company Name. This ensures that new users can quickly access the platform and start collaborating without delays.
SCIM provisioning automates user and group management tasks on a scheduled sync cycle from your IdP. Some IDPs also offer on-demand provisioning, allowing immediate provisioning actions without waiting for the next scheduled sync. Files.com supports both approaches similarly; however, support for on-demand and SCIM provisioning may vary by identity provider (IDP). Please refer to your IDP’s documentation for specific capabilities and configuration details.
User Account Updates
SCIM provisioning also facilitates seamless updates to user accounts. When changes are made to user attributes such as name, email address, company name or group memberships in the IdP, these modifications are automatically synchronized with Files.com. This ensures that user information remains consistent across different systems, reducing the risk of data discrepancies and administrative overhead.
Account Deactivation
When a user leaves the organization or their access needs to be revoked, Files.com SCIM provisioning simplifies the deactivation process. Instead of manually disabling the user's account, administrators can simply update the user's status in the IdP, triggering automatic account deactivation in Files.com. This helps maintain data security by ensuring that former employees or external collaborators no longer have access to sensitive files.
Group Management
Files.com SCIM provisioning extends beyond individual user accounts to include group management. Organizations can leverage SCIM to automatically create, update, and remove groups in Files.com based on changes made in the IdP. We provision the standard group attributes such as the Group Name and Group Members. This allows for efficient management of team collaborations and access control, ensuring that users have the appropriate permissions within Files.com.
Setting Up SCIM Provisioning
Files.com supports SCIM version 2.0 with both Basic authentication and Token-based authentication for integrating with your Identity Provider (IdP). It enables standard user provisioning, deprovisioning, and automatic management of group memberships. SCIM is designed to work with the SAML protocol, not OAuth.
Files.com follows the SCIM 2.0 standards outlined in RFC 7642, RFC 7643, and RFC 7644, covering key elements of schema, resource management, and protocols for seamless integration. No additional schema customization is required.
To integrate your IdP with Files.com SCIM provisioning, use the below fields within your IdP SCIM configuration:
| Field | Value |
|---|---|
| Files.com SCIM connector base URL | https://app.files.com/api/scim |
| Unique identifier field for users | email (it can be email address with some IdP providers) |
Files.com offers numerous configuration options for SCIM provisioning, detailed in the Configuration Options section. Also, refer to the Entra ID SSO SCIM, Okta SSO SCIM, JumpCloud SCIM, or OneLogin SSO SCIM pages for more information on how you can configure SCIM with your chosen IdP.
Provisioning Users
Once SCIM provisioning is enabled in Files.com, any new users created after the integration will be managed and provisioned through SCIM. The SCIM integration ensures that user creation, updates, and deprovisioning processes are automatically synchronized between the identity provider (such as Okta, Entra ID, OneLogin) and Files.com.
If your users are already present in Files.com or in your IdP prior to configuring SCIM provisioning, the provisioning works seamlessly as long as the user in Files.com is set with corresponding SSO authentication enabled and the same user is assigned to the Files.com application in your IdP.
Provisioning Groups
Files.com can automatically provision/deprovision group memberships using SCIM. To configure the group provisioning settings, edit the settings for your SSO Provider in Files.com. In the Advanced Settings of your SSO provider form, you will see various options related to provisioning. If your Groups at IdP are not synchronizing with Files.com, we recommend using manual provision options within your IdP provisioning settings. If you are using Okta as your IdP, go to Applications -> Files.com -> Push Groups to force the groups to be synchronized with Files.com application.
Configuration Options
Below are the available configuration options with our SCIM provisioning. You can access these options within the advanced settings when adding an SSO provider which supports SCIM provisioning.
| Configuration Option | Details |
|---|---|
| Enable automatic user provisioning via SCIM | Allows you to use the SCIM protocol for provisioning. Select Basic to create a SCIM username and password to use. Select Token to generate a SCIM token and specify an expiration date to use that token. |
| Automatically provision users on first login | Automatically triggers user provisioning upon their initial login attempt to Files.com. |
| Automatically de-provision users | Automatically initiates the de-provisioning of users if they cannot be located in your Identity Provider (IdP) during the next synchronization process. |
| Automatically provision group memberships | Automatically assigns users to groups based on their group membership settings within your Identity Provider (IdP). |
| Automatically de-provision group memberships | Automatically removes users from groups if they are no longer associated with the corresponding groups in your Identity Provider (IdP) during the next synchronization process. |
| Method used for de-provisioning users | Specifies whether de-provisioned users should be deleted or disabled within Files.com. We recommend that users be disabled, rather than deleted, in case you need to audit their prior activity, history, and settings. |
| Provision company | Sets the "Company" attribute in the Files.com user profile of the provisioned user. |
| Add users to these default groups on first login | Automatically assigns provisioned users to specified Files.com Groups upon their initial login. |
| Only provision users in these groups | Restricts user provisioning to only those who are members of the specified IdP groups. Enter comma separated names or wildcards. For instance, to limit provisioning to users in the IT and Support groups, specify IT,Support. Your IdP must send group membership data in SCIM requests to use this configuration option. |
| Only provision these groups | To include or whitelist specific IdP groups for provisioning. Your IdP must send group membership data in SCIM requests to use this configuration option. |
| Exclude these groups from provisioning | To exclude or blacklist specific IdP groups from being provisioned. Your IdP must send group membership data in SCIM requests to use this configuration option. |
| Provision users in these groups to be site admins | Automatically assigns Site Administrator privileges within Files.com to users within the specified groups. Enter comma separated names or wildcards. For example, by specifying Administrators,Domain Admin, users in these groups from the IdP will be granted Site Administrator privileges in Files.com. |
| Provision users in these groups to be read-only site admins | Automatically assigns Read-only Administrator privileges within Files.com to users within the specified groups. Enter comma separated names or wildcards. For example, by specifying Support Admins,ReadOnly Admins, users in these groups from the IdP will be granted Read-only Administrator privileges in Files.com. |
| Provision users in these groups to be group admins | Automatically assigns Group Administrator privileges within Files.com to users within the specified groups. Enter comma separated names or wildcards. For example, by specifying Managers,Associate Directors, users in these groups from the IdP will be granted Group Administrator privileges in Files.com. |
| Provision users in these groups to manage their password via Files.com | Provisions users from the specified groups without requiring Single Sign-On (SSO). Their passwords will be stored in Files.com, independent of the IdP password. |
| Provision users with 2FA | Specifies how two-factor authentication (2FA) is applied to provisioned users. You can choose to follow the site-wide 2FA policy or override it for SCIM provisioned users, opting to always require 2FA or never require it. For example, if your site-wide 2FA policy mandates Always required for all users, but you need to exempt SCIM provisioned users from this requirement, select Never require 2FA. |
| Auto-provisioned users with WebDAV permissions | Specifies whether the provisioned users have permission to use the WebDAV protocol to connect to Files.com. |
| Auto-provisioned users with FTP permissions | Specifies whether the provisioned users have permission to use the FTP and FTPS protocols to connect to Files.com. |
| Auto-provisioned users with SFTP permissions | Specifies whether the provisioned users have permission to use the SFTP protocol to connect to Files.com. |
| Default time zone for auto provisioned users | Specifies the time zone attribute in the Files.com user profile of the provisioned user. |
SCIM Activity Logging
Files.com logs SCIM-related events under History Logs using the Interface filter SCIM. These logs may include details such as user creation, group creation, and updates to users or groups.
If you encounter an error and do not see related details in History Logs, it’s possible the issue originated from your identity provider (IdP). In such cases, check your IdP’s logs for more detailed information and to troubleshoot further.
Troubleshooting Common Issues with SCIM
When troubleshooting SCIM provisioning related issues, it's important to ensure proper synchronization between your Identity Provider (IdP) and Files.com, especially after changes to user attributes like email addresses or usernames. Using on-demand provisioning helps update user information promptly.
Modifying the Email Address or User Name
In the event that you modify your user's email address, user principal name (UPN), or username after provisioning the user with SCIM, the updates may not be immediately synchronized with Files.com. As a result, users may experience login difficulties until your Identity Provider (IdP) pushes those changes according to their synchronization interval. To mitigate this issue, we suggest utilizing the on-demand provisioning capabilities of your IdP to promptly provision and propagate these changes.
Issues with Duplicate User Names or Missing User Names
If you are using Entra ID or other IdP with Create User On First Login enabled and do not have SCIM configured, you may encounter an issue where duplicate user records are created. This occurs because the system interprets the updated UPN/Email address as a new user entry. On the other hand, if you have Create User On First Login disabled and without SCIM, you may see an error when attempting to change the UPN or primary email/username. This error occurs because the system does not recognize the new user entry that is being referenced. To avoid such cases, we recommend using SCIM and on-demand provisioning to properly synchronize the user name or email address changes between your IdP and Files.com.
Issues with Deleting Users in Files.com
When an SSO-provisioned user is manually deleted from Files.com, it can cause the IdP or SCIM integration to fall out of sync, where the IdP shows that the users or groups were successfully provisioned/pushed, but they are not actually being provisioned in Files.com. If this issue happens, the only way to restore an out-of-sync user in Files.com is to deactivate and then reactivate the user within the IdP, which triggers user update requests to Files.com. Group provisioning tools within the IdP have not been effective in restoring users in this scenario.
Provisioning Based on Group Membership
In some scenarios, you may need to provision only a specific subset of users based on group membership. For example, you may want to provision only users who belong to a designated “provisioning group,” while still assigning them to their respective functional groups such as HR or Finance within Files.com. This approach ensures tighter access control and avoids provisioning all users from the identity provider.
Files.com supports SCIM configuration options such as Only provision users in these groups, Only provision these groups, and Exclude these groups from provisioning to manage which users and groups are created. These options require the identity provider to include group membership data in SCIM requests. These options serve as whitelist or blacklist filters.
Microsoft Entra ID does not include group memberships in its SCIM provisioning requests. As a result, Files.com cannot apply the group-based whitelist or blacklist filters mentioned above when Entra ID is used as the IdP.
To work around this, use Entra’s scoping filters based on a custom extension property. This property acts as a designated provisioning attribute, allowing only users with the attribute to be provisioned into Files.com. Group mappings still apply, so provisioned users are automatically added to their assigned groups. For details, refer to Microsoft’s documentation on defining scoping filters and customizing application attributes.