User Provisioning with System for Cross-domain Identity Management (SCIM)

  • Updated

Wire supports the SCIM (RFC 7643) protocol to create, update, and delete users.

Be aware, that connecting a SCIM client to Wire also disables the functionality to invite new team members in the SSO login process. This functionality is disabled when a token is created (see below) and re-enabled when all tokens have been deleted.

 

To set up the connection of your SCIM client (for example, Azure Active Directory) you need to provide the following.

  1. The URL under which Wire’s SCIM API is hosted iw https://prod-nginz-https.wire.com/scim/v2. If you are hosting your own instance of Wire then the URL is https://<hostname>/scim/v2, where <hostname> is where you are serving Wire’s public endpoints. Some SCIM clients append /v2 to the URL your provide. If this happens (check the URL mentioned in error messages of your SCIM client) then please provide the URL without the /v2 suffix, i.e. https://prod-nginz-https.wire.com/scim or https://<hostname>/scim.

  2. A secret token that authorizes the use of the SCIM API. Use the wire_scim_token.py script to generate a token. To run the script you need access to a user account with admin privileges to log in via email and password. Note that the token is independent from the admin account that created it, i.e. the token remains valid if the admin account gets deleted or changed.

You need to configure your SCIM client to use the following mandatory SCIM attributes:

  1. Set the userName attribute to the desired username. It must be unique across the entire Wire cloud (or unique on your instance) and consist of the characters a-z0-9_.- (no capital letters).

  2. Set the displayName attribute to the user’s desired profile name, for example, Jane Doe” It must consist of 1-128 Unicode characters. It does not need to be unique.

  3. The externalId attribute:

    1. If you are using Wire’s SAML SSO feature then set the externalId attribute to the same identifier used for NameID in your SAML configuration (both fields must match case sensitively).

    2. If you are using email/password authentication then set the externalId attribute to the user’s email address. The user will receive an invitation email during provisioning. Also note that the account will be set to "active": false until the user has accepted the invitation and activated the account.

You can use of Wire’s urn:wire:scim:schemas:profile:1.0 extension field to store arbitrary user profile data shown in the user’s profile, for example, department or role. 

Was this article helpful?

1 out of 5 found this helpful

Have more questions? Submit a request