You can use the System for Cross-domain Identity Management (SCIM) protocol to synchronize accounts and groups between applications and Identity as a Service (IDaaS). In this scenario, IDaaS acts as the SCIM server. The SCIM protocol standardizes data sharing and API definitions between identity systems to enhance interoperability.
Prerequisites
You have activated Identity as a Service (IDaaS) and created an EIAM Cloud Identity Service instance.
Your third-party identity system supports the SCIM protocol, and you have the required configuration information.
Step 1: Create an application
Log on to the Alibaba Cloud IDaaS console. In the navigation pane on the left, click EIAM. On the IDaaS tab, find the target instance and click Manage in the Actions column.
On the IDaaS page, go to the navigation pane on the left and choose . On the Applications page, click Add Application.
Select either Standard Protocols or Custom Applications, and then click Add Application or Add Custom Application.
Note: By default, only applications of the Standard Protocols and Custom Applications types can synchronize data to IDaaS.
In the dialog box that appears, enter an Application Name and click Add. You will be redirected to the application details page.
Step 2: Set the account synchronization scope
On the application details page, click the Provisioning tab and then configure the Provisioning Scope.
In the Configure Synchronization Scope panel that appears, select the target Organization and Group.
Step 3: Configure Synchronize Application to IDaaS parameters
On the Provisioning tab, click the Synchronize Application to IDaaS sub-tab and configure the basic settings.
Synchronization Scope:
Specify the organization where IDaaS accounts are automatically assigned when they are imported using the System for Cross-domain Identity Management (SCIM) protocol. This applies only to accounts that do not already belong to an organization. The organization that you select as the Synchronization Scope must be within the IDaaS Provisioning Scope.
Bearer Token:
Click Add Bearer Token. In the Specify Validity Period pane that appears, set the Validity Period of Bearer Token. The validity period can range from 1 day to 3 years.
A Bearer Token is the credential that the SCIM client (your upstream identity system) presents on every call to the IDaaS SCIM API; the holder is authorized without supplying a username, password, or other identity verification on each request. Anyone who obtains the token can create, update, and disable accounts and groups within the provisioning scope, so store it in the upstream system's secret store, transmit it only over HTTPS, and keep it out of logs and tickets. IDaaS manages it alongside the application's Client ID and Secret. Follow these rules when you configure the token:
Quantity limit: You can have a maximum of two Bearer Tokens.
Status requirement: At least one token must be enabled.
Deletion process: To delete a token, you must first disable it.
SCIM Base URL:
This is the base URL of the IDaaS SCIM API. Copy it into the SCIM connector configuration of the upstream system; the SCIM client sends its API calls (for example, to the /Users and /Groups resources) relative to this URL.
Configure SCIM Operation Permission:
To sync data to IDaaS using SCIM, you must enable the SCIM API Permissions in the IDaaS API section. This allows the application to call the API.
Click Authorize to go to the IDaaS API page.
At the top of the page, click the enable icon next to IDaaS API. In the Enable panel that appears, click Enable. In the SCIM API Permissions section, select all Scenarios, and then click Save.
Configure advanced settings.
The basic settings only support syncing basic fields to IDaaS. To sync additional fields, you must use the advanced settings to map them to extension fields in IDaaS. On the Synchronize Application to IDaaS tab, click Show Advanced Settings and configure the following parameters.
Custom Field Namespace: Specify the namespace. It must match the namespace in the third-party system.
For Okta: Enter urn:ietf:params:scim:schemas:extension:customfield:2.0:User.
For Microsoft Entra ID (Azure AD): Enter urn:ietf:params:scim:schemas:extension:${CustomExtensionName}:2.0:User, where ${CustomExtensionName} is a variable. Adjust the variable as needed.
Sync Target Field: Select the target fields to sync. Only Extended Fields are supported. You can select multiple fields. For more information about how to configure Extended Fields, see Create extension fields.
After you configure the settings, click Save.
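The following is an added example (not IDaaS code or an Okta/Entra ID connector) of what the upstream SCIM client ends up sending after Steps 1 to 3: a SCIM 2.0 User body that carries the basic fields, the enterprise extension with organizationId, and the custom-field namespace configured in the advanced settings, wrapped in a request that presents the Bearer Token. The base URL, token, organization ID, and the Okta-style namespace are assumed placeholders.

```python
"""Build the SCIM 2.0 request an upstream identity system sends to IDaaS.

Added example, not part of the IDaaS documentation or any SDK. The bearer
token, base URL and organization IDs used here are constructed placeholders.
"""
import json
from dataclasses import dataclass, field
from typing import Optional

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_NS = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
# Custom Field Namespace as entered under Show Advanced Settings. Assumption:
# the upstream system is Okta, so the Okta namespace from the page is used.
CUSTOM_NS = "urn:ietf:params:scim:schemas:extension:customfield:2.0:User"


@dataclass
class UpstreamUser:
    """One record from the upstream directory (constructed sample shape)."""
    external_id: str
    username: str
    display_name: str
    email: str
    phone: str
    active: bool = True
    organization_id: Optional[str] = None        # IDaaS organization ID
    custom: dict = field(default_factory=dict)    # extension-field values


def build_user_payload(u: UpstreamUser, custom_ns: str = CUSTOM_NS) -> dict:
    """Map an upstream record onto the basic fields IDaaS accepts.

    IDaaS stores only one phone number and one email, both of type "work",
    so exactly one entry of each is emitted.
    """
    body = {
        "schemas": [CORE_USER],
        "externalId": u.external_id,
        "userName": u.username,
        "displayName": u.display_name,
        "active": u.active,
        "emails": [{"value": u.email, "type": "work", "primary": True}],
        "phoneNumbers": [{"value": u.phone, "type": "work"}],
    }
    if u.organization_id:
        # With organizationId set, the account is placed in that organization;
        # without it, it lands in the Synchronization Scope organization.
        body["schemas"].append(ENTERPRISE_NS)
        body[ENTERPRISE_NS] = {"organizationId": u.organization_id}
    if u.custom:
        # Extension fields travel under the namespace configured in the console;
        # a mismatched namespace means IDaaS silently ignores these values.
        body["schemas"].append(custom_ns)
        body[custom_ns] = dict(u.custom)
    return body


def build_request(base_url: str, token: str, payload: dict,
                  user_id: Optional[str] = None) -> dict:
    """Return the HTTP request (method, url, headers, body) for a create or update.

    POST {base}/Users creates a user; PUT {base}/Users/{id} replaces one.
    The bearer token is the only credential on the call, so refuse to build
    a request that would send it over plain HTTP.
    """
    if not base_url.lower().startswith("https://"):
        raise ValueError("SCIM Base URL must use HTTPS: the bearer token would be sent in clear")
    url = base_url.rstrip("/") + "/Users" + (f"/{user_id}" if user_id else "")
    return {
        "method": "PUT" if user_id else "POST",
        "url": url,
        "headers": {
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/scim+json",
            "Accept": "application/scim+json",
        },
        "body": json.dumps(payload),
    }


if __name__ == "__main__":
    sample = UpstreamUser("ext-1001", "alice", "Alice Liu", "alice@example.com",
                          "+86-13800000000", organization_id="ou-example-1",
                          custom={"employeeNo": "E1001"})
    req = build_request("https://idaas.example.com/scim/v2", "<bearer-token>",
                        build_user_payload(sample))
    print(req["method"], req["url"])
    print(json.dumps(json.loads(req["body"]), indent=2))
```

The client would hand the returned request to its HTTP library; the HTTPS check mirrors the rule that the Bearer Token must never travel in clear, and the organizationId branch is what decides whether the Synchronization Scope organization from Step 3 applies.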
Basic fields that can be synchronized
User:
SCIM field | IDaaS field | Description |
id | userId | The unique ID of the user. |
userName | username | The username. |
displayName | displayName | The display name of the user. |
phoneNumbers [type eq "work"] | phoneNumber | Mobile phone number. If the mobile phone number includes an area code, it must be prefixed with "+". Only one phoneNumber can be stored, and its type must be work. |
phoneRegion | phoneRegion | The area code of the mobile phone number. If this field is not filled in and the mobile phone number includes an area code, the area code is extracted from the mobile phone number. If this field is filled in and its value is inconsistent with the area code in the mobile phone number, an error is reported. If this field is not filled in and the mobile phone number does not include an area code, the default value "86" is used. |
emails [type eq "work"] | | Email address. Only one email can be stored, and its type must be work. |
externalId | userExternalId | External ID. |
active | status | User status. When active=true, status is enabled. When active=false, status is disabled. |
password | password | Password, in plaintext in the request body (another reason the SCIM calls must use HTTPS). If the format is incorrect, an error is reported. |
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User | - | Enterprise extension schema. It carries the organizationId attribute below. |
organizationId (under the enterprise extension) | | The ID of the organization to which the account belongs. If no value is provided, the account is placed under the synchronization target. If a value is provided, the account is placed in that organization. |
Group:
SCIM field | IDaaS field | Description |
id | groupId | The unique ID of the group. |
displayName | groupName | The name of the group. |
externalId | groupExternalId | The external ID of the group. |
members | - | Group members. Each member entry carries the sub-attributes below. |
members.type | - | The type of the group member. Only User is supported. |
members.value | userId | The unique ID of the user. |
members.$ref | - | The full URL of the member resource. |
Recommendations for production environments
Best practices
Bearer Token management: Rotate tokens on a schedule rather than leaving a single credential valid for years. Because at most two tokens can exist and at least one must stay enabled, rotate without downtime by adding the second token, switching the upstream system to it, confirming that synchronization still succeeds, and only then disabling and deleting the old one. Pick a validity period that matches this schedule instead of the 3-year maximum.
Minimize synchronization scope: Synchronize only the necessary organizations and groups to reduce the risk of incorrect data synchronization.
Monitor synchronization status: Monitor the API call frequency and failure logs to promptly detect abnormal behavior.
Fault tolerance and security
Do not delete the last enabled token, because this will interrupt the synchronization.
Field consistency check: Ensure that the data types for phoneNumbers and emails sent from the external system are correct. If they are not, the synchronization will fail.
Idempotence: Repeated submissions of the same user data are treated as updates instead of new creations.
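The following is an added example, not IDaaS server code, that implements the basic-field rules from the table above (one work phone number, one work email, phoneRegion extraction, conflict detection, and the default region of 86, plus the active-to-status mapping) together with the idempotent update behaviour described under Fault tolerance and security. An in-memory store stands in for the IDaaS SCIM server; the sample records are constructed. Two assumptions are labelled in the code: the IDaaS field name used for the email, which the page does not state, and the key (externalId, falling back to userName) on which a repeated submission is matched to the existing account.

```python
"""Normalize a SCIM User per the IDaaS basic-field rules and upsert it idempotently.

Added example, not IDaaS code. The SCIM server is simulated with an in-memory
store so the rules can be exercised offline; all sample data is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple


class SyncError(ValueError):
    """A resource violated the field rules; the real synchronization would fail."""


# Assumption: when the "+" prefix is used, region and number are separated by
# "-" or a space, e.g. "+86-13800000000". The page does not fix the separator.
PHONE_RE = re.compile(r"^(?:\+(\d{1,3})[- ])?(\d{5,15})$")


def normalize_phone(phone_numbers: List[dict], phone_region: Optional[str]) -> Tuple[str, str]:
    """Return (phoneRegion, phoneNumber) applying the table rules."""
    if len(phone_numbers) != 1 or phone_numbers[0].get("type") != "work":
        raise SyncError("exactly one phoneNumber of type work is required")
    m = PHONE_RE.match(phone_numbers[0].get("value", ""))
    if not m:
        raise SyncError("phoneNumber must be digits, optionally prefixed with +<region>")
    embedded, national = m.group(1), m.group(2)
    if embedded and phone_region and embedded != phone_region:
        raise SyncError(f"phoneRegion {phone_region} conflicts with region {embedded} in the number")
    return (phone_region or embedded or "86"), national


def normalize_email(emails: List[dict]) -> str:
    """Only one email can be stored and its type must be work."""
    if len(emails) != 1 or emails[0].get("type") != "work":
        raise SyncError("exactly one email of type work is required")
    return emails[0]["value"]


def to_idaas_account(scim_user: dict) -> dict:
    """Map a SCIM User onto the IDaaS account fields named in the table."""
    region, number = normalize_phone(scim_user.get("phoneNumbers", []),
                                     scim_user.get("phoneRegion"))
    return {
        "userExternalId": scim_user.get("externalId"),
        "username": scim_user["userName"],
        "displayName": scim_user.get("displayName"),
        "phoneRegion": region,
        "phoneNumber": number,
        "email": normalize_email(scim_user.get("emails", [])),  # field name assumed
        "status": "enabled" if scim_user.get("active", True) else "disabled",
    }


class InMemoryScimStore:
    """Stand-in for the IDaaS SCIM server with idempotent creates.

    Assumption: a repeated submission is matched on externalId (falling back
    to userName); the page only says repeats become updates, not which key.
    """

    def __init__(self) -> None:
        self.accounts: Dict[str, dict] = {}    # userId -> account
        self._index: Dict[str, str] = {}       # match key -> userId
        self._next = 1

    def upsert(self, scim_user: dict) -> Tuple[str, bool]:
        """Validate first, then create or update. Returns (userId, created)."""
        account = to_idaas_account(scim_user)   # raises before any state changes
        key = account["userExternalId"] or account["username"]
        user_id = self._index.get(key)
        created = user_id is None
        if created:
            user_id = f"user-{self._next}"
            self._next += 1
            self._index[key] = user_id
        self.accounts[user_id] = dict(account, userId=user_id)
        return user_id, created


# Constructed sample record, shaped like what an upstream SCIM client sends.
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "externalId": "ext-1001",
    "userName": "alice",
    "displayName": "Alice Liu",
    "active": True,
    "emails": [{"value": "alice@example.com", "type": "work"}],
    "phoneNumbers": [{"value": "+86-13800000000", "type": "work"}],
}

if __name__ == "__main__":
    store = InMemoryScimStore()
    print(store.upsert(SAMPLE_USER))                               # created
    print(store.upsert(dict(SAMPLE_USER, displayName="Alice L.")))  # same userId, updated
    print(store.accounts)
```

Validating before mutating state is what keeps a malformed phoneNumbers or emails value from leaving a half-written account behind, and the keyed store is what turns a retried POST into an update rather than a duplicate.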
References
For information about how to configure upstream applications to synchronize with IDaaS using SCIM, see Synchronize users or groups from Microsoft Entra ID (formerly Azure AD) using SCIM and Synchronize users or groups from Okta using SCIM.
When you synchronize application data to IDaaS using SCIM, an application that supports the SCIM protocol calls the IDaaS SCIM API operations automatically once the configuration is complete; you do not need to call them manually. For more information, see SCIM 2.0 operations supported by EIAM.
Enterprises can manage accounts through applications and synchronize data to IDaaS in real time. For more information, see Account data synchronization.
IDaaS provides APIs that allow enterprise developers to import and synchronize account and organization information. For more information, see Open application APIs.