Druva enables inSync administrators to automate user management in Druva inSync using System for Cross-domain Identity Management (SCIM) v2.0. SCIM is a standard for the exchange of user identities between identity providers (IdPs) and applications requiring user identity information (such as enterprise SaaS apps).
Organizations use Identity Providers (IdPs) as a source directory to manage and authenticate users to provide access to different applications. After you integrate Druva inSync with SCIM-compliant IdPs, users are automatically managed based on the actions in the IdP.
Druva inSync complies with the following RFC standards for SCIM implementation:
After integration with SCIM,
- User accounts are automatically created in Druva inSync when new user accounts are assigned to the SCIM app in the IdP.
- User account status and their information are automatically updated in Druva inSync based on the updates in the IdP. The following updates to user information are supported currently:
- Change in Display Name (combination of First Name + Last Name or vice-versa)
- Change in the Email address
- Change in User account status update, that is, change of user account status from active to inactive, and inactive to active only.
- User accounts are automatically preserved in Druva inSync when user accounts are deactivated from the IdP or deleted from the SCIM app.
- Druva inSync does not make any updates to the user information in the IdP, that is, Druva inSync does not create, update, or delete any user accounts or modify their information.
- Users preserved by inSync administrator in the inSync Management Console, cannot be re-activated from the IdP.
- If a user is deactivated from IdP, administrators need to again assign the SCIM app to the user to activate (change user account status from Preserved to Active) the user account in inSync.
- Manually created users are automatically managed using SCIM after their accounts are assigned the SCIM app in the IdP.
Benefits of using SCIM over other available user management options in Druva inSync
SCIM based user management is fully-automated compared to CSV based user management. It reduces administrator efforts to create and manage users consistently.
Real-time sync of user accounts and their information in IdPs with Druva inSync. Unlike AD or LDAP sync which works at a fixed interval , IdPs push the user data whenever any updates are made in the IdP.
Druva Cloud Apps only customers can leverage UPN in their IdP to identify and manage users in Druva inSync.
Eliminates the need for AD or LDAP deployment. It reduces complexity, risk, and time to manage users across multiple SaaS applications.
- The option to use SCIM is available only to customers who have not used AD or LDAP to manage users in Druva inSync.
- No AD or LDAP account must be configured to import users in Druva inSync Management Console.
- No AD or LDAP mapping should exist in Druva inSync Management Console.
- No AD or LDAP managed user in 'Active' and 'Preserved' state should exist in the Druva inSync Management Console.
- The profile and storage assigned to the manually added users in Druva inSync and which you may want to manage using SCIM, stay the same even after the migration.
Certified SCIM based IdPs
The following SCIM v2.0 compliant IdPs are certified by Druva:
- Microsoft Azure AD
*Druva will provide certified solutions for other SCIM 2.0 compliant IdPs through its partnership program. Contact Druva Support for technical assistance if you wish to use other SCIM v2.0 compliant IdPs.
Supported provisioning actions
The following SCIM provisioning actions are supported:
- Creation of individual user accounts
- Update to user account status and information. The following information updates are supported currently:
- Display Name (combination of First Name + Last Name) update
- Email address update
- User account status update. Change of user account status from active to de-active, and de-active to active only.
- Deactivation or deletion of user accounts
- Deactivation or deletion of a user in the IdP leads to the preservation of the user account in Druva inSync.
Unsupported provisioning actions
The following SCIM provisioning actions are not supported:
- Password sync
- Managing or migration of user accounts from Druva inSync to IdPs
- Managing of user groups within IdPs in Druva inSync
Workflow to manage users using SCIM in Druva inSync
Workflow to manage Cloud Apps only user accounts in Druva inSync
- Create a Profile which has only Cloud Apps enabled and settings configured in it. For more information, see Create and manage profiles.
- Configure Cloud Apps settings to define the user access settings of their Cloud Apps account. By default, Druva inSync uses the email address of inSync users. You can configure inSync to use the User Principal Name (UPN). For more information, see Configure Cloud Apps Settings.
- Configure Druva inSync to use SCIM for user management. For more information, see Configure inSync to manage users using SCIM.
- In the IdP, ensure you configure the userPrincipalName SCIM attribute and define the value for it. For more information, see Configure IdP to integrate with Druva inSync.