Druva Documentation

Configure inSync to manage users using SCIM

Overview

This article lists the steps that the Druva inSync administrator must perform to enable SCIM integration and manage users in Druva inSync.

Pre-requisite

Only a Druva Cloud administrator and inSync Cloud administrator can configure Druva inSync to manage users using SCIM.

Procedure

Step 1: Configure Druva inSync to use SCIM to manage users

The inSync administrator must define the user import type in the inSync Management Console. To configure and use SCIM for managing users in the inSync Management Console, perform the following steps:

  1. On the inSync Management Console menu bar, click Manage > Deployments > Users.
  2. On the User Deployment page, click Use SCIM to use SCIM based IdPs to import and manage users.
  3. On the confirmation dialog box that appears, read the message and click Confirm.

Once you select SCIM for user management in the inSync Management Console, you cannot use AD or LDAP for user management.

You are redirected to generate a token to integrate IdP with Druva inSync.

Step 2: Generate a token to integrate IdP with Druva inSync

As an inSync Cloud administrator, after you select SCIM for user management, you must generate a token to integrate the IdP from which you want to manage users in Druva inSync. A token is a key to identify and authenticate the IdP with Druva inSync.

  • If you see the message "API gateway feature is disabled for your account", contact Druva Support to enable this feature for your account.
  • Only a Druva Cloud administrator and inSync Cloud administrator can generate a token.
  • You must copy the token and save it immediately when you generate it. The token is not saved in the inSync Management Console. 
  • Once generated, the token is valid for 365 days.
  • If you or any other inSync Cloud administrator regenerates a token, the previous token becomes invalid. The new token must be used to reconfigure the existing SCIM app.

Procedure

To generate a token:

In the previous step, if you are redirected to the Settings tab on the User Deployment page, click Generate Token in the Auth Token for SCIM section.

Alternatively,

  1. On the inSync Management Console menu bar, click Manage > Deployments > Users.
  2. On the User Deployment page, click the Settings tab.
  3. In the Auth Token for SCIM section, click Generate Token.


The token is generated. Copy the token and save it. Use it to enable API Integration of IdP with Druva inSync later in Step 5.

Step 3: Create a SCIM mapping

A SCIM mapping enables inSync administrators to define the filter parameters (SCIM attributes configured in the IdP) to automatically classify users and define the profile, storage region, and storage quota that should be assigned to the users who match the filter criteria.

An inSync administrator can create multiple mappings to classify users based on the various SCIM attributes and value pairs. After creating multiple mappings, administrators can also specify the priority of the mapping based on which the user classification should take precedence.

Druva inSync supports the standard SCIM attributes. You can also map custom SCIM attributes and create a mapping to classify the users.

  • The SCIM attributes that you define in the SCIM mapping must be mapped to the IdP attributes in the IdP; otherwise, user creation fails.
  • If a user does not match any SCIM mapping created in Druva inSync, the user account creation fails.
  • Druva recommends that you also create a default mapping with the configuration 'Allow any user'. This default mapping ensures that users who do not match any of the other mappings are created with a default configuration. The priority of this default mapping can be set to lowest.
  • Once you create a SCIM mapping, you can only modify the Mapping Name and inSync configuration. You cannot modify the Users criteria to filter users.
  • The filter is case sensitive. The value you specify in the SCIM mapping and the attribute value in IdP should be in the same case.

Before you begin

Ensure you have:

  • Created a Profile - A profile is a set of configurations that is applied to a set of users. Using profiles, you can define the data sources for backup and the generic backup configuration parameters that are automatically applied to all the users that belong to that profile. For more information, see Create and manage profiles.
  • Configured your Druva inSync storage region.

Procedure

  1. On the inSync Management Console menu bar, click Manage > Deployments > Users.
  2. On the User Deployment page, under the Mappings tab, click New Mapping.
  3. On the Create Mapping wizard, under Mapping Configuration tab, specify the following details:
    1. Mapping Name - Specify a name for the SCIM mapping.
    2. Under the Users section,
      • Select Filter by SCIM attribute, if you want to configure users based on a specific SCIM attribute and matching values.
        • Specify the SCIM Attribute name.
        • In the Value(s) box, type the value for the attribute.
          The filter is case sensitive. The value you specify in the SCIM mapping and the attribute value in the IdP should be in the same case.
          - Only the characters a-z, A-Z, 0-9, and underscore (_) are supported.
          - Use a comma to specify multiple values for the attribute.
          Only the user accounts that match the values specified in the box are mapped to this mapping.
      • Otherwise, select Allow any user if you want to import and configure users without any filter criteria.
    3. Click Next.
    4. On the inSync Configuration tab, specify the following details:
      1. Select the Profile to which the users should be assigned if they are mapped using this SCIM mapping.
      2. Select the Storage on which the user data should be saved.
      3. Specify the storage Quota per user.
      4. Select the Send activation email to newly added users check box if you want to send the Druva inSync invitation email to the users who are added to Druva inSync.
    5. Click Finish.

The SCIM mapping is created. You can create multiple mappings to define multiple combinations of SCIM attributes and values to classify users in Druva inSync and allocate them a different profile, storage region, and storage quota.

Any new SCIM Mapping or an update to an existing SCIM mapping is logged by inSync and displayed in the administrator audit trails. Audit trails is a feature that is part of the Governance offering. For more information, see View audit trail for administrators.

(Optional) Step 4: Define priority for the SCIM mapping

User accounts are automatically created when the IdP is integrated with Druva inSync. When you define multiple SCIM mappings, inSync automatically classifies the users, while creating the user accounts, based on the filter parameters and starts assigning the profile and storage specified in the SCIM mapping.

However, a user account may match multiple SCIM mappings based on the defined criteria. In such cases, Druva inSync administrators can define the priority for the mappings. Users are imported based on the mapping sequence and assigned the profile and storage specified in the first mapping that applies.

When you create multiple SCIM mappings, Druva inSync by default gives priority to the oldest SCIM mapping. The SCIM mapping listed at the top has the highest priority, while the one at the bottom has the lowest priority. By default, the latest SCIM mapping defined is assigned the lowest priority.

inSync provides an option to change the priority of a SCIM mapping after you create it.

Example

Assume you have defined two SCIM mappings that have the following criteria:

  • General Users Mapping
    • Import all users from the Engineering department
    • Assign them to General Profile 1
    • Per-user storage - 5 GB
  • Executive Users Mapping
    • Import Executive users that are also from the Engineering department
    • Assign them to Executive Profile
    • Per-user storage - 50 GB

General Users Mapping is created before Executive Users Mapping.

Here is how inSync imports users based on the criteria defined in the SCIM mappings:

Executive users fall under both mappings. Because General Users Mapping is created before Executive Users Mapping, it has priority by default. All the users, including Executive users, are imported to Druva inSync and assigned to General Profile 1 with storage of 5 GB.

However, you want Executive users assigned to Executive Profile with storage of 50 GB. In this case, you must change the priority of Executive Users Mapping from lowest to highest. Druva inSync then first classifies the Executive users and assigns them to Executive Profile, and the other General users are assigned to General Profile 1.
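The first-match behaviour in the example above, modelled in Python as an added example (not Druva's code or API). Mappings are checked from highest to lowest priority with a case-sensitive comparison; the attribute names `department` and `userType`, the flat user dictionaries, and the default mapping's profile name are assumptions.

```python
import re

# Characters the page lists as supported in the Value(s) box.
VALUE_RE = re.compile(r"[A-Za-z0-9_]+")

def parse_values(box):
    """Split a comma-separated Value(s) string and reject unsupported characters."""
    values = [v.strip() for v in box.split(",")]  # trimming is a choice of this model
    bad = [v for v in values if not VALUE_RE.fullmatch(v)]
    if bad:
        raise ValueError(f"unsupported characters in value(s): {bad}")
    return set(values)

def mapping(name, attribute, box, profile, quota_gb):
    """Build one mapping; attribute=None models the 'Allow any user' option."""
    values = parse_values(box) if attribute else set()
    return {"name": name, "attribute": attribute, "values": values,
            "profile": profile, "quota_gb": quota_gb}

def classify(user, mappings):
    """Return the first matching mapping; the list runs from highest to lowest priority.

    None means no mapping matched, the case in which account creation fails.
    """
    for m in mappings:
        if m["attribute"] is None:
            return m
        # Exact, case-sensitive comparison against the attribute value from the IdP.
        if user.get(m["attribute"]) in m["values"]:
            return m
    return None

# Constructed sample data; attribute names and the default profile are assumptions.
GENERAL = mapping("General Users Mapping", "department", "Engineering", "General Profile 1", 5)
EXECUTIVE = mapping("Executive Users Mapping", "userType", "Executive", "Executive Profile", 50)
DEFAULT = mapping("Default Mapping", None, "", "Default Profile", 5)

exec_user = {"userName": "exec1", "department": "Engineering", "userType": "Executive"}
lower_user = {"userName": "dev2", "department": "engineering"}  # case differs from the mapping

if __name__ == "__main__":
    for order in ([GENERAL, EXECUTIVE], [EXECUTIVE, GENERAL]):
        print([m["name"] for m in order], "->", classify(exec_user, order)["profile"])
    print("case mismatch, no default:", classify(lower_user, [EXECUTIVE, GENERAL]))
    print("case mismatch, with default:", classify(lower_user, [EXECUTIVE, GENERAL, DEFAULT])["name"])
```

Running the same check over an export of IdP users before changing priorities shows which accounts would change profile or fail to match.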

Procedure

To change the priority of a SCIM mapping:

  1. On the inSync Management Console, click Manage > Deployments > Users.
  2. On the User Deployment page, you can view the details of the existing SCIM mappings. Click the Settings tab.
  3. In the Mapping Priority section, you can see the existing SCIM mappings as per their defined priority. Click Edit to change the priority of a SCIM mapping.
  4. The Mapping Priority for User Import window appears with the list of all the SCIM mappings. Select a SCIM mapping to change its priority.
  5. Use the following options appropriately to change the priority of the selected SCIM mapping.
    • Move Up - Click this button if you want to increase priority one level up.
    • Move Down - Click this button if you want to decrease priority one level down.
    • Move to Top - Click this button if you want to change the priority to the highest.
    • Move to Bottom - Click this button if you want to change the priority to the lowest.
  6. Click Save.

The priority of the selected SCIM mapping is updated. inSync classifies users based on the updated priority of the SCIM mapping and assigns them the profile and storage.

Step 5: Configure IdP to integrate with Druva inSync to manage users

After configuring Druva inSync, the inSync administrator must configure the IdP to integrate with Druva inSync. After successful integration, users from the IdP are created and automatically managed in Druva inSync.

Follow these steps to integrate an IdP with Druva inSync:

  1. Create a custom SCIM app in the IdP. 
  2. Enable API Integration with Druva inSync.
  3. Configure and map the SCIM attributes with the IdP attributes in the SCIM app.
  4. Assign users to the SCIM app.

To integrate Okta with Druva inSync, see Manage Users from Okta using SCIM.

To integrate Microsoft Azure AD with Druva inSync, see Manage Users from Microsoft Azure Active Directory using SCIM.
