Druva Documentation

Configure inSync to manage users using SCIM

Overview

This article lists the steps that the administrator must perform to enable SCIM integration and manage users in inSync.

Pre-requisite

Only a Druva Cloud Administrator and inSync Cloud administrator can configure inSync to manage users using SCIM.

Procedure

Step 1: Configure inSync to use SCIM to manage users

The administrator must define the user import type in the inSync Management Console. To configure and use SCIM for managing users in the inSync Management Console, perform the following steps:

  1. On the inSync Management Console menu bar, click Users > Deployment. 
  2. On the Select a user provisioning method window, click Use SCIM to select SCIM-based identity providers (IdPs) to import and manage

  3. On the confirmation dialog box that appears, read the message and click Confirm.

Step 2: Generate a token to integrate IdP with Druva inSync

As an inSync Cloud administrator, after you select SCIM for user management, you must generate a token to integrate the IdP from which you want to manage users in inSync. A token is a key to identify and authenticate the IdP with inSync.

  • Only a Druva Cloud Administrator and inSync Cloud administrator can generate a token.
  • You must copy the token and save it immediately when you generate it. The token is not saved in the inSync Management Console. 
  • Once generated, the token is valid for 365 days.
  • If you or any other inSync Cloud administrator regenerates a token, the previous token becomes invalid. The new token must be used to reconfigure the existing SCIM app.

Procedure

To generate a token:

In the previous step, if you are redirected to the Settings tab on the User Deployment page, click Generate Token in the Auth Token for SCIM section.

Alternatively,

  1. On the inSync Management Console menu bar, click Users > Deployment. 
  2. On the SCIM Deployment page, click the Settings tab.
  3. In the Auth Token for SCIM section, click Generate Token.

The token is generated. Copy the token and save it. Use it to enable API Integration of IdP with inSync later in Step 5.

Step 3: Create a SCIM mapping

A SCIM mapping enables administrators to define the filter parameters (SCIM attributes configured in the IdP) to automatically classify users and define the profile, storage region, and storage quota that should be assigned to the users who match the filter criteria.

An administrator can create multiple mappings to classify users based on the various SCIM attributes and value pairs. After creating multiple mappings, administrators can also specify the priority of the mapping based on which the user classification should take precedence.

inSync supports the standard SCIM attributes. You can also map custom SCIM attributes and create a mapping to classify users.

  • The SCIM attributes that you define in the SCIM mapping must be mapped to the IdP attributes in the IdP; else the user creation fails.
  • If a user does not classify or fall under any SCIM mapping created in inSync, the user account creation fails.
  • Druva recommends that you also create a default mapping with the configuration 'Allow any user'. This default mapping will ensure that any users who do not classify or fall under any of the mappings are created with a default configuration. The priority of this default mapping can be set to lowest.
  • Once you create a SCIM mapping, you can only modify the Mapping Name and inSync configuration. You cannot modify the Users criteria to filter users.
  • The filter is case sensitive. The value you specify in the SCIM mapping and the attribute value in IdP should be in the same case.

Before you begin

Ensure you have:

  • Created a Profile - A profile is a set of configurations that is applied to a set of users. Using profiles, you can define the data sources for backup and the generic backup configuration parameters that are automatically applied to all the users that belong to that profile. For more information, see Create and manage profiles.
  • Your inSync storage region is configured.

Procedure

  1. On the inSync Management Console menu bar, click Users > Deployment. 
  2. On the SCIM Deployment page, click the Mappings tab, and then click New Mapping.
  3. In the New Mapping wizard, under the Mapping Configuration tab, specify the following details:
    1. SCIM Mapping Name - Specify a name for the SCIM mapping.
    2. Under the Filter Users section,
      • Select Use SCIM attribute, if you want to configure users based on a specific SCIM attribute and matching values.
        • Attribute name - Specify the SCIM Attribute name.
        • Value(s) - Type the value for the attribute.
          The filter is case sensitive. The value you specify in the SCIM mapping and the attribute value in the IdP should be in the same case.
          - Use a comma to specify multiple values for the attribute.
          - Only the user accounts that match the values specified in the box are mapped to this mapping.
      • Otherwise, select Allow any user if you want to import and configure users based on no criteria.
    3. Click Next.

On the inSync Configuration tab, specify the following details:

  1. Select the Profile to which the users should be assigned if they are mapped using this SCIM mapping.

If you select this profile, you cannot:

  • Delete the snapshots, users, and devices associated with the profile.
  • Change profile of users.
  • Remove the license of the user.

For more details, see Data Lock.

  2. Select the Storage on which the user data should be saved.
  3. Specify the storage Quota per user.
  4. Select the Send activation email to newly added users check box if you want to send the Druva inSync invitation email to the users who are added to inSync.
  5. Click Finish.

SCIM mapping is created. You can create multiple mappings to define multiple combinations of SCIM attributes and values to classify users in inSync and allocate them a different profile, storage region, and storage quota.

Any new SCIM mapping or an update to an existing SCIM mapping is logged by inSync and displayed in the administrator audit trails. Audit trails is a feature that is part of the Governance offering. For more information, see View audit trail for administrators.

(Optional) Step 4: Define priority for the SCIM mapping

User accounts are automatically created when the IdP is integrated with inSync. When you define multiple SCIM mappings, inSync automatically classifies the users, while creating the user accounts, based on the filter parameters and starts assigning the profile and storage specified in the SCIM mapping.

However, user accounts may fall under multiple SCIM mappings based on the defined criteria. In such cases, administrators can define the priority for the mappings. Users are then imported based on the mapping sequence and assigned the profile and storage specified in the first mapping that applies.

When you create multiple SCIM mappings, inSync by default gives priority to the oldest SCIM mapping. The SCIM mapping listed at the top has the highest priority, while the one at the bottom has the lowest priority. By default, the latest SCIM mapping defined is assigned the lowest priority.

inSync provides an option to change the priority of a SCIM mapping after you create it.

Example

Assume you have defined two SCIM mappings that have the following criteria:

  • General Users Mapping
    • Import all users from the Engineering department
    • Assign them to General Profile 1
    • Per-user storage - 5 GB
  • Executive Users Mapping
    • Import Executive users that are also from the Engineering department
    • Assign them to Executive Profile
    • Per-user storage - 50 GB

General Users Mapping is created before Executive Users Mapping.

Here is how inSync imports users based on the criteria defined in the SCIM mappings:

Executive users fall under both mappings. As General Users Mapping is created before Executive Users Mapping, it has priority by default. All the users, including Executive users, are imported to inSync and assigned to General Profile 1 with storage of 5 GB.

However, you want Executive users assigned to the Executive Profile with storage of 50 GB. In this case, you must change the priority of Executive Users Mapping from lowest to highest. inSync then first classifies the Executive users and assigns them to Executive Profile, and then the other General users are assigned to the General Profile.
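
The classification rules from Step 3 and Step 4 (case-sensitive values, comma-separated values, first match by priority, failure when nothing matches, and the recommended 'Allow any user' default) can be modelled as follows. This is an added example, not Druva's code and not part of the original article; the attribute names department and userType, the Default Profile, and the trimming of spaces around commas are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Mapping:
    name: str
    profile: str
    quota_gb: int
    attribute: Optional[str] = None  # None models "Allow any user"
    values: str = ""                 # comma-separated, as typed in Value(s)

    def matches(self, user: dict) -> bool:
        if self.attribute is None:
            return True
        # Assumption: spaces around the commas are ignored.
        allowed = {v.strip() for v in self.values.split(",") if v.strip()}
        # Exact comparison: "Engineering" and "engineering" are different values.
        return user.get(self.attribute) in allowed


def classify(user: dict, mappings: list) -> Mapping:
    """First match wins; list order is priority order (index 0 = highest)."""
    for mapping in mappings:
        if mapping.matches(user):
            return mapping
    raise LookupError(f"{user['userName']}: no mapping matched, creation fails")


def move_to_top(mappings: list, name: str) -> list:
    """Model of the 'Move to Top' option in Edit Mapping Priority Order."""
    return sorted(mappings, key=lambda m: m.name != name)  # stable sort


# Constructed sample data; attribute names and the default profile are assumptions.
GENERAL = Mapping("General Users Mapping", "General Profile 1", 5,
                  "department", "Engineering")
EXECUTIVE = Mapping("Executive Users Mapping", "Executive Profile", 50,
                    "userType", "Executive")
DEFAULT = Mapping("Default Mapping", "Default Profile", 5)  # Allow any user

ALICE = {"userName": "alice", "department": "Engineering", "userType": "Executive"}
BOB = {"userName": "bob", "department": "Engineering", "userType": "Employee"}
CAROL = {"userName": "carol", "department": "engineering", "userType": "Employee"}

if __name__ == "__main__":
    by_creation = [GENERAL, EXECUTIVE]
    by_priority = move_to_top(by_creation, EXECUTIVE.name)
    for user in (ALICE, BOB):
        before, after = classify(user, by_creation), classify(user, by_priority)
        print(user["userName"], before.profile, "->", after.profile)
    print("carol", classify(CAROL, by_priority + [DEFAULT]).profile)
```

Running the model against a planned set of mappings before creating them helps catch users who would land in an unintended profile or fail to be created, which matters because the Users criteria of a mapping cannot be modified after creation.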

Procedure

To change the priority of a SCIM mapping:

  1. On the inSync Management Console menu bar, click Users > Deployment. 
  2. On the SCIM Deployment page, you can view the details of the existing SCIM mappings. Click the Settings tab.
  3. In the Mapping Priority Order section, you can see the existing SCIM mappings as per their defined priority. Click Edit to change the priority of a SCIM mapping.
  4. The Edit Mapping Priority Order window appears with the list of all the SCIM mappings. Select a SCIM mapping to change its priority.
  5. Use the following options appropriately to change the priority of the selected SCIM mapping.
    • Move Up - Click this button if you want to increase priority one level up.
    • Move Down - Click this button if you want to decrease priority one level down.
    • Move to Top - Click this button if you want to change the priority to the highest.
    • Move to Bottom - Click this button if you want to change the priority to the lowest.
  6. Click Save.

The priority of the selected SCIM mapping is updated. inSync classifies users based on the updated priority of the SCIM mapping and assigns them the profile and storage.

Step 5: Configure IdP to integrate with Druva inSync to manage users

After configuring inSync, the administrator must configure the IdP to integrate with inSync. After successful integration, users from the IdP are created and automatically managed in inSync.

Follow these steps to integrate an IdP with inSync:

  1. Create a custom SCIM app in the IdP. 
  2. Enable API Integration with inSync.
  3. Configure and map the SCIM attributes with the IdP attributes in the SCIM app.
  4. Assign users to the SCIM app.

To integrate Okta with inSync, see Manage Users from Okta using SCIM.

To integrate Microsoft Azure AD with inSync, see Manage Users from Microsoft Azure Active Directory using SCIM.

Note: There is no cap on the number of users that can be imported or added for Microsoft 365, Google Workspace, and Endpoints workloads. For more information, see Active and preserved license consumption rationale.