Change user provisioning from AD/LDAP to SCIM

Overview

inSync lets you change the user provisioning method from AD/LDAP to SCIM, and vice versa, while preserving the user's backed-up data.

This section provides:

  • The detailed impact of changing the user provisioning method from AD/LDAP to SCIM
  • The checks to perform before changing the provisioning method from AD/LDAP to SCIM
  • The procedure to change user provisioning from AD/LDAP to SCIM
  • Next steps after changing the provisioning method from AD/LDAP to SCIM

After successfully changing the user provisioning method from AD/LDAP to SCIM, inSync performs backups according to the profile settings.

Impact of changing the user provisioning method from AD/LDAP to SCIM

Changing the user provisioning method from AD/LDAP to SCIM has the following impact:

  • The following configurations get deleted from the inSync Management Console during the change in provisioning:
    • AD/LDAP mappings used to manage users in inSync.
    • CloudCache mappings associated with the AD/LDAP users.
  • The user accounts provisioned using AD/LDAP and added to inSync Share groups will be detached from their respective group when the provisioning method changes to SCIM.
  • User provisioning mode for all users will be changed to Manual provisioning.
  • The User Deployment page (Manage > Users) UI of the inSync Management Console changes to conform to mappings related to SCIM provisioning.

Advantages of using SCIM-based user provisioning method in inSync

  • Real-time sync of user accounts and their information in IdPs with Druva inSync. Unlike AD or LDAP sync, which works at a fixed interval, IdPs push the user data whenever any updates are made in the IdP.
  • Eliminates the need for AD or LDAP deployment. It reduces complexity, risk, and time to manage users across multiple SaaS applications.
  • Manage user identities from your choice of SCIM-compliant IdPs. Druva has certified Okta and Microsoft Azure AD as IdPs and provides certified solutions for other SCIM-compliant IdPs through its partnership program.

Checks to be performed before changing the provisioning method

Ensure that none of the profiles assigned to the users being moved from AD to SCIM provisioning have AD/LDAP Account as their authentication method. The change is aborted with the error below if the authentication method in any of these profiles is set to AD/LDAP Account.

[Screenshot: login_AD-LDAP error.png]

If you see the above error message while changing the provisioning method, set the authentication method in the respective profile to something other than AD/LDAP Account and try to provision the users again. See Update a profile.

Change user provisioning from AD/LDAP to SCIM

  1. Go to the User page from the Endpoints/SaaS Apps console.
  2. Select the User Provisioning tab.
  3. In the summary section, click the three-dot menu icon and select the Change User Deployment method option.
  4. Select SCIM as the provisioning method and click Save. A confirmation message appears.
  5. Select Confirm in the dialog box. The user provisioning method is changed from AD/LDAP to SCIM.

    [Screenshot: AD-LDAP to SCIM confirm.png]

All users will be moved to manual provisioning mode and will not be mapped to any SCIM mapping automatically.

Next steps after changing the user provisioning from AD/LDAP to SCIM
