inSync provides the option to change the user provisioning method from AD/LDAP to SCIM and vice versa, while preserving the user's backed up data.
This section provides:
- The detailed impact of changing the user provisioning method from AD/LDAP to SCIM
- The checks to perform before changing the provisioning method from AD/LDAP to SCIM
- The procedure to change user provisioning from AD/LDAP to SCIM
- Next steps after changing the provisioning method from AD/LDAP to SCIM
After successfully changing the user provisioning method from AD/LDAP to SCIM, inSync performs backups according to the profile settings.
Impact of changing the user provisioning method from AD/LDAP to SCIM
Changing the user provisioning method from AD/LDAP to SCIM has the below impact:
- The following configurations get deleted from the inSync Management Console during the change in provisioning:
- AD/LDAP mappings used to manage users in inSync.
- CloudCache mappings associated with the AD/LDAP users.
- The user accounts provisioned using AD/LDAP and added to inSync Share groups will be detached from their respective group when the provisioning method changes to SCIM.
- User provisioning mode for all users will be changed to Manual provisioning.
- The User Deployment page (Manage > Users) UI of the inSync Management Console changes to conform to mappings related to SCIM provisioning.
Advantages of using SCIM-based user provisioning method in inSync
- Real-time sync of user accounts and their information in IdPs with Druva inSync. Unlike AD or LDAP sync which works at a fixed interval , IdPs push the user data whenever any updates are made in the IdP.
- Eliminates the need for AD or LDAP deployment. It reduces complexity, risk, and time to manage users across multiple SaaS applications.
- Manage user identities from your choice of SCIM-compliant IdPs. Druva has certified Okta and Microsoft Azure AD as IdPs and provides certified solutions for other SCIM compliant IdPs through its partnership program.
Checks to be performed before changing the provisioning method
Ensure that none of the profiles assigned to the users that are provisioned from AD to SCIM have AD/LDAP Account as their authentication method. The provisioning is aborted with the below error if the authentication method in any of the profiles is set to AD/LDAP Account.
If you see the above error message while changing the provisioning method, set an authentication method to other than AD/LDAP Account in the respective profile and try to provision the users again. See Update a profile.
Change user provisioning from AD/LDAP to SCIM
- Login to inSync Management Console and go to > Settings.
- Open the Deployment tab. Under User Provisioning, the Provisioning Method is set as AD/LDAP.
- Click Edit to change the provisioning method.
- On the Edit Settings dialog box, change the Provisioning Method to SCIM.
- Click Save. inSync asks for a confirmation and indicates the impact of the change in user provisioning method.
All users will be moved to manual provisioning mode and will not be mapped to any SCIM mapping automatically.
- Click Confirm. A confirmation message is displayed indicating the user provisioning method successfully changed to SCIM.
The user provisioning method has been successfully changed from AD/LDAP to SCIM.