Customers using Single Sign-on also have access to user provisioning and de-provisioning via Dscout’s implementation of the industry-standard SCIM API. This feature allows customers to use their identity provider (IdP) to securely create Dscout accounts for their users, keep their information (name, email, etc.) in sync, and revoke access to Dscout (de-provision).

Your Dscout account owner and/or IdP administrator will manage access to Dscout. When your Dscout account is ready, they will provide login instructions.


Supported features

  • Create users in Dscout
  • Update users in Dscout
    • Supported attributes are limited to:
      • userName (maps to the Dscout user’s email address)
      • name.givenName
      • name.familyName
      • title
      • timezone
  • Deactivate users in Dscout

Requirements

  • A Dscout account in the Select or Select+ subscription tier
  • Must be the account owner of your Dscout account
  • Administrator rights in your organization’s Okta account
  • An existing Okta SSO configuration

Configuration steps

In Dscout

  1. As the account owner, visit your account’s settings page and select SSO and user provisioning.
  2. Under User provisioning (SCIM), click the Generate API key button to name and generate your key.
  3. Leave this tab open while you continue the configuration in Okta.


In Okta

Log in to your Okta admin portal and complete the following steps:

  1. Under the Applications tab, navigate to the Dscout application.
  2. On the Sign On tab, select Email for the Application username format.


  3. Select the Provisioning tab and then select Integration in the sub-navigation. Toggle Enable API Integration, paste your copied API token into the input field, test your credentials, and then click Save.


  4. While still on the Provisioning tab, click on the To App tab and click Edit. Then enable the SCIM functionality you’d like to support. It’s recommended that you toggle all three options. Then click Save.


  5. SCIM provisioning has now been enabled. Assigning new users to Dscout in Okta will automatically create their account, and revoking access will automatically deactivate their account.

  6. Recommended: in Dscout, we strongly recommend that after you’ve tested the integration, you switch your Dscout account to SCIM-only. Once this setting is on, you will no longer be able to add or remove users from the platform without first provisioning or de-provisioning them in your IdP.


Push groups (coming soon)

Dscout allows you to sync groups and group memberships from Okta. You can also map groups to a Dscout role so that newly provisioned users in that group are auto-assigned the correct role.

To sync groups and group memberships from Okta to Dscout, follow the steps below.

  1. From your Okta Admin Console, go to Applications > Applications > Dscout.
  2. Click Push Groups.
  3. From the dropdown menu, select Find groups by name.
  4. Enter the name of the group you would like to sync.
  5. Click Save.


Your groups and group memberships should now begin to show up in Dscout. To verify, log in to Dscout and go to Account Management > Settings > SSO and user provisioning.

By default, all groups are mapped to the Viewer role, meaning any new users created will be set to the Viewer role. Optionally, your account owner can edit a group to map it to a different role, such as Admin, Researcher or Contributor.


A few callouts about groups, group members and role mappings:

  • When you edit a group’s mapping and click “Save”, the mapping will only apply to new users added to the group. None of the existing group members will be re-mapped. If you’d like to re-map the existing members, you can do so from Okta by force syncing the group.
  • You can always override a user’s role by changing their role on the user’s page of account management.
  • Dscout defines the role hierarchy as Admin (highest), Researcher, Contributor, Viewer (lowest).
  • If a user belongs to more than one group, they will assume the highest mapped role.
  • Dscout’s API will never downgrade a user’s role. For example, if a user has an Admin role and is then added to a group with a Viewer mapping, they will continue to be an Admin.
  • Conversely, Dscout’s API will upgrade a user’s role. For example, if a user has a Viewer role and is added to a group with an Admin mapping, their role will change to Admin.
  • The account owner’s role will never change.
  • Once your account has exhausted its purchased seats for a certain type (if applicable), users will be mapped to the Viewer role.
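
The role rules above can be modeled to predict a user's role after a group sync and to spot accounts whose role is higher than their current groups justify, which the never-downgrade rule makes possible. This is an added example, not Dscout's code: the function names, group names and users are constructed, and the way seat exhaustion interacts with the other rules is an assumption.

```python
# Model of the role rules listed above (added example; not Dscout's code).
RANK = {"Viewer": 0, "Contributor": 1, "Researcher": 2, "Admin": 3}

def mapped_role(groups, mapping, seats_left):
    """Highest role mapped from the user's groups; unmapped groups default to Viewer."""
    best = "Viewer"
    for g in groups:
        role = mapping.get(g, "Viewer")
        # Assumption: a role with no purchased seats left falls back to Viewer.
        if role != "Viewer" and seats_left.get(role, 1) <= 0:
            role = "Viewer"
        if RANK[role] > RANK[best]:
            best = role
    return best

def apply_sync(current, groups, mapping, seats_left=None, is_owner=False):
    """Role after a group sync: upgrades apply, downgrades never do, owner is untouched."""
    if is_owner:
        return current
    target = mapped_role(groups, mapping, seats_left or {})
    if current is None:  # newly provisioned user
        return target
    return target if RANK[target] > RANK[current] else current

def find_role_drift(users, mapping):
    """Users whose current role is higher than their groups justify today."""
    drift = []
    for u in users:
        if u.get("is_owner"):
            continue
        justified = mapped_role(u["groups"], mapping, {})
        if RANK[u["role"]] > RANK[justified]:
            drift.append((u["email"], u["role"], justified))
    return drift

# Constructed sample data: group names and users are illustrative only.
MAPPING = {"ux-leads": "Admin", "research": "Researcher", "all-staff": "Viewer"}
USERS = [
    {"email": "a@example.com", "role": "Admin", "groups": ["all-staff"]},
    {"email": "b@example.com", "role": "Researcher", "groups": ["research", "all-staff"]},
    {"email": "c@example.com", "role": "Admin", "groups": ["ux-leads"]},
]
```

Accounts returned by `find_role_drift` are the ones to review and lower by hand on the user's page, since a sync will not reduce their role.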

 

Known issues/troubleshooting

If you have questions or difficulties with your Dscout + Okta SCIM integration, please contact our support team at help@dscout.com.

FAQs

After enabling SCIM, will all of my current users assigned to the application be migrated to Dscout?

No. Only users updated or added after SCIM is enabled are added.

I’m an existing customer and have already added many users in Dscout. How do I sync them with my identity provider?

In your identity provider, simply assign all relevant users to Dscout. If the user does not already exist in Dscout, their account will be provisioned. If the user was previously added manually in Dscout, this process will sync those records (please confirm that the user’s email in your identity provider matches the user’s email on their existing Dscout account).

Will newly provisioned users receive a notification or invite from Dscout?

No. Dscout will not notify new users upon provisioning. We leave their notification in your hands after you’ve made any necessary adjustments to their role and/or added them to any workspaces or projects.

I deprovisioned a user from Dscout in my identity provider, but they are still showing up in Dscout.

Our SCIM API accepts “deactivation” requests from your identity provider, but we do not delete the user from your account. Instead, we mark them as “deprovisioned” and disallow the user from accessing Dscout. You (or your account owner) can log in to Dscout once the user is deactivated and remove them.

How can I learn more about SCIM?

There are many good references on the internet. Here are a few:
