Customers using Single Sign-on also have access to user provisioning & de-provisioning via Dscout’s implementation of industry standard SCIM API. This feature allows customers to use their identity provider (IdP) to securely create Dscout accounts for their users, keep their information (name, email, etc.) in sync, and revoke access to Dscout (de-provision) .
Your Dscout account owner and/or IdP administrator will manage access to Dscout. When your Dscout account is ready, they will provide login instructions.
Read on or click on the links below to learn more:
Supported features
- Create users in Dscout
- Update users in Dscout
- Supported attributes are limited to:
-
userName
maps to Dscout user’s email address name.givenName
name.familyName
title
timezone
-
- Supported attributes are limited to:
- Deactivate users in Dscout
Requirements
- A Dscout account in the Select or Select+ subscription tier
- Must be the account owner of your Dscout account
- Administrator rights in your organization’s Okta account
- An existing Okta SSO configuration
Configuration steps
In Dscout
- As the account owner, visit your account’s settings page and select SSO and user provisioning.
- Under the User provisioning (SCIM), click the Generate API key button to name and generate your key.
- Leave this tab open while you continue the configuration in Okta.
In Okta
Log in to your Okta admin portal and complete the following steps:
- Under the Applications tab, navigate to the Dscout application.
- On the Sign On tab, select Email for the Application username format.
3. Select the Provisioning tab and then select Integration in the sub navigation. Toggle Enable API Integration, paste your copied API Token into the input field, test your credentials and then click Save.
4. While still on the Provisioning tab, click on the To App tab and click Edit. Then enable the SCIM functionality you’d like to support. It’s recommended that you toggle all three options. Then click Save.
5. SCIM provisioning has now been enabled. Assigning new users to Dscout in Okta will automatically create their account and revoking access will automatically deactivate their account.
6. Recommended - In Dscout, we strongly recommend that after you’ve tested the integration, you switch your Dscout account to SCIM-only. Once this setting is on, you will no longer be able to add or remove users from the platform without first provisioning or de-provisioning them in your IdP.
Push groups (coming soon)
Dscout allows you to sync groups and group memberships from Okta. You can also map groups to a Dscout role so that newly provisioned users in that group are auto-assigned the correct role.
To sync groups and group memberships from Okta to Dscout follow the steps below.
- From your Okta Admin Console go to Applications > Applications > Dscout.
- Click Push Groups
- From the dropdown menu, select Find groups by name.
- Enter the name of the group you would like to sync.
- Click Save.
Your groups and group memberships should now begin to show up in Dscout. To verify, login to Dscout and go to Account Management > Settings > SSO and user provisioning.
By default all groups are mapped to Viewer roles meaning any new users created will be set to the Viewer role. Optionally, your account owner can edit a group to map to a different role such Admin, Researcher or Contributor.
A few callouts about groups, group members and role mappings:
- When you edit a group’s mapping and click “Save”, the mapping will only apply to new users added to the group. None of the existing group members will be re-mapped. If you’d like to re-map the existing members, you can do so from Okta by force syncing the group.
- You can always override a user’s role by changing their role on the user’s page of account management.
- Dscout define’s the role hierarchy as Admin (highest), Researcher, Contributor, Viewer (lowest).
- If a user belongs to more than one group, they will assume the highest mapped role.
- Dscout’s API will never downgrade a user’s role. For example, if a user has an Admin role and is then added to a group with a Viewer mapping, they will continue to be an Admin.
- Conversely, Dscout’s API will upgrade a user’s role. For example, if a user has a Viewer role and is added to a group with an Admin mapping, their role will change to Admin.
- The account owner’s role will never change.
- Once your account has exhausted its purchased seats for a certain type (if applicable), users will mapped to Viewer role.
Known issues/troubleshooting
If you have questions or difficulties with your Dscout + Okta SCIM integration, please contact our support team at help@dscout.com.
FAQs
After enabled SCIM, will all of my current users assigned to the application be migrated to Dscout?
No. Only users updated or added after SCIM is enabled are added.
I’m an existing customer and have already added many users in Dscout. How do I sync them with my identity provider?
In your identity provider, simply assign all relevant users to Dscout. If the user does not already exist in Dscout, their account will be provisioned. If the user was previously added manually in Dscout, this process with sync those records (please confirm that user’s email in your identity provider matches the user’s email on their existing Dscout account).
Will newly provisioned users receive a notification or invite from Dscout?
No. Dscout will not notify new users upon provisioning. We leave their notification in your hands after you’ve made any necessary adjustments to their role and/or added them to any workspaces or projects.
I deprovisioned a user from Dscout in my identity provider, but they are still showing up in Dscout.
Our SCIM API accepts “deactivation” requests from your identity provider, but we do not delete the user from your account. Instead, we mark them as “deprovisioned” and disallow the user from accessing Dscout. You (or your account owner) can login to Dscout once the user is deactivated and remove them.
How can I learn more about SCIM?
There are many good references on the internet. Here are a few: