Managing Users and Teams with SCIM

Configuring SCIM for your Sigma organization will allow you to centralize management of users and teams through an Identity Provider (IdP). 

This guide introduces SCIM and walks you through configuring it for your Sigma organization. The configuration instructions in this document are not IdP-specific and can be applied across multiple IdPs (e.g. Okta, Azure, etc.).

If you are using Okta, we recommend following our Okta-specific instructions.
If you are using Azure, we recommend following our Azure-specific instructions.

Summary of Content

Requirements
Understanding SCIM
    What is SCIM?
    SCIM with Sigma and your IdP
    SCIM with SAML
What to Expect when Transitioning to SCIM
    Will I be able to edit users and teams in Sigma?
    What will happen to my existing users and teams?
Configuration Instructions
    [Prerequisite] Setup Authentication
    [Step 1] Enable Provisioning in Sigma
    [Step 2] Enable Provisioning in your IdP
    [Step 3] Add Users and Push Groups/Teams
Troubleshooting Tips
Limitations
Related Resources

Requirements

  • You must be an organization Admin in Sigma to initiate provisioning.
  • Your Sigma organization should already be authenticated with your IdP using SAML.
    Note: This feature does not work with the "Password", "SAML or password", or "OAuth" authentication methods.

Understanding SCIM

What is SCIM?

The “System for Cross-domain Identity Management”, better known by its acronym SCIM, is a standard for the automation of user and group provisioning between a service provider, in this case Sigma, and an identity provider (IdP).

SCIM with Sigma and your IdP

Configuring SCIM for your organization will allow you to create and manage users and groups in your IdP and automatically push them to your Sigma organization as users and teams.

Once SCIM provisioning is enabled for both services, all management of users and teams must be done through your IdP. While not directly editable in Sigma, both will be displayed in your Sigma Admin Portal.

SCIM with SAML

Before you can configure SCIM for your organization, you will need to enable SAML authentication in your IdP and Sigma. 

SAML allows Single Sign On (SSO) and management of users. However, syncing new users and updates between your IdP and Sigma is not automatic; the user must log into Sigma for the update to carry over. When you add SCIM to your SAML configuration, you will gain the ability to manage Sigma teams from your IdP, and both user and group/team data in your IdP will automatically be pushed to your Sigma organization, regardless of user login. 

What to Expect when Transitioning to SCIM

Are you considering transitioning to SCIM after already creating users and teams in Sigma? This section will discuss what to expect when you transition.

Will I be able to edit users and teams in Sigma?

All management of users and teams must be done through your IdP. While not directly editable in Sigma, both will be displayed in your Sigma Admin Portal.

What will happen to my existing users and teams?

Existing users and teams will remain in Sigma. However, they will no longer be editable through the Sigma Admin Portal.

Users: Your IdP may allow you to link to an existing user with the same email address in Sigma. No work will be lost, and Admin management of that user can then be maintained through your IdP. Alternatively, you may be able to import users from Sigma into your IdP. 

User Account Types: If you switch management of a user originally created in Sigma over to your IdP, Sigma will automatically respect the account type defined in the IdP, regardless of what was originally set in Sigma.

Teams: Your IdP may allow you to link a group in your IdP to an existing team in Sigma. No work will be lost, and Admin management of that group/team can then be maintained through your IdP.

Configuration Instructions

[Prerequisite] Setup Authentication

If you have not already, connect your IdP to Sigma using SAML for authentication (see Single Sign On with SAML under Related Resources).

[Step 1] Enable Provisioning in Sigma

  1. Log into Sigma as an organization Admin.
  2. Open your Sigma Admin Portal.
  3. In the left panel, click Authentication to open your organization’s Authentication page.
    Note: If you have not yet configured SAML, please do so now using the "SAML or password" authentication method (see Single Sign On with SAML under Related Resources).
  4. If your authentication method is set to "SAML or password", change it to SAML only.
  5. Click the Set up button under Role and Team Provisioning to open the Provisioning modal.
    Note: This section is only visible if your Authentication method is SAML (not "SAML or password").
  6. Read through the notes provided in the Getting Started section of the Provisioning modal. Check the confirmation box, and click Next to continue.
  7. You will now be asked to create a token to authenticate your integration with your IdP. Enter a token name, then click Next.
  8. Sigma will provide you with a Bearer Token and a Directory Base URL. Copy and store these values in a secure location; the token is shown only here and grants your IdP write access to your organization’s users and teams. You will use both values when completing the integration with your IdP.
  9. Click Done.

[Step 2] Enable Provisioning in your IdP

Next, you will need to configure provisioning in your IdP. This process varies depending on your IdP. If you’re using Okta, follow Sigma’s Okta-specific configuration instructions. If your company uses a different IdP, follow that IdP’s instructions for setting up SCIM provisioning.

Regardless of your IdP, you will need the Bearer Token that was generated when you enabled provisioning in Sigma. If you are using an IdP other than Okta, you will also need to provide your Sigma-generated Directory Base URL.

[Step 3] Add Users and Push Groups/Teams

Once provisioning is enabled, you can begin managing users and groups/teams from your IdP and pushing these updates to Sigma. Refer to your IdP’s instructions for guidance, or if you use Okta, visit our guides to add users and push groups/teams.

Management of users and teams from the Sigma Admin Portal will no longer be available. 

Troubleshooting Tips

Please reach out to Sigma Support with any questions during your configuration process.

(1) I assigned a new user to the Sigma application in my IdP, but their account has not shown up in Sigma. What should I do?

Provisioning users and groups may take a few moments. If provisioning is taking longer than expected, we recommend checking your IdP’s provisioning status page, if available. If the user was assigned before provisioning was configured, you may need to unassign and re-assign the user.

(2) The Admin who originally set up our provisioning has left or taken on a new role (account deactivated, unassigned, or account type changed). Now we’re hitting errors when attempting to push data from our IdP to Sigma. What happened?

Provisioning is associated with the Sigma Admin who originally set up provisioning in Sigma. If you wish to remove or update this user’s account type, you will also need to remove and re-enable provisioning in Sigma with a new Admin user. This will generate a new bearer token. Provide your IdP with the updated bearer token, and rerun any provisioning tasks that might have failed.

(3) Can I change a user’s user name?

This action is not recommended. Changing a user’s username will result in the creation of a new account in Sigma. It will not update the existing user’s username. 
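The exchange that Step 3 sets in motion, together with the two failure modes in tips (2) and (3) above, modelled offline as an added example that is neither Sigma’s code nor its API: the /Users and /Groups paths and the PatchOp body are the SCIM 2.0 standard (RFC 7643/7644), while the base URL, the token and the in-memory server’s behaviour are assumptions constructed for the illustration.

```python
import uuid
from urllib.parse import urlparse

USER = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"
PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

class ServiceProvider:
    """In-memory stand-in for the SCIM-serving side (Sigma's role): checks the bearer
    token on every call and keys accounts on userName (troubleshooting tips 2 and 3)."""

    def __init__(self, token):
        self.token, self.users, self.groups = token, {}, {}

    def handle(self, method, path, headers, body):
        if headers.get("Authorization") != f"Bearer {self.token}":
            return 401, {"detail": "bearer token invalid or rotated"}  # tip 2
        if method == "POST" and path == "/Users":
            uid = str(uuid.uuid4())
            self.users[uid] = dict(body, id=uid)  # a changed userName lands here as a new account
            return 201, self.users[uid]
        if method == "PATCH" and path.startswith("/Users/"):
            if (user := self.users.get(path.rsplit("/", 1)[-1])) is None:
                return 404, {}
            for op in body["Operations"]:  # RFC 7644 PatchOp: replace one attribute
                user[op["path"]] = op["value"]
            return 200, user
        if method == "POST" and path == "/Groups":
            gid = str(uuid.uuid4())
            self.groups[gid] = dict(body, id=gid)
            return 201, self.groups[gid]
        return 404, {}

class IdP:  # builds the requests an IdP pushes once provisioning is enabled on both sides
    def __init__(self, base_url, token, server):
        if urlparse(base_url).scheme != "https":  # the token rides in every request
            raise ValueError("Directory Base URL must use https")
        self.server, self.hdr = server, {"Authorization": f"Bearer {token}"}

    def push_user(self, username, active=True):
        body = {"schemas": [USER], "userName": username, "active": active}
        return self.server.handle("POST", "/Users", self.hdr, body)

    def deactivate(self, uid):  # deprovisioning is a PATCH of "active", not a DELETE
        ops = [{"op": "replace", "path": "active", "value": False}]
        return self.server.handle("PATCH", f"/Users/{uid}", self.hdr, {"schemas": [PATCH], "Operations": ops})

    def push_group(self, name, member_ids):
        body = {"schemas": [GROUP], "displayName": name, "members": [{"value": m} for m in member_ids]}
        return self.server.handle("POST", "/Groups", self.hdr, body)
```

Pushing a second user whose userName differs from the first yields two accounts, and a request carrying a token that has since been re-generated is refused with 401, which is what tips (2) and (3) describe.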

Limitations

  • Importing groups to an IdP from Sigma teams is currently unsupported.

  • Sigma cannot guarantee that SCIM provisioning will work with any IdP. If you have questions about using a specific IdP with Sigma, please contact Sigma Support. 

Related Resources

Manage Users and Teams with SCIM and Okta
Configure [Azure and] Sigma Computing for automatic user provisioning (Azure documentation)
Single Sign On with SAML