Configure the SCIM server
This topic describes how to configure an OAuth2 client app to access the SCIM server using the appropriate administrative rights and scopes. Reasons to send requests to the SCIM server include managing users and groups (inbound provisioning) and creating PAM objects in CyberArk Privilege Cloud.
SCIM server overview
To send requests to the CyberArk Identity SCIM server, you need a user with access to an OAuth2 client app. Once this is established, the user authenticates to the OAuth2 client app to obtain a bearer token, and that token authenticates each REST request to the SCIM server when it is sent in the Authorization header.
This allows third-party applications to manage objects through the SCIM server using HTTP requests such as GET, POST, and PUT. Which requests are supported depends on the object. Supported objects are:
- Users
- Groups
- PAM objects
Create a SCIM user
Create a user that is an OAuth confidential client so that it can authenticate to the OAuth2 client app. Because this user's login name and password are the credentials the client app authenticates with (see Create a bearer token below), use a dedicated service account with a strong password rather than a human administrator's account.
- Log in to the Admin Portal with an administrative account.
- Navigate to Core Services > Users > Add User.
- Give your user a login name, display name, and password.
- In the Status section of the account information page, select Is OAuth confidential client to mark the user as an OAuth client, and then click Create User.
Create a role for the SCIM user
Create a new role for the SCIM user you just created. You will later deploy the OAuth2 client app to this role.
- Navigate to Core Services > Roles > Add Role.
- Enter a suitable name for the SCIM role (for example, SCIM client) and save the role. Remember the name of the role because you will need it later.
- On the Administrative Rights page, add only the administrative rights the client app needs for its intended use.
For example, add the Role Management or User Management right to allow users in this role to read and manage objects, or add the Vault Management right to allow users in this role to read and manage PAM objects in CyberArk Privilege Cloud or PAM. Do not combine Vault Management with any other management right in this role: the other right overrides the Vault component, and the client will not be able to view any Vault objects.
- Navigate to the Members page, and click Add to add a new member to the role. Then type the username you created previously to find your user.
- After adding your user, click Save.
Add and configure the OAuth2 client application
- Log in to the Admin Portal with administrative credentials.
- Navigate to Web Apps > Add Web Apps > Custom, and then click Add next to OAuth2 client.
- Give your application a distinctive application ID, and personalize it with a description and, optionally, a logo.
- On the General Usage page, make sure that the Client ID type is Confidential, Must be OAuth Client (users with the OAuth role can access the application).
- On the Tokens page, select Client Creds.
- On the Scope page, click Add to add a new scope, and enter a name for the scope.
- Under Allowed Rest APIs, click Add and then enter scim* in the REST Regex field. This pattern limits what a token carrying the scope can call to the SCIM endpoints; keep it that narrow rather than widening it to a catch-all pattern.
- Navigate to the Permissions page. Add the role you created and click Save.
The application is now deployed.
Create a bearer token
Copy the bearer token so you can authenticate to the app when you test the endpoints.
- On the OAuth2 client app, select Actions > Create Bearer Token and enter the OAuth 2.0 client user information. This is the login name and password of the SCIM user you configured previously.
- Copy the bearer token that is listed. If you lose the token, you will need to recreate it. Include the bearer token in REST requests to authenticate your access to the SCIM endpoints. Treat the token as a secret: anyone holding it has the full rights of the SCIM role, so store it in a secrets manager rather than in scripts or tickets.
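The following script is an added example, not code from CyberArk or from this page. It does programmatically what the Create Bearer Token action does in the portal: it obtains a token from the OAuth2 client app with the client-credentials grant, using the SCIM user's login name and password as client ID and secret, checks locally that the token carries the SCIM scope and has not expired, and then pages through the SCIM Users endpoint with it. The tenant URL, the application ID, the scope name "scim", the token endpoint form /oauth2/token/<app id>, the SCIM base path /scim/v2 and the JWT shape of the bearer token are all assumptions to be checked against your tenant; the sample JWT and the sample ListResponse are constructed for offline use.

```python
# Added example, not CyberArk's code. Placeholders/assumptions: tenant URL, app ID,
# scope name "scim", token endpoint /oauth2/token/<app id>, SCIM base path /scim/v2,
# and a JWT-shaped bearer token whose payload carries "scope" and "exp".
import base64
import json
import os
import time
import urllib.parse
import urllib.request

TENANT = os.environ.get("CYBERARK_TENANT", "https://example.my.idaptive.app")  # placeholder
APP_ID = os.environ.get("CYBERARK_APP_ID", "scim-client")  # OAuth2 client app ID (placeholder)
SCOPE = "scim"  # name of the scope created on the Scope page (placeholder)

def build_token_request(tenant, app_id, client_id, client_secret, scope):
    """(url, headers, body) for a client-credentials token request. The SCIM user's
    login name and password are client_id/client_secret and travel in an HTTP Basic
    header, never in the URL or query string."""
    url = f"{tenant.rstrip('/')}/oauth2/token/{app_id}"
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope})

def request_token(tenant, app_id, client_id, client_secret, scope):
    """POST the token request and return access_token (needs network access)."""
    url, headers, body = build_token_request(tenant, app_id, client_id, client_secret, scope)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())["access_token"]

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature: a local sanity check only.
    The SCIM server is what validates the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))

def token_is_usable(token, scope, now=None):
    """True if the token carries the SCIM scope and has not expired."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    return scope in str(claims.get("scope", "")).split() and claims.get("exp", 0) > now

def scim_get(tenant, token, path, params=None):
    """GET a SCIM resource with the bearer token (needs network access)."""
    url = f"{tenant.rstrip('/')}/scim/v2/{path.lstrip('/')}"
    if params:
        url += "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}",
                                               "Accept": "application/scim+json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())

def parse_list_response(doc):
    """(totalResults, next startIndex or None, Resources) from a SCIM ListResponse
    (RFC 7644 section 3.4.2), so the caller can page through large result sets."""
    total = int(doc.get("totalResults", 0))
    start = int(doc.get("startIndex", 1))
    resources = doc.get("Resources", [])
    per_page = int(doc.get("itemsPerPage", len(resources)))
    next_start = start + per_page if resources and start + per_page <= total else None
    return total, next_start, resources

def make_sample_jwt(claims):
    """Constructed, unsigned JWT for offline use only (the signature part is a dummy)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.dummy"

# Constructed SCIM ListResponse: first page (two per page) of three users.
SAMPLE_LIST = {"totalResults": 3, "startIndex": 1, "itemsPerPage": 2,
               "Resources": [{"id": "u1", "userName": "alice@example.com"},
                             {"id": "u2", "userName": "bob@example.com"}]}

if __name__ == "__main__":
    client_id, secret = os.environ.get("SCIM_USER"), os.environ.get("SCIM_PASSWORD")
    if client_id and secret:  # live run: mint a token, then page through /scim/v2/Users
        tok = request_token(TENANT, APP_ID, client_id, secret, SCOPE)
        if not token_is_usable(tok, SCOPE):
            raise SystemExit("token lacks the SCIM scope or is already expired")
        start = 1
        while start:
            total, start, users = parse_list_response(
                scim_get(TENANT, tok, "Users", {"startIndex": start, "count": 100}))
            print(f"fetched {len(users)} of {total} users")
    else:  # offline demonstration on constructed data
        tok = make_sample_jwt({"scope": SCOPE, "exp": int(time.time()) + 600})
        print("token usable:", token_is_usable(tok, SCOPE))
        print("page:", parse_list_response(SAMPLE_LIST))
```

Run it with SCIM_USER and SCIM_PASSWORD set (and CYBERARK_TENANT / CYBERARK_APP_ID pointing at your tenant and app) to mint a fresh token on each run instead of copying one from the portal; without those variables it only exercises the parsing and token checks on the constructed data. The scope and expiry check is deliberately done before the first SCIM call so that a token minted with the wrong scope fails loudly here rather than as an opaque 401 or 403 from the server.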
For information on how to configure the CyberArk Identity integration with PAM, see Manage privileged objects in CyberArk PAM - Self-Hosted.