Integrate with an IGA platform using SCIM

This topic describes how to integrate Privilege Cloud with an Identity Governance and Administration (IGA) platform using CyberArk Identity as a SCIM server. It is intended for organizations that use an identity governance solution alongside a privileged access management solution and want to implement a more centralized approach.

What is SCIM?

System for Cross-domain Identity Management (SCIM) is an HTTP-based protocol for managing identities across platforms. It is a common standard for automating the exchange of user identity information between identity domains or IT systems.

SCIM provides the ability to create a user account in one system and then have matching accounts created in additional systems the user needs to access.

To learn more about SCIM, see http://www.simplecloud.info/.

SCIM support in Privilege Cloud

Privilege Cloud supports SCIM and the SCIM PAM extension as a means to integrate with IGA platforms.

Managing identities and privilege separately as silos can pose many challenges including:

  • Lack of visibility

  • Loss of productivity

  • Potential security gaps

  • Difficulty in enforcing a unified access policy, consistent governance, and provisioning and authorization process

Integration between PAM and IGA solutions simplifies and automates user provisioning, lowers security risk, and provides a single source of privileged identity and access data.

Terminology

Different platforms use different terminology for the same entity type. The following table compares entity names in Privilege Cloud and SCIM.

Privilege Cloud        SCIM
---------------        ----
User                   User
Group                  Group
Safe                   Container
Safe member            Container permission
Account                Privileged Data

Solution scope

This integration enables you to do the following for each entity:

Users and groups

  • Create, edit, and delete users and groups in either Privilege Cloud or the IGA platform and have these users saved in Privilege Cloud.

Containers and container permissions

  • View containers and their permissions in the IGA platform, as well as Safes and their members in Privilege Cloud.

  • Create containers and add container permissions to the containers in the IGA platform.

    Safes and Safe members are automatically created in Privilege Cloud.

  • Add container permissions to an existing container.

    Members are automatically added to existing Safes in Privilege Cloud.

  • Delete container permissions from a container.

    Members are automatically deleted from the Safe in Privilege Cloud.

  • Delete a container along with its privileged data in the IGA platform.

    Before you can deprovision a Safe in Privilege Cloud, you first need to delete all the accounts that are associated with that Safe. Accounts have a default retention period of 7 days, so you can delete the Safe only after the retention period passes. You can edit the retention period when you create the Safe. Once the retention period is over, you can delete the Safe from Privilege Cloud.

Privileged data

  • Create, edit, and delete privileged data in the IGA platform and associate them with containers.

    Accounts are automatically created, edited, and deleted in Privilege Cloud.

These use cases are supported using the endpoints described in Supported endpoints.

The following diagram shows the information flow between the different platforms:

Supported endpoints

Privilege Cloud supports the following endpoints:

Area                     SCIM endpoints
----                     --------------
Containers               GET, POST, PUT, DELETE
Container permissions    GET, POST, PUT, DELETE
Privileged data          GET, POST, PUT, PATCH, DELETE
Users                    GET, POST, PUT, DELETE
Groups                   GET, POST, PUT, DELETE

For details on managing PAM objects with SCIM endpoints via CyberArk Identity, see Manage PAM objects with SCIM endpoints.
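As an added example (not CyberArk's code), the following Python builds the SCIM PAM-extension request bodies for the container, container permission and privileged data use cases listed under Solution scope, using the endpoint paths from the Supported endpoints table, and orders the deprovisioning calls so that the container DELETE waits for the account retention period described above. The schema URNs follow the SCIM PAM extension draft; the attribute names and paths are assumptions to verify against your CyberArk Identity tenant's SCIM schema.

```python
# Added example, not CyberArk's code. Schema URNs are taken from the SCIM PAM
# extension draft; attribute names and endpoint paths are assumptions to check
# against the CyberArk Identity tenant's /Schemas and /ResourceTypes responses.
from datetime import timedelta

PAM = "urn:ietf:params:scim:schemas:pam:1.0:"
RETENTION_DAYS = 7  # default account retention period stated on this page


def container_request(name, description=""):
    """Body for POST /Containers: becomes a Safe in Privilege Cloud."""
    return {"schemas": [PAM + "Container"], "name": name,
            "description": description}


def permission_request(container_name, user_name, rights):
    """Body for POST /ContainerPermissions: becomes a Safe member.
    Pass only the rights the member needs; duplicates are collapsed."""
    return {"schemas": [PAM + "ContainerPermission"],
            "container": {"value": container_name},
            "user": {"value": user_name},
            "rights": sorted(set(rights))}


def privileged_data_request(container_name, name, data_type="password"):
    """Body for POST /PrivilegedData: becomes an account stored in the Safe."""
    return {"schemas": [PAM + "PrivilegedData"], "name": name,
            "type": data_type, "container": {"value": container_name}}


def plan_deprovision(container_id, privileged_data_ids, now, data_deleted_at=None):
    """Order the DELETE calls for a container. The page states that a Safe can
    be deleted only after all of its accounts are deleted and their retention
    period (7 days by default) has passed, so the container DELETE is deferred.
    Returns a list of (action, target) tuples."""
    if data_deleted_at is None:
        # Phase 1: delete every piece of privileged data, then wait.
        steps = [("DELETE", f"/PrivilegedData/{pid}") for pid in privileged_data_ids]
        ready_at = now + timedelta(days=RETENTION_DAYS)
        steps.append(("WAIT_UNTIL", ready_at.isoformat()))
        return steps
    # Phase 2: the container may go only once retention has elapsed.
    ready_at = data_deleted_at + timedelta(days=RETENTION_DAYS)
    if now < ready_at:
        return [("WAIT_UNTIL", ready_at.isoformat())]
    return [("DELETE", f"/Containers/{container_id}")]
```

Run phase 1 once, record when the last PrivilegedData DELETE succeeded, and call plan_deprovision again with that timestamp as data_deleted_at to learn whether the container DELETE can be sent yet.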

Before you begin

If you intend on creating users in Privilege Cloud (as opposed to creating users in the IGA), you need the following:

Integration workflow


Configure CyberArk Identity

CyberArk Identity is the SCIM server, functioning as middleware in the Privilege Cloud-IGA integration. It communicates with the IGA (the SCIM client) using the SCIM protocol and relays information to Privilege Cloud using the Privilege Cloud REST APIs.

You must integrate CyberArk Identity with both Privilege Cloud and your IGA platform.

  1. Configure the SCIM server. For details, see SCIM client inbound configuration.

    Use the Login Name identity-privilege-integration-user$ when you create the user with access to the OAuth2 Client app.

  2. Create a Privilege Cloud OIDC app in CyberArk Identity. For details, see Configure the CyberArk Identity integration with Privilege Cloud.

    While performing this procedure, save the following information:

    • CyberArk Identity OpenID Connect Metadata URL

    • CyberArk Identity's OpenID Connect Client ID

    You need these parameters when you run the script, as described in Configure Privilege Cloud.

Configure Privilege Cloud

After you configure CyberArk Identity you need to run a script to complete the integration with Privilege Cloud.

To configure Privilege Cloud:

  1. Download the Configure SCIM in Privilege Cloud script from CyberArk Marketplace.

  2. In PowerShell, run the following command:

    .\SCIMConfiguration.ps1 -portalUrl [Privilege Cloud portal URL] -cyberArkIdentityMetadataUrl [CyberArk Identity Metadata URL] -cyberArkIdentityClientId [CyberArk Identity Client ID]

    Parameters:

    portalUrl
      The URL to your Privilege Cloud portal.
      Example: https://[put-your-subdomain-here].privilegecloud.cyberark.com/PasswordVault

    cyberArkIdentityMetadataUrl
      CyberArk Identity OpenID Connect Metadata URL.
      Example: https://<Identity-subdomain>/op/.well-known/openid-configuration
      This is the parameter you saved while configuring CyberArk Identity, as described in Configure CyberArk Identity.

    cyberArkIdentityClientId
      CyberArk Identity's OpenID Connect Client ID.
      This is the parameter you saved while configuring CyberArk Identity, as described in Configure CyberArk Identity.

  3. When prompted, enter your Privilege Cloud admin credentials.

Configure the IGA for PAM

Configure your IGA platform for PAM, according to the instructions of the IGA platform that you are using.

Migrate to the IGA platform

To support existing customers that want to replicate and use their data in the IGA system, an administrator must perform the following action for each Safe that should appear in the IGA system:

  • Add the identity-privilege-integration-user$ as a member with all Safe permissions (as a Safe owner).

Send requests to the CyberArk Identity SCIM server

To send requests to the CyberArk Identity SCIM server, see Manage PAM objects with SCIM endpoints.