Setting up SCIM

As an administrator, you use SCIM (System for Cross-domain Identity Management) to transfer user identity information from your identity domain to Challo automatically.

By using SCIM, you provision members of your organization from your identity management system: their identities are created in Challo and assigned roles without anyone having to invite them by hand.

Typically, you use SAML and SCIM together to provision the members and groups of your organization and to enable SSO for them. See also: Setting up SAML.

Challo associates the SCIM record, the SAML assertion and the Challo user record for each individual using the attribute mapping you specify. The mapping depends on your identity management system and organizational configuration, so the identifier you map to externalId for SCIM must be the same one your SAML configuration sends as the unique user identifier.

Provisioning Challo

As an administrator, to provision people from your identity management system so that they can use Challo:

  1. Follow your identity management system's documentation to connect it to Challo (see the provisioning guides below).
  2. When the identity management system asks for the Challo application connection details, enter the Challo SCIM endpoint URL and the SCIM token you generated in Challo (see Generating a SCIM token).
  3. Map your identity management system's attributes to the Challo SCIM attributes listed below. The source attributes are specific to each identity management system; the Challo attributes are the same for all of them.

Challo SCIM attributes

Challo accepts the following attributes. Those marked as required must be mapped; Challo applies the stated default when an optional attribute is not sent.

Profile field          | SCIM attribute                  | Attribute type            | Required
User name              | userName                        | String                    | yes
Challo active          | active                          | True or False             | no, defaults to True
Display name           | displayName                     | String                    | yes
Email address          | emails[type eq "work"].value    | String                    | yes
First or given name    | name.givenName                  | String                    | no
Family name or surname | name.familyName                 | String                    | no
Identity provider ID   | externalId                      | String                    | yes, the unique identifier from the identity provider
Challo role            | roles[primary eq "True"].value  | OWNER, ADMIN or STANDARD  | no, defaults to STANDARD

Provisioning guides

Challo provides SCIM integration for the following identity management systems: Microsoft Azure AD, Okta, OneLogin and PingFederate. Whichever you use, generate a SCIM token in Challo first; each guide below needs it.

Generating a SCIM token

  1. From your Challo menu, click Tenant settings.
  2. Click SCIM provisioning.
  3. Click Add.
  4. Enter a label to identify the connection, for example: Connection from AAD.
  5. Challo generates a SCIM token. You can view it only once, so copy it now and store it in your identity management system's secret store. Treat the token like a password: it authorizes every provisioning request against your Challo tenant.

Microsoft Azure AD

As an administrator, to provision Challo for Microsoft Azure AD:

  1. In your Azure portal, create a non-gallery enterprise application for Challo provisioning. See: Integrate your SCIM endpoint with Azure AD.
  2. Enter the Challo SCIM endpoint URL and the SCIM token you generated in Challo.
  3. Provide the following attribute mappings:

Microsoft Azure AD attribute                                  | Challo SCIM attribute
userPrincipalName                                             | userName
Switch([IsSoftDeleted], , "False", "True", "True", "False")   | active
userPrincipalName                                             | displayName
mail                                                          | emails[type eq "work"].value
givenName                                                     | name.givenName
surname                                                       | name.familyName
userPrincipalName                                             | externalId
SingleAppRoleAssignment([appRoleAssignments])                 | roles[primary eq "True"].value

Important: The externalId mapping has to use the same source attribute as the SAML Unique User Identifier, otherwise Challo cannot match the SCIM-provisioned record to the user who signs in with SAML.
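To make the two tables concrete, the following added example (not Challo's or Microsoft's code) applies the Azure AD mapping above to constructed directory records, including the Switch() expression for active and a single app role assignment, and then checks the resulting SCIM User against the Challo attribute requirements, applying the page's defaults (active True, role STANDARD). The directory records are constructed sample data, and the assumption that SingleAppRoleAssignment picks the first assignment when several exist is the example's own.

```python
import re

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Challo attribute table: required paths, and optional paths with their defaults
CHALLO_REQUIRED = ["userName", "displayName", 'emails[type eq "work"].value', "externalId"]
CHALLO_DEFAULTS = {"active": True, 'roles[primary eq "True"].value': "STANDARD"}
CHALLO_ROLES = {"OWNER", "ADMIN", "STANDARD"}

_FILTER_SEGMENT = re.compile(r'^(\w+)\[(\w+) eq "([^"]*)"\]$')


def resolve_path(user, path):
    """Resolve a SCIM attribute path (name.givenName, emails[type eq "work"].value)
    against a SCIM User dict. Returns None when nothing matches."""
    current = user
    for segment in path.split("."):
        filt = _FILTER_SEGMENT.match(segment)
        if filt:
            attr, sub_attr, wanted = filt.groups()
            items = current.get(attr) if isinstance(current, dict) else None
            if not isinstance(items, list):
                return None
            # str() so that a boolean primary=True matches the "True" in the filter
            hits = [item for item in items if str(item.get(sub_attr)) == wanted]
            if not hits:
                return None
            current = hits[0]
        elif isinstance(current, dict) and segment in current:
            current = current[segment]
        else:
            return None
    return current


def check_challo_user(user):
    """Return (problems, resolved): problems lists missing required attributes and
    invalid role values; resolved holds what Challo will see after its defaults."""
    problems, resolved = [], {}
    for path in CHALLO_REQUIRED:
        value = resolve_path(user, path)
        if value in (None, ""):
            problems.append(f"missing required attribute {path}")
        resolved[path] = value
    for path, default in CHALLO_DEFAULTS.items():
        value = resolve_path(user, path)
        resolved[path] = default if value is None else value
    role = resolved['roles[primary eq "True"].value']
    if role not in CHALLO_ROLES:
        problems.append(f"role {role!r} is not one of {sorted(CHALLO_ROLES)}")
    return problems, resolved


def active_from_is_soft_deleted(is_soft_deleted):
    """Switch([IsSoftDeleted], , "False", "True", "True", "False"): Azure AD supplies
    IsSoftDeleted as the string "True"/"False". A soft-deleted account becomes
    active=False, a live one active=True; any other value hits the empty default."""
    return {"False": True, "True": False}.get(str(is_soft_deleted))


def azure_to_challo_scim(aad_user):
    """Apply the Azure AD -> Challo attribute mapping table to one directory record."""
    upn = aad_user["userPrincipalName"]
    assignments = aad_user.get("appRoleAssignments", [])
    # SingleAppRoleAssignment sends one role; assumed here to be the first assignment
    roles = [{"primary": True, "value": assignments[0]}] if assignments else []
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": upn,
        "displayName": upn,
        "externalId": upn,  # same attribute as the SAML Unique User Identifier
        "active": active_from_is_soft_deleted(aad_user.get("IsSoftDeleted", "False")),
        "emails": [{"type": "work", "primary": True, "value": aad_user.get("mail", "")}],
        "name": {"givenName": aad_user.get("givenName"), "familyName": aad_user.get("surname")},
        "roles": roles,
    }


# Constructed sample records, not real directory data
SAMPLE_AAD_USERS = [
    {"userPrincipalName": "ada@example.com", "mail": "ada@example.com", "givenName": "Ada",
     "surname": "Lovelace", "IsSoftDeleted": "False", "appRoleAssignments": ["ADMIN"]},
    {"userPrincipalName": "bob@example.com", "mail": "bob@example.com", "givenName": "Bob",
     "surname": "Builder", "IsSoftDeleted": "True", "appRoleAssignments": []},
    {"userPrincipalName": "eve@example.com", "mail": "", "givenName": "Eve",
     "surname": "", "IsSoftDeleted": "False", "appRoleAssignments": ["SUPERUSER"]},
]


def provision_report():
    """Map every sample record and check it: {userPrincipalName: (problems, resolved)}."""
    return {u["userPrincipalName"]: check_challo_user(azure_to_challo_scim(u))
            for u in SAMPLE_AAD_USERS}


if __name__ == "__main__":
    for upn, (problems, resolved) in provision_report().items():
        print(upn, "OK" if not problems else problems,
              "active:", resolved["active"], "role:", resolved['roles[primary eq "True"].value'])
```

Running it shows the three outcomes a practitioner should expect before enabling provisioning: a user with an app role assignment arrives as ADMIN, a soft-deleted user is deactivated rather than deleted, and a user with no mail attribute or with an app role whose name is not one of OWNER, ADMIN or STANDARD is rejected. The second record also shows why unassigned administrators are at risk: with no app role, the resolved role falls back to STANDARD.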

If you want to assign Challo roles from Microsoft Azure AD, you have to add the Challo roles as app roles to your application definition. See: Add app roles and get them from a token.

For example, this manifest fragment defines the three Challo application roles, STANDARD, ADMIN and OWNER:

"appRoles": [{
    "allowedMemberTypes": ["User"],
    "description": "STANDARD",
    "displayName": "STANDARD",
    "id": "ccc32650-8ee3-47d0-a5b7-fe8fcde90d19",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "value": null
},
{
    "allowedMemberTypes": ["User"],
    "description": "ADMIN",
    "displayName": "ADMIN",
    "id": "aa3aa483-5fe7-4585-b068-58fb8df4af6e",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "value": null
},
{
    "allowedMemberTypes": ["User"],
    "description": "OWNER",
    "displayName": "OWNER",
    "id": "e5d16b85-a820-4b12-a79f-d5015a838164",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "value": null
}]

Important: When provisioning runs, the Challo role of every provisioned user, administrators included, is overwritten with the app role assigned in Azure AD, or with STANDARD when no app role is assigned. An administrator who has no ADMIN or OWNER app role assignment can therefore be downgraded and lose access to Tenant settings in Challo. Assign the app roles to your administrators before you enable provisioning.

Okta

As an administrator, to provision Challo for Okta:

  1. Follow the Okta provisioning guide. See: Connect your SCIM service with a new Okta integration.
  2. Provide the following attribute mappings:

Okta attribute                  | Challo field   | Challo SCIM attribute
Configured in Sign On settings  | Username       | userName
user.firstName                  | Given name     | givenName
user.lastName                   | Family name    | familyName
user.email                      | Primary email  | email
user.email                      | Display name   | displayName
("STANDARD")                    | Role           | roles

OneLogin

As an administrator, to provision Challo for OneLogin:

  1. Follow the OneLogin provisioning guide. See: Creating a SCIM App.
  2. Use the following SCIM JSON template. It sends no active or roles attribute, so Challo applies its defaults (active True, role STANDARD) to every user provisioned from OneLogin:
{
    "schemas": [ 
        "urn:ietf:params:scim:schemas:core:2.0:User" 
    ],
    "userName": "{$user.email}",
    "externalId": "{$user.email}",
    "name": {
        "givenName": "{$user.firstname}",
        "familyName": "{$user.lastname}"
    },
    "displayName": "{$user.email}"
}

PingFederate

As an administrator, to provision Challo for PingFederate:

  1. Follow the PingFederate provisioning guide. See: Define a provisioning target.
  2. For the Authentication Method, select Basic:
     Set the username to: scim
     Set the password to: the Challo SCIM token you generated.
     With Basic authentication the token travels base64-encoded in the Authorization header of every request, so the provisioning target URL must use HTTPS.
  3. Provide the following attribute mappings:

PingFederate field name  | LDAP source attribute
Username                 | sAMAccountName
Family name              | sn
Given name               | givenName
Middle name              | middleName
Honorific suffix         | generationQualifier
Title                    | title
Email                    | mail
Phone number             | telephoneNumber