Provisioning
Overview
SCIM (System for Cross-domain Identity Management) is an open standard protocol for managing user identity information. It defines a schema for representing users and groups and a RESTful API for CRUD (Create, Read, Update, Delete) operations on those user and group resources. By integrating with the account systems used within an organization, QueryPie receives user and group attributes and statuses in real time as they are updated in the account system.
User Management via SCIM Synchronization
In QueryPie, the user source of truth is defined based on a field called Auth Provider. This Auth Provider follows the external account system type set in Administrator > General > User Management > Authentication.
Because a typical SCIM integration API cannot identify the principal, a user created through the SCIM API takes its Auth Provider from the configured Authentication Type. For smoother account flow management, it is therefore recommended to complete the Authentication step first. The system operates as follows:
When Authentication is Not Configured (Default: Internal Database)
The Auth Provider for users or groups created via the SCIM API is set to “QueryPie”, and the operation behaves like a typical bulk import.
These users are managed just like local QueryPie accounts, so they can be edited and deleted within QueryPie.
When Authentication is Configured (e.g., Okta)
The Auth Provider for users or groups created via the SCIM API is marked as the respective Identity Provider (IdP), and user attribute profiles are updated and managed according to Administrator > General > User Management > Profile Editor.
If an existing local QueryPie account has the same Username (loginId) as the user updated via the SCIM API, the user's profile will be modified to match the IdP. However, to maintain permissions granted within QueryPie, the Auth Provider will not change to the IdP at this point (as of version 9.19.0).
Like local QueryPie accounts, these accounts can be managed locally for profile editing, status updates, and account deletion within QueryPie.
For consistency, it is recommended that user lifecycle management be conducted through the IdP.
Synchronized users cannot be changed or deleted within QueryPie.
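A pre-flight check for the Username collision case described above, as an added example that is not QueryPie code: it predicts the Auth Provider each SCIM user would receive and lists the local accounts whose profiles would be overwritten while staying Auth Provider "QueryPie". The local export layout, the sample data and the case-insensitive loginId matching are assumptions; "Okta" is the IdP from the page's example.

```python
import json

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643 core User schema

# Constructed sample data. The local export layout is hypothetical.
LOCAL_ACCOUNTS = [
    {"loginId": "alice", "authProvider": "QueryPie"},
    {"loginId": "ops-admin", "authProvider": "QueryPie"},
]
SCIM_USERS = json.loads("""[
  {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"], "userName": "Alice", "active": true},
  {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"], "userName": "bob", "active": true},
  {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"], "displayName": "dba"}
]""")


def plan_auth_providers(local_accounts, scim_resources, idp=None):
    """Predict the Auth Provider of each SCIM user, following the rules on this page.

    idp is None when Authentication is not configured, else the IdP name.
    Returns {userName: {"auth_provider": str, "overwrites_local": bool}}.
    """
    # Assumption: loginId matching ignores case (SCIM userName is caseExact=false).
    local = {a["loginId"].casefold() for a in local_accounts
             if a["authProvider"] == "QueryPie"}
    plan = {}
    for res in scim_resources:
        if SCIM_USER not in res.get("schemas", []):
            continue  # Groups and other resource types are out of scope here
        name = res["userName"]
        collides = idp is not None and name.casefold() in local
        # Not configured -> "QueryPie"; configured -> IdP, except a matching
        # local account keeps "QueryPie" while its profile follows the IdP.
        provider = "QueryPie" if idp is None or collides else idp
        plan[name] = {"auth_provider": provider, "overwrites_local": collides}
    return plan


def accounts_to_review(plan):
    """Users whose profile changes but who stay locally managed in QueryPie."""
    return sorted(n for n, p in plan.items() if p["overwrites_local"])


if __name__ == "__main__":
    plan = plan_auth_providers(LOCAL_ACCOUNTS, SCIM_USERS, idp="Okta")
    for user in accounts_to_review(plan):
        print(f"review before sync: {user} (stays Auth Provider=QueryPie)")
```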