How to configure SCIM

User provisioning lets you automatically provision users from your Identity Provider to Sana through the SCIM v2 API.

Written by Bianca Wetter
Updated over a week ago

This tutorial describes the steps you need to perform in both Sana and your identity provider to configure automatic user provisioning.

The Sana SCIM API currently works one way only: Sana receives updates from the Identity Provider and does not push updates back to the Identity Provider.

Sana SCIM API supports:

  • Push new users

  • Push Profile Updates

  • Push User Activation / Deactivation

  • Push Groups

Step-by-Step Guide for Okta

  1. First of all, make sure that you have configured SSO with Sana properly. To do that, follow this guide

  2. Go to the Applications page and click the Sana app that you previously configured with SSO

  3. On the General tab, click the Edit button in App Settings, select “Enable SCIM provisioning” and save the changes.

  4. Go to your Sana app in a new browser tab, click the Manage tab and find the API submenu. You will need to create a new API client to be used as the authentication method in the next steps, so click “Add Client” to create a new client.

  • Fill in the name and description

  • You will get a Client ID and Client Secret.

  • You will use these values in the next step to set up SCIM authentication

  5. Go back to Okta, click the Provisioning tab and press the Edit button in the SCIM Connection settings.

  • Change SCIM connector base URL to https://DOMAIN.sana.ai/scim/v2 where “DOMAIN” is your actual domain at Sana.

  • Change Unique identifier field for users to “userName”

  • Mark the following supported provisioning actions:

    • Push New Users

    • Push Profile Updates

    • Push Groups

  • Select “BasicAuth” as the Authentication Mode and use Sana Client ID as the Username and Sana Client Secret as the Password in the Basic Auth settings

When all the configuration is complete the screen should look as follows:

  6. Test the Connector Configuration. If everything is set up correctly, you should get a successful result that looks as follows:

7. In the To App section, you have the option to enable “Create Users”, “Update User Attributes”, “Deactivate Users”. Enable these depending on how you want to use Sana.

Attributes

Sana by default supports the following attributes on the User object. These are part of SCIM's Enterprise User Schema "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User".

  • userName

  • givenName

  • familyName

  • userType

  • employeeNumber

  • costCenter

  • organization

  • division

  • department

  • manager.value

The manager.value attribute allows you to see reporting hierarchies directly in Sana. In order for this to work, you need to map the respective user's manager email to that attribute in Okta.

You can add more attributes in Sana than the ones listed above. Provide your Sana account representatives with the custom attributes you want to use. Continue reading to learn how to configure them.

Configuring Attributes for Sana app in Okta

From the main menu on Okta, go to Directory → Profile Editor. Select the Sana App User profile and edit the attributes here to make sure you are only sending the data you want to send to Sana.

If you want to add additional attributes, click the “Add Attribute” button and add here all the attributes that you added to Sana in the previous step. Sana custom attributes always have the following namespace: “urn:ietf:params:scim:schemas:extension:SanaLabs:2.0:CustomAttributes”

💡 Remember that you have to agree on the custom attribute names with your Sana representative.

Here is an example custom attribute:

The last thing to do is to configure how the custom fields are mapped. To do that, go to the Sana Application, click the Provisioning tab and scroll down to Sana App attribute mappings.

Here, click the edit button for each attribute whose values you want to send to Sana, and select the source of information.

When all is set, you can go to your Sana account at DOMAIN.sana.ai, go to Manage, click the Users tab and see that all users are synced and all the right attributes are in place for the user.
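To check that only the intended data leaves the IdP, the sketch below audits a SCIM User resource against the default attributes listed above plus the custom attributes agreed with Sana. It is an added example, not Sana or Okta code: the attribute paths follow RFC 7643 (userName, name.* and userType on the core User, the rest in the enterprise extension), and the sample user, the custom attribute names and the helper names are constructed for illustration.

```python
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
SANA_CUSTOM = "urn:ietf:params:scim:schemas:extension:SanaLabs:2.0:CustomAttributes"
# Default attributes listed above, at the paths RFC 7643 gives them.
CORE_ALLOWED = {"userName", "name.givenName", "name.familyName", "userType"}
ENTERPRISE_ALLOWED = {"employeeNumber", "costCenter", "organization",
                      "division", "department", "manager.value"}
PROTOCOL_FIELDS = {"schemas", "id", "externalId", "meta", "active"}  # "active" = (de)activation

def flatten(obj, prefix=""):
    """Yield dotted leaf paths of a nested dict; a list counts as one leaf."""
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            yield from flatten(value, path)
        else:
            yield path

def audit_user(resource, agreed_custom):
    """Return sorted attribute paths that are outside the allowlist."""
    findings = []
    for key, value in resource.items():
        if key in PROTOCOL_FIELDS:
            continue
        if key == ENTERPRISE:
            allowed, label = ENTERPRISE_ALLOWED, "enterprise:"
        elif key == SANA_CUSTOM:
            allowed, label = set(agreed_custom), "custom:"
        elif key.startswith("urn:"):
            findings.append(key)  # an extension schema nobody agreed on
            continue
        else:
            allowed, label, value = CORE_ALLOWED, "", {key: value}
        findings += [label + p for p in flatten(value) if p not in allowed]
    return sorted(findings)

# Constructed sample of what an IdP might send; not real data.
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", ENTERPRISE, SANA_CUSTOM],
    "userName": "ada@example.com",
    "name": {"givenName": "Ada", "familyName": "Example", "middleName": "Q"},
    "userType": "Employee", "active": True,
    "emails": [{"value": "ada@example.com", "primary": True}],
    ENTERPRISE: {"department": "Finance",
                 "manager": {"value": "lead@example.com", "displayName": "Lea Lead"}},
    SANA_CUSTOM: {"officeLocation": "Stockholm", "salaryBand": "B3"},
}

if __name__ == "__main__":
    print(audit_user(SAMPLE_USER, agreed_custom={"officeLocation"}))
```

Each path it reports is an attribute to unmap in the Profile Editor or to agree on with your Sana representative.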

Step-by-Step Guide for Azure

1. First of all, make sure that you have configured SSO with Sana properly. To do that, follow this guide.

2. Go to your Sana app in a new browser tab, click the Manage tab and find the API submenu. You will need to create a new API client to be used as the authentication method for SCIM. Make sure to create a new client for SCIM, and do not use an existing one. To do so, click “Add Key” to create a new key.

  • Fill in the name and description

  • You will get a Client ID and Client Secret. These will not be used in Azure.

  • Press the "Generate new SCIM token" button.

  • This will generate a SCIM Token which is valid for one year. You will use this value when setting up SCIM authentication.

3. Go back to Azure to the Provisioning tab.

  • Enter https://DOMAIN.sana.ai/scim/v2/ in the Tenant URL field, where DOMAIN is your actual domain at Sana.

  • Enter the SCIM Token from the previous step in the Secret Token field

  • Press the “Test Connection” button to verify that the connection is set up correctly.

Attributes

Sana by default supports the following attributes on the User object. These are part of SCIM's Enterprise User Schema (urn:ietf:params:scim:schemas:extension:enterprise:2.0:User).

  • userName

  • givenName

  • familyName

  • userType

  • employeeNumber

  • costCenter

  • organization

  • division

  • department

  • manager

You can add more attributes in Sana than the ones listed above. Provide your Sana account representatives with the custom attributes you want to use. All custom attributes have value type “String” at Sana. Continue reading to learn how to configure them.

Configuring Attributes for Sana app in Azure

Go to the provisioning tab, and click “Edit attribute mappings”

Then choose “Provision Azure Active Directory Users”

Here you will see a list of all Attribute mappings between Azure Active directory and Sana.

If you want to add additional attributes, click the “Add Attribute” button and add here all the attributes that you added to Sana in the previous step.

Here you can add custom attributes. Sana custom attributes always have the following namespace: “urn:ietf:params:scim:schemas:extension:SanaLabs:2.0:CustomAttributes”

💡 Remember that you have to agree on the custom attribute names with your Sana representative.

Go back to Azure to the Provisioning tab, and press “Start provisioning” to start creating users.

When all is set, you can go to your Sana account at DOMAIN.sana.ai, go to Manage, click the Users tab and see that all users are synced and all the right attributes are in place for the user.